This series is an attempt to fix a race in sock_hash_free recently reported by Eric [0]. The race, and a mem leak I found on the way, can be triggered by the crude reproducer posted below.

[0] https://lore.kernel.org/bpf/6f8bb6d8-bb70-4533-f15b-310db595d334@xxxxxxxxx/

Cc: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Cc: John Fastabend <john.fastabend@xxxxxxxxx>

--8<--
enum { NUM_SOCKS = 1000 };

static void *close_map(void *map)
{
	close(*(int *)map);
	return NULL;
}

int main(void)
{
	int sock[NUM_SOCKS];
	pthread_t worker;
	int map;
	int i, err;

	map = bpf_create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int), sizeof(int), NUM_SOCKS, 0);
	if (map < 0)
		error(1, -map, "map create");

	for (i = 0; i < NUM_SOCKS; i++) {
		int fd = socket(AF_INET, SOCK_STREAM, 0);
		if (fd < 0)
			error(1, errno, "socket");
		err = listen(fd, SOMAXCONN);
		if (err)
			error(1, errno, "listen");
		sock[i] = fd;
		err = bpf_map_update_elem(map, &i, &fd, BPF_ANY);
		if (err)
			error(1, errno, "map update");
	}

	err = pthread_create(&worker, NULL, close_map, &map);
	if (err)
		error(1, err, "thread create");

	/* usleep(100); */

	for (int i = 0; i < NUM_SOCKS; i++)
		close(sock[i]);

	pthread_join(worker, NULL);
	return 0;
}
-->8--

Jakub Sitnicki (2):
  bpf, sockhash: Fix memory leak when unlinking sockets in sock_hash_free
  bpf, sockhash: Synchronize delete from bucket list on map free

 net/core/sock_map.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

--
2.25.4