On Tue, Aug 09, 2022 at 09:23:39AM +0800, houtao wrote:
> >> + /* Sock map is freed after two synchronize_rcu() calls, so wait */
> >> + kern_sync_rcu();
> >> + kern_sync_rcu();
> >
> > In btf_map_in_map.c, the comment mentions two kern_sync_rcu()
> > calls are needed for 5.8 and earlier kernels. Other cases in the prog_tests/
> > directory only have one kern_sync_rcu(). Why do we need two
> > kern_sync_rcu() calls for the current kernel?
> As I tried to explain in the comment, for both the sock map and the sock storage map, the
> used memory is freed after two synchronize_rcu() calls, so if there are not two
> kern_sync_rcu() calls in the test prog, reading the iterator fd will not be able to
> trigger the Use-After-Free problem and it will end normally.
For the sk storage map, the map can also be used by the kernel sk_clone_lock() code path.
The deferred prog and map free is not going to help since it only ensures
no bpf prog is still using it but cannot ensure no kernel rcu reader is using it.
There is a more detailed comment in bpf_local_storage_map_free() explaining
both synchronize_rcu()s.
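Review bot: the comment above the two kern_sync_rcu() calls names only the sock map, but the reply explains that the second grace period also matters for the sk storage map (kernel rcu readers such as the sk_clone_lock() path), and btf_map_in_map.c carries the same pairing for an unrelated 5.8-era reason; state in the comment which free paths need two synchronize_rcu() calls so the second call is not later trimmed as a stale workaround, for example `/* sock map and sk storage map are freed only after two synchronize_rcu() calls; a single kern_sync_rcu() cannot trigger the UAF */`.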