On 8/9/22 12:13 PM, Martin KaFai Lau wrote:
On Tue, Aug 09, 2022 at 09:23:39AM +0800, houtao wrote:
+ /* Sock map is freed after two synchronize_rcu() calls, so wait */
+ kern_sync_rcu();
+ kern_sync_rcu();
In btf_map_in_map.c, the comment mentions two kern_sync_rcu()
is needed for 5.8 and earlier kernel. Other cases in prog_tests/
directory only has one kern_sync_rcu(). Why we need two
kern_sync_rcu() for the current kernel?
As tried to explain in the comment, for both sock map and sock storage map, the
used memory is freed two synchronize_rcu(), so if there are not two
kern_sync_rcu() in the test prog, reading the iterator fd will not be able to
trigger the Use-After-Free problem and it will end normally.
For sk storage map, the map can also be used by the
kernel sk_clone_lock() code path. The deferred prog and map
free is not going to help since it only ensures no bpf prog is
still using it but cannot ensure no kernel rcu reader is using it.
There is more details comment in bpf_local_storage_map_free() to
explain for both synchronize_rcu()s.
Thanks for explanation!
