On Mon, Apr 3, 2023 at 10:31 AM Dave Marchevsky <davemarchevsky@xxxxxx> wrote:
>
> bpf_obj_drop_impl has a void return type. In check_kfunc_call, the "else
> if" which sets kptr_struct_meta for bpf_obj_drop_impl is
> surrounded by a larger if statement which checks btf_type_is_ptr. As a
> result:
>
> * The bpf_obj_drop_impl-specific code will never execute
> * The btf_struct_meta input to bpf_obj_drop is always NULL
> * bpf_obj_drop_impl will always see a NULL btf_record when called
> from BPF program, and won't call bpf_obj_free_fields
> * program-allocated kptrs which have fields that should be cleaned up
> by bpf_obj_free_fields may instead leak resources
>
> This patch adds a btf_type_is_void branch to the larger if and moves
> special handling for bpf_obj_drop_impl there, fixing the issue.
>
> Fixes: ac9f06050a35 ("bpf: Introduce bpf_obj_drop")
> Cc: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> Signed-off-by: Dave Marchevsky <davemarchevsky@xxxxxx>
> ---
> I can send a version of this patch which applies on bpf-next as well,
> but think this makes sense in bpf as the issue exists there too.
I'd like to avoid the merge conflict in this tricky area of the verifier.
Let's get it through bpf-next first and then we can backport it to stable
after bpf-next gets pulled during the merge window.
