    act_bpf: fix memory leaks when replacing bpf programs · e04f76d6
    Daniel Borkmann authored
    [ Upstream commit f4eaed28 ]
    
    We currently trigger multiple memory leaks when replacing bpf
    actions, besides others:
    
      comm "tc", pid 1909, jiffies 4294851310 (age 1602.796s)
      hex dump (first 32 bytes):
        01 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00  ................
        18 b0 98 6d 00 88 ff ff 00 00 00 00 00 00 00 00  ...m............
      backtrace:
        [<ffffffff817e623e>] kmemleak_alloc+0x4e/0xb0
        [<ffffffff8120a22d>] __vmalloc_node_range+0x1bd/0x2c0
        [<ffffffff8120a37a>] __vmalloc+0x4a/0x50
        [<ffffffff811a8d0a>] bpf_prog_alloc+0x3a/0xa0
        [<ffffffff816c0684>] bpf_prog_create+0x44/0xa0
        [<ffffffffa09ba4eb>] tcf_bpf_init+0x28b/0x3c0 [act_bpf]
        [<ffffffff816d7001>] tcf_action_init_1+0x191/0x1b0
        [<ffffffff816d70a2>] tcf_action_init+0x82/0xf0
        [<ffffffff816d4d12>] tcf_exts_validate+0xb2/0xc0
        [<ffffffffa09b5838>] cls_bpf_modify_existing+0x98/0x340 [cls_bpf]
        [<ffffffffa09b5cd6>] cls_bpf_change+0x1a6/0x274 [cls_bpf]
        [<ffffffff816d56e5>] tc_ctl_tfilter+0x335/0x910
        [<ffffffff816b9145>] rtnetlink_rcv_msg+0x95/0x240
        [<ffffffff816df34f>] netlink_rcv_skb+0xaf/0xc0
        [<ffffffff816b909e>] rtnetlink_rcv+0x2e/0x40
        [<ffffffff816deaaf>] netlink_unicast+0xef/0x1b0
    
    Issue is that the old content from tcf_bpf is allocated and needs
    to be released when we replace it. We seem to do that since the
    beginning of act_bpf on the filter and insns, later on the name as
    well.
    
    Example test case, after patch:
    
      # FOO="1,6 0 0 4294967295,"
      # BAR="1,6 0 0 4294967294,"
      # tc actions add action bpf bytecode "$FOO" index 2
      # tc actions show action bpf
       action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe
       index 2 ref 1 bind 0
      # tc actions replace action bpf bytecode "$BAR" index 2
      # tc actions show action bpf
       action order 0: bpf bytecode '1,6 0 0 4294967294' default-action pipe
       index 2 ref 1 bind 0
      # tc actions replace action bpf bytecode "$FOO" index 2
      # tc actions show action bpf
       action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe
       index 2 ref 1 bind 0
      # tc actions del action bpf index 2
      [...]
      # echo "scan" > /sys/kernel/debug/kmemleak
      # cat /sys/kernel/debug/kmemleak | grep "comm \"tc\"" | wc -l
      0
    
    Fixes: d23b8ad8 ("tc: add BPF based action")
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
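
The leak-on-replace pattern the commit message describes, as an added userspace C model that is not part of the commit or of the kernel's act_bpf code. All names are hypothetical, and the live_allocs counter is an assumed stand-in for what kmemleak reports.

```c
#include <stdlib.h>
#include <string.h>

/* Userspace model only; every name is hypothetical, not act_bpf's code. */
static long live_allocs;                    /* stand-in for kmemleak's view */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

struct action { unsigned *insn; char *name; };   /* buffers the action owns */
typedef int (*replace_fn)(struct action *, unsigned, const char *);

static void release(struct action *a) { xfree(a->insn); xfree(a->name); memset(a, 0, sizeof(*a)); }

/* Fill *a with freshly allocated copies; all or nothing. */
static int build(struct action *a, unsigned k, const char *name)
{
    a->insn = xalloc(sizeof(*a->insn));
    a->name = xalloc(strlen(name) + 1);
    if (!a->insn || !a->name) { release(a); return -1; }
    *a->insn = k;
    strcpy(a->name, name);
    return 0;
}

/* Leaky replace: overwrites the only pointers to the old buffers. */
static int replace_leaky(struct action *a, unsigned k, const char *name) { return build(a, k, name); }

/* Fixed replace: build the new state, swap it in, then release the old state. */
static int replace_fixed(struct action *a, unsigned k, const char *name)
{
    struct action fresh, old = *a;
    if (build(&fresh, k, name) < 0) return -1;   /* old state stays installed */
    *a = fresh;
    release(&old);                          /* no-op on first install */
    return 0;
}

/* Add / replace / replace / del as in the commit's test; returns live buffers. */
static long leaked_after(replace_fn replace)
{
    struct action a = { 0 };
    live_allocs = 0;
    replace(&a, 4294967295u, "FOO"); replace(&a, 4294967294u, "BAR");
    replace(&a, 4294967295u, "FOO");
    release(&a);                            /* del */
    return live_allocs;
}

int main(void) { return leaked_after(replace_fixed) != 0 || leaked_after(replace_leaky) != 4; }
```

With the leaky variant, each replace strands the two buffers of the previous configuration, so only the last configuration is freed on delete.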