git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Kumar Kartikeya Dwivedi <memxor@gmail.com>
	Fri, 27 Feb 2026 22:48:03 +0000 (14:48 -0800)
committer	Alexei Starovoitov <ast@kernel.org>
	Fri, 27 Feb 2026 23:39:00 +0000 (15:39 -0800)
commit	f41deee082dc7b1c198de21710cb5cb9c604cae0
tree	d2eb266f43e35de5bf4424e812b0e224a7c8b6c5	tree \| snapshot
parent	ae51772b1e94ba1d76db19085957dbccac189c1c	commit \| diff

bpf: Delay freeing fields in local storage

Currently, when use_kmalloc_nolock is false, the freeing of fields for a
local storage selem is done eagerly before waiting for the RCU or RCU
tasks trace grace period to elapse. This opens up a window where the
program which has access to the selem can recreate the fields after the
freeing of fields is done eagerly, causing memory leaks when the element
is finally freed and returned to the kernel.

Make a few changes to address this. First, delay the freeing of fields
until after the grace periods have expired using a __bpf_selem_free_rcu
wrapper which is eventually invoked after transitioning through the
necessary number of grace period waits. Replace usage of the kfree_rcu
with call_rcu to be able to take a custom callback. Finally, care needs
to be taken to extend the rcu barriers for all cases, and not just when
use_kmalloc_nolock is true, as RCU and RCU tasks trace callbacks can be
in flight for either case and access the smap field, which is used to
obtain the BTF record to walk over special fields in the map value.

While we're at it, drop migrate_disable() from bpf_selem_free_rcu, since
migration should be disabled for RCU callbacks already.

Fixes: 9bac675e6368 ("bpf: Postpone bpf_obj_free_fields to the rcu callback")
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260227224806.646888-4-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>