bpf: fix deadlock in special field destruction in NMI #12120
Open
RazeLighter777 wants to merge 1 commit into
Relax bpf_obj_free_fields to only cancel/free async work in irq_disabled contexts and defer unsafe free operations such as kptr dtors, list head and rb root destruction to a later non-irq_disabled call driven by the allocator or map free.

Detect fields that are unsafe to free under irqs_disabled at htab creation time. When creating a hashtab with these fields, forcibly set BPF_F_NO_PREALLOC and use the bpf memory allocator instead.

This must happen after the fields are checked, so convert the map to a non-prealloc one if the special fields are present, but before the map has been fully initialized.

Enable this fix for regular, percpu, and lru hashtabs.

Fixes: 14a324f ("bpf: Wire up freeing of referenced kptr")
Reported-by: Justin Suess <utilityemal77@gmail.com>
Closes: https://lore.kernel.org/bpf/20260421201035.1729473-1-utilityemal77@gmail.com/
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Suggested-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Cc: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
Link: https://lore.kernel.org/bpf/DIG0ONMVOP0L.3QFYUPWFSKWI4@gmail.com/
Signed-off-by: Justin Suess <utilityemal77@gmail.com>
Relax the behavior of bpf_obj_free_fields to only cancel/free async work if irqs_disabled, and do not run unsafe free operations such as kptr dtors directly in those contexts.
The switch statement on the field type is split into two switch blocks; the first half containing types that are safe to run the free fields operations for in irq_disabled context. The breaks in the first block are changed to continues to avoid redundant checking / warning from the second block. A default case for the first switch block operation continues past the second block if irqs_disabled().
The second switch statement is the portion of the original block containing the free fields operations that are unsafe if irqs_disabled(). This switch statement is never reached if any of the cases in the first block matched, or if irqs_disabled is true.
This changes the default behavior of bpf_obj_free_fields() to lazy, allocator driven freeing in irqs_disabled contexts for those specific field types in the first block. The fields will be recycled by the allocator, until it calls bpf_obj_free_fields in a safe context.
Fixes: 14a324f ("bpf: Wire up freeing of referenced kptr")
Reported-by: Justin Suess <utilityemal77@gmail.com>
Closes: https://lore.kernel.org/bpf/20260421201035.1729473-1-utilityemal77@gmail.com/
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Suggested-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Cc: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
Link: https://lore.kernel.org/bpf/DIG0ONMVOP0L.3QFYUPWFSKWI4@gmail.com/
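A simplified userspace model of the two-switch control flow described above, added here as an illustration and not taken from the patch or the kernel tree. The enum, the struct and the `model_irqs_disabled` flag are hypothetical stand-ins for the kernel's field types and `irqs_disabled()`, and the deferred set follows the commit message (kptr dtors, list head, rb root).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical field kinds modelled on the PR text; not the kernel's enum. */
enum field_kind { F_ASYNC_WORK, F_KPTR_REF, F_LIST_HEAD, F_RB_ROOT };
struct field { enum field_kind kind; bool live; };
static bool model_irqs_disabled; /* stand-in for irqs_disabled() */

/* Frees what is safe in the current context; returns how many fields were deferred. */
static size_t model_free_fields(struct field *f, size_t n)
{
    size_t deferred = 0;
    for (size_t i = 0; i < n; i++) {
        if (!f[i].live)
            continue;
        switch (f[i].kind) {        /* block 1: safe with IRQs disabled */
        case F_ASYNC_WORK:
            f[i].live = false;      /* cancel/free async work */
            continue;               /* skip block 2 for this field */
        default:
            if (model_irqs_disabled) {
                deferred++;         /* left for a later call in a safe context */
                continue;
            }
            break;
        }
        switch (f[i].kind) {        /* block 2: reached only with IRQs enabled */
        case F_KPTR_REF:            /* the kptr dtor would run here */
        case F_LIST_HEAD:           /* list destruction would run here */
        case F_RB_ROOT:             /* rb root destruction would run here */
            f[i].live = false;
            break;
        default:
            break;
        }
    }
    return deferred;
}

int main(void)
{
    /* Constructed sample object with one field of each kind. */
    struct field f[] = { {F_ASYNC_WORK, true}, {F_KPTR_REF, true},
                         {F_LIST_HEAD, true}, {F_RB_ROOT, true} };
    model_irqs_disabled = true;
    printf("irqs off: %zu deferred\n", model_free_fields(f, 4));
    model_irqs_disabled = false;
    printf("irqs on:  %zu deferred\n", model_free_fields(f, 4));
    return 0;
}
```

The second call stands in for the later allocator-driven or map-free invocation of `bpf_obj_free_fields` that the description says completes the deferred destruction.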