kernel-patches-bot

Pull request for series with
subject: bpf: don't leak memory in bpf getsockopt when optlen == 0
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=412607

@kernel-patches-bot
Author

Master branch: 286e95e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=412607
version: 1

@kernel-patches-bot
Author

Master branch: f97844f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=412607
version: 1

@kernel-patches-bot
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=412607 expired. Closing PR.

kernel-patches-bot and others added 2 commits January 12, 2021 08:39
optlen == 0 indicates that the kernel should ignore BPF buffer
and use the original one from the user. We, however, forget
to free the temporary buffer that we've allocated for BPF.

Reported-by: Martin KaFai Lau <[email protected]>
Fixes: d8fe449 ("bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE")
Signed-off-by: Stanislav Fomichev <[email protected]>
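
The leak described in the commit message above, as an added user-space model (not the kernel's code and not part of the patch). All names are hypothetical; the model assumes the hook allocates a temporary buffer, runs the program, and treats optlen == 0 as "fall back to the user's buffer".

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model; every name below is hypothetical, not a kernel symbol. */
static int live_bufs;            /* temp buffers allocated and not yet freed */

struct sockopt_ctx {
    char *optval;                /* temporary buffer the BPF program sees */
    int optlen;                  /* 0 after the program = use the user's buffer */
};

static void release_buf(char *p) {
    if (p) { free(p); live_bufs--; }
}

/* Stand-in for an attached program; bypass != 0 models it setting optlen = 0. */
static void run_prog(struct sockopt_ctx *ctx, int bypass) {
    if (bypass) ctx->optlen = 0;
}

/* Returns the buffer the caller must use and release, or NULL when the
 * caller should fall back to the original user buffer (or on alloc failure). */
static char *run_hook(int len, int bypass, int fixed) {
    struct sockopt_ctx ctx = { calloc(1, (size_t)len), len };
    if (!ctx.optval) return NULL;
    live_bufs++;
    run_prog(&ctx, bypass);
    if (ctx.optlen == 0) {
        if (fixed) release_buf(ctx.optval);  /* the free the leaky path omits */
        return NULL;                         /* temp buffer is not handed on */
    }
    return ctx.optval;                       /* ownership moves to the caller */
}

/* Runs the hook n times and reports how many temp buffers are still live. */
int leaked_after(int n, int bypass, int fixed) {
    live_bufs = 0;
    for (int i = 0; i < n; i++)
        release_buf(run_hook(64, bypass, fixed));
    return live_bufs;
}

int main(void) {
    printf("leaky: %d live, fixed: %d live\n",
           leaked_after(100, 1, 0), leaked_after(100, 1, 1));
    return 0;
}
```

Each call on the optlen == 0 path strands one allocation in the leaky variant, so a caller that can trigger the hook repeatedly grows memory use without bound.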
@kernel-patches-bot
Author

Master branch: 2f94ac1
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=413233
version: 2

@kernel-patches-bot
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=413233 irrelevant now. Closing PR.

@kernel-patches-bot kernel-patches-bot deleted the series/412607=>bpf branch January 12, 2021 20:19
kernel-patches-daemon-bpf bot pushed a commit that referenced this pull request May 30, 2023
Commit d6ae7d1 ("drm/msm/gem: Simplify vmap vs LRU tracking")
introduced a splat in the pin_pages_locked() path for buffers that
had been MADV_DONTNEED.

   ------------[ cut here ]------------
   msm_obj->madv != 0
   WARNING: CPU: 1 PID: 144 at drivers/gpu/drm/msm/msm_gem.c:230 msm_gem_pin_pages_locked+0x9c/0xd4
   Modules linked in: lzo_rle cros_ec_lid_angle cros_ec_sensors cros_ec_sensors_core venus_dec venus_enc videobuf2_dma_contig cdc_ether usbnet mii uvcvideo videobuf2_vmalloc hci_uart btqca qcom_spmi_adc5 uvc qcom_spmi_temp_alarm qcom_vadc_common cros_ec_sensorhub videobuf2_memops cros_ec_typec sx9324 sx_common typec joydev bluetooth industrialio_triggered_buffer ecdh_generic kfifo_buf ecc venus_core qcom_stats v4l2_mem2mem videobuf2_v4l2 videobuf2_common ath11k_ahb ath11k mac80211 cfg80211 fuse zram zsmalloc
   CPU: 1 PID: 144 Comm: ring0 Tainted: G        W          6.3.0-rc2-debug+ #622
   Hardware name: Google Villager (rev1+) with LTE (DT)
   pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
   pc : msm_gem_pin_pages_locked+0x9c/0xd4
   lr : msm_gem_pin_pages_locked+0x9c/0xd4
   sp : ffffffc009ffbab0
   x29: ffffffc009ffbab0 x28: ffffffee8da75008 x27: ffffff80a10274d0
   x26: ffffff8087fe3bf8 x25: ffffff8087fe3c08 x24: 0000000000000001
   x23: ffffff80891d5800 x22: ffffff809d0de480 x21: ffffff8081e5a080
   x20: 0000000000000002 x19: ffffff80a3564c00 x18: 0000000000000000
   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000000a9620
   x14: 0000000000000000 x13: 2d2d2d2d2d2d2d2d x12: 2d2d2d2d5d206572
   x11: 656820747563205b x10: 2d2d2d2d2d2d2d2d x9 : ffffffee8c705dfc
   x8 : ffffffee8da75000 x7 : ffffffee8d34e6d0 x6 : 0000000000000000
   x5 : 00000000000affa8 x4 : 000000000000000d x3 : ffffffee8da75008
   x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff8088048040
   Call trace:
    msm_gem_pin_pages_locked+0x9c/0xd4
    get_vaddr+0xb0/0x150
    msm_gem_get_vaddr_active+0x1c/0x28
    snapshot_buf+0x90/0x10c
    msm_rd_dump_submit+0x30c/0x380
    msm_gpu_submit+0x88/0x174
    msm_job_run+0x68/0x118
    drm_sched_main+0x2b8/0x3a0
    kthread+0xf0/0x100
    ret_from_fork+0x10/0x20
   irq event stamp: 3358
   hardirqs last  enabled at (3357): [<ffffffee8c7051f4>] __up_console_sem+0x7c/0x80
   hardirqs last disabled at (3358): [<ffffffee8d3480b0>] el1_dbg+0x24/0x80
   softirqs last  enabled at (3330): [<ffffffee8c610420>] __do_softirq+0x21c/0x4bc
   softirqs last disabled at (3325): [<ffffffee8c616708>] ____do_softirq+0x18/0x24
   ---[ end trace 0000000000000000 ]---

But, as with msm_gem_get_vaddr_active(), this is a special case
because we know that the buffer won't be purged or evicted until its
fence is signaled.  We just forgot to propagate the logic from get_vaddr()
to pin_pages_locked().

Fixes: d6ae7d1 ("drm/msm/gem: Simplify vmap vs LRU tracking")
Signed-off-by: Rob Clark <[email protected]>
Patchwork: https://patchwork.freedesktop.org/patch/532616/
Link: https://lore.kernel.org/r/[email protected]
eddyz87 added a commit to eddyz87/bpf that referenced this pull request Jul 30, 2025
Failing tests:
- kernel-patches#110     fexit_bpf2bpf:FAIL
- kernel-patches#124     for_each:FAIL
- kernel-patches#144     iters:FAIL
- kernel-patches#148     kfree_skb:FAIL
- kernel-patches#161     l4lb_all:FAIL
- kernel-patches#193     map_kptr:FAIL
- kernel-patches#23      bpf_loop:FAIL
- kernel-patches#260     pkt_access:FAIL
- kernel-patches#269     prog_run_opts:FAIL
- kernel-patches#280     rbtree_success:FAIL
- kernel-patches#356     res_spin_lock_failure:FAIL
- kernel-patches#364     setget_sockopt:FAIL
- kernel-patches#381     sock_fields:FAIL
- kernel-patches#394     spin_lock:FAIL
- kernel-patches#395     spin_lock_success:FAIL
- kernel-patches#444     test_bpffs:FAIL
- kernel-patches#453     test_profiler:FAIL
- kernel-patches#479     usdt:FAIL
- kernel-patches#488     verifier_bits_iter:FAIL
- kernel-patches#597     verif_scale_pyperf600:FAIL
- kernel-patches#598     verif_scale_pyperf600_bpf_loop:FAIL
- kernel-patches#599     verif_scale_pyperf600_iter:FAIL
- kernel-patches#608     verif_scale_strobemeta_subprogs:FAIL
- kernel-patches#622     xdp_attach:FAIL
- kernel-patches#637     xdp_noinline:FAIL
- kernel-patches#639     xdp_synproxy:FAIL
- kernel-patches#72      cls_redirect:FAIL
- kernel-patches#88      crypto_sanity:FAIL
- kernel-patches#97      dynptr:FAIL

Signed-off-by: Eduard Zingerman <[email protected]>