Commit 146bd2a
bpf: Release module BTF IDR before module unload
Gregory reported in [0] that the global_map_resize test when run in
repeatedly ends up failing during program load. This stems from the fact
that BTF reference has not dropped to zero after the previous run's
module is unloaded, and the older module's BTF is still discoverable and
visible. Later, in libbpf, load_module_btfs() will find the ID for this
stale BTF, open its fd, and then it will be used during program load
where later steps taking module reference using btf_try_get_module()
fail since the underlying module for the BTF is gone.
Logically, once a module is unloaded, it's associated BTF artifacts
should become hidden. The BTF object inside the kernel may still remain
alive as long its reference counts are alive, but it should no longer be
discoverable.
To fix this, let us call btf_free_id() from the MODULE_STATE_GOING case
for the module unload to free the BTF associated IDR entry, and disable
its discovery once module unload returns to user space. If a race
happens during unload, the outcome is non-deterministic anyway. However,
user space should be able to rely on the guarantee that once it has
synchronously established a successful module unload, no more stale
artifacts associated with this module can be obtained subsequently.
Note that we must be careful to not invoke btf_free_id() in btf_put()
when btf_is_module() is true now. There could be a window where the
module unload drops a non-terminal reference, frees the IDR, but the
same ID gets reused and the second unconditional btf_free_id() ends up
releasing an unrelated entry.
To avoid a special case for btf_is_module() case, set btf->id to zero to
make btf_free_id() idempotent, such that we can unconditionally invoke it
from btf_put(), and also from the MODULE_STATE_GOING case. Since zero is
an invalid IDR, the idr_remove() should be a noop.
Note that we can be sure that by the time we reach final btf_put() for
btf_is_module() case, the btf_free_id() is already done, since the
module itself holds the BTF reference, and it will call this function
for the BTF before dropping its own reference.
[0]: https://lore.kernel.org/bpf/cover.1773170190.git.grbell@redhat.com
Fixes: 36e6844 ("bpf: Load and verify kernel module BTFs")
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Suggested-by: Martin KaFai Lau <martin.lau@kernel.org>
Reported-by: Gregory Bell <grbell@redhat.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260312205307.1346991-1-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>1 parent e06e6b8 commit 146bd2a
1 file changed
Lines changed: 20 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1787 | 1787 | | |
1788 | 1788 | | |
1789 | 1789 | | |
1790 | | - | |
| 1790 | + | |
| 1791 | + | |
| 1792 | + | |
| 1793 | + | |
| 1794 | + | |
| 1795 | + | |
| 1796 | + | |
| 1797 | + | |
| 1798 | + | |
| 1799 | + | |
1791 | 1800 | | |
1792 | 1801 | | |
1793 | 1802 | | |
| |||
8115 | 8124 | | |
8116 | 8125 | | |
8117 | 8126 | | |
8118 | | - | |
| 8127 | + | |
8119 | 8128 | | |
8120 | 8129 | | |
8121 | 8130 | | |
| |||
8197 | 8206 | | |
8198 | 8207 | | |
8199 | 8208 | | |
8200 | | - | |
| 8209 | + | |
8201 | 8210 | | |
8202 | 8211 | | |
8203 | 8212 | | |
| |||
8260 | 8269 | | |
8261 | 8270 | | |
8262 | 8271 | | |
8263 | | - | |
| 8272 | + | |
8264 | 8273 | | |
8265 | 8274 | | |
8266 | 8275 | | |
| |||
8382 | 8391 | | |
8383 | 8392 | | |
8384 | 8393 | | |
| 8394 | + | |
| 8395 | + | |
| 8396 | + | |
| 8397 | + | |
| 8398 | + | |
| 8399 | + | |
| 8400 | + | |
8385 | 8401 | | |
8386 | 8402 | | |
8387 | 8403 | | |
| |||
0 commit comments