On 8/7/25 5:34 AM, Dmitry Antipov wrote:
Running with CONFIG_DEBUG_KMEMLEAK enabled, I've noticed a few memory
leaks reported as follows:
unreferenced object 0xffff8881ce3bd080 (size 64):
comm "systemd", pid 3524, jiffies 4294789711
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8c5ed7af):
__kmalloc_node_track_caller_noprof+0x25e/0x4e0
krealloc_noprof+0xe8/0x2f0
kvrealloc_noprof+0x65/0xe0
do_check+0x3ef1/0xcd10
do_check_common+0x1631/0x2110
bpf_check+0x3686/0x1e430
bpf_prog_load+0xda2/0x13f0
__sys_bpf+0x374/0x5b0
__x64_sys_bpf+0x7c/0x90
do_syscall_64+0x8a/0x220
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Wnen an array of SCC slots is allocated in 'compute_scc()', 'scc_cnt' of
the corresponding environment should be adjusted to match the size of this
array. Otherwise an array members (re)assigned in 'scc_visit_alloc()' will
be unreachable from the freeing loop in 'free_states()'.
Fixes: c9e31900b54c ("bpf: propagate read/precision marks over state graph backedges")
Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
This one has been fixed in
https://lore.kernel.org/all/20250801232330.1800436-1-eddyz87@xxxxxxxxx/
---
kernel/bpf/verifier.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0806295945e4..c4f69a9e9af6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -23114,6 +23114,8 @@ static void free_states(struct bpf_verifier_env *env)
for (i = 0; i < env->scc_cnt; ++i) {
info = env->scc_info[i];
+ if (!info)
+ continue;
for (j = 0; j < info->num_visits; j++)
free_backedges(&info->visits[j]);
kvfree(info);
@@ -24554,6 +24556,7 @@ static int compute_scc(struct bpf_verifier_env *env)
err = -ENOMEM;
goto exit;
}
+ env->scc_cnt = next_scc_id;
exit:
kvfree(stack);
kvfree(pre);
