Thread (7 messages) 7 messages, 2 authors, 2025-12-28

Re: [Patch bpf-next v5 2/4] skmsg: implement slab allocator cache for sk_msg

From: bot+bpf-ci@kernel.org
Date: 2025-12-28 00:43:49
Also in: bpf

quoted hunk ↗ jump to hunk
diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
index 84ec69568bb7..61e2c2e6840b 100644
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
[ ... ]
quoted hunk ↗ jump to hunk
@@ -319,6 +322,13 @@ static inline void sock_drop(struct sock *sk, struct sk_buff *skb)
 	kfree_skb(skb);
 }

+static inline void kfree_sk_msg(struct sk_msg *msg)
+{
+	if (msg->skb)
+		consume_skb(msg->skb);
+	kmem_cache_free(sk_msg_cachep, msg);
+}
[ ... ]
quoted hunk ↗ jump to hunk
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 0812e01e3171..45ff311ccf49 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
[ ... ]
quoted hunk ↗ jump to hunk
@@ -503,16 +505,17 @@ bool sk_msg_is_readable(struct sock *sk)
 }
 EXPORT_SYMBOL_GPL(sk_msg_is_readable);

-static struct sk_msg *alloc_sk_msg(gfp_t gfp)
+struct sk_msg *sk_msg_alloc(gfp_t gfp)
 {
 	struct sk_msg *msg;

-	msg = kzalloc(sizeof(*msg), gfp | __GFP_NOWARN);
+	msg = kmem_cache_zalloc(sk_msg_cachep, gfp | __GFP_NOWARN);
 	if (unlikely(!msg))
 		return NULL;
 	sg_init_marker(msg->sg.data, NR_MSG_FRAG_IDS);
 	return msg;
 }
+EXPORT_SYMBOL_GPL(sk_msg_alloc);
[ ... ]
quoted hunk ↗ jump to hunk
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index a0a385e07094..ed049a912a23 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -38,7 +38,7 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock,
 	struct sk_msg *tmp;
 	int i, ret = 0;

-	tmp = kzalloc(sizeof(*tmp), __GFP_NOWARN | GFP_KERNEL);
+	tmp = sk_msg_alloc(GFP_KERNEL);
 	if (unlikely(!tmp))
 		return -ENOMEM;
The allocation is converted to sk_msg_alloc() which uses kmem_cache_zalloc(),
but the error path in bpf_tcp_ingress() still uses kfree(tmp). Since sk_msg
objects are now allocated from sk_msg_cachep, should this be kfree_sk_msg(tmp)
instead? Freeing a kmem_cache object with kfree() can corrupt slab metadata.
quoted hunk ↗ jump to hunk
@@ -406,8 +406,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
 	    msg->cork_bytes > msg->sg.size && !enospc) {
 		psock->cork_bytes = msg->cork_bytes - msg->sg.size;
 		if (!psock->cork) {
-			psock->cork = kzalloc(sizeof(*psock->cork),
-					      GFP_ATOMIC | __GFP_NOWARN);
+			psock->cork = sk_msg_alloc(GFP_ATOMIC);
 			if (!psock->cork) {
 				sk_msg_free(sk, msg);
 				*copied = 0;
Similarly, psock->cork is now allocated via sk_msg_alloc(). However, in the
__SK_REDIRECT case when cork is true, the code path through
tcp_bpf_send_verdict() uses kfree(msg) to free the cork object. Should this
also be kfree_sk_msg(msg) to match the new allocation method?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20546413613
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help