From: XIAO WU <shawdoxwu@gmail.com>
To: bot+bpf-ci@kernel.org
Cc: a.s.protopopov@gmail.com, akpm@linux-foundation.org,
ameryhung@gmail.com, andrii@kernel.org, ast@kernel.org,
bpf@vger.kernel.org, brauner@kernel.org, brgerst@gmail.com,
cgroups@vger.kernel.org, chenridong@huaweicloud.com,
clm@meta.com, daniel@iogearbox.net, davem@davemloft.net,
eddyz87@gmail.com, geliang@kernel.org, hannes@cmpxchg.org,
haoluo@google.com, hawk@kernel.org, hui.zhu@linux.dev,
ihor.solodrai@linux.dev, inwardvessel@gmail.com,
jeffxu@chromium.org, jiayuan.chen@linux.dev,
john.fastabend@gmail.com, jolsa@kernel.org, kees@kernel.org,
kernel@jfarr.cc, kerneljasonxing@gmail.com, kpsingh@kernel.org,
kuba@kernel.org, lance.yang@linux.dev,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-mm@kvack.org, martin.lau@kernel.org, martin.lau@linux.dev,
masahiroy@kernel.org, mhocko@kernel.org, mkoutny@suse.com,
muchun.song@linux.dev, nathan@kernel.org, netdev@vger.kernel.org,
ojeda@kernel.org, paul.chaignon@gmail.com, peterz@infradead.org,
rdunlap@infradead.org, roman.gushchin@linux.dev, sdf@fomichev.me,
shakeel.butt@linux.dev, shuah@kernel.org, song@kernel.org,
tj@kernel.org, willemb@google.com, yonghong.song@linux.dev,
zhuhui@kylinos.cn
Subject: Re: [RFC PATCH bpf-next v6 11/12] selftests/bpf: Add test for memcg_bpf_ops hierarchies
Date: Thu, 23 Apr 2026 17:15:16 +0800
Message-ID: <20260423171516.00004adc@gmail.com>
In-Reply-To: <958ccd923342ddd02e9122381d51319cb125ec51d601bb6fcad57531a2f5ef57@mail.kernel.org>
Hi,
> +cleanup:
> + bpf_link__destroy(link1);
> + bpf_link__destroy(link2);
> + bpf_link__destroy(link3);
> + memcg_ops__detach(skel);
> + memcg_ops__destroy(skel);
>
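Review bot: memcg_ops__detach(skel) and memcg_ops__destroy(skel) at the end of the cleanup: label are called unconditionally, so any goto cleanup taken before skel is assigned reaches them with skel == NULL. Guard the pair with "if (skel) { ... }", or show that no goto cleanup can precede the assignment of skel.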
> Can this crash if skel is NULL?
Yes, this is a valid bug in the selftest cleanup path.
If execution jumps to cleanup before memcg_ops__open_and_load()
succeeds, skel remains NULL. In that case, memcg_ops__detach(skel)
dereferences NULL through obj->skeleton in the generated detach helper,
as you pointed out.
This is also inconsistent with nearby tests in the same file that
already do

	if (skel) {
		memcg_ops__detach(skel);
		memcg_ops__destroy(skel);
	}

The C repro, modeling the same control flow:
--8<--
// SPDX-License-Identifier: GPL-2.0
// PoC for cleanup-path NULL dereference in test_memcg_ops_hierarchies().
#include <stdio.h>

struct bpf_object_skeleton {
	int dummy;
};

struct memcg_ops {
	struct bpf_object_skeleton *skeleton;
};

__attribute__((noinline))
static void bpf_object__detach_skeleton(struct bpf_object_skeleton *s)
{
	(void)s;
}

/* Matches generated skeleton helper shape from review mail. */
static inline void memcg_ops__detach(struct memcg_ops *obj)
{
	bpf_object__detach_skeleton(obj->skeleton);
}

static int setup_cgroup_environment_fail(void)
{
	return -1;
}

int main(void)
{
	int ret;
	struct memcg_ops *skel = NULL;

	fprintf(stderr, "[*] trigger cleanup with skel == NULL\n");

	/* Simulate early failure before open_and_load() assigns skel. */
	ret = setup_cgroup_environment_fail();
	if (ret)
		goto cleanup;

cleanup:
	/* Same problematic call pattern as in the test cleanup block. */
	memcg_ops__detach(skel);
	return 0;
}
--8<--
Signed-off-by: XIAO WU <shawdoxwu@gmail.com>
Thanks,
xiao
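
The guarded cleanup that the mail above points to, as an added example that is not part of the original mail or of the selftest. It is a user-space model: skel_model, link_model, run_test_model() and the fail_at parameter are hypothetical stand-ins, and the link destroy helper is assumed to accept NULL.

```c
/* Added example: user-space model of the guarded cleanup; all *_model names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
struct skel_model { int attached; };
struct link_model { int id; };
int detach_calls, destroy_calls, link_destroy_calls;

/* Like the generated helper in the mail, this dereferences obj unconditionally. */
static void skel_detach_model(struct skel_model *obj) { obj->attached = 0; detach_calls++; }
static void skel_destroy_model(struct skel_model *obj) { free(obj); destroy_calls++; }
/* Assumption of this model: destroying a NULL link is a no-op. */
static void link_destroy_model(struct link_model *l) { if (l) { free(l); link_destroy_calls++; } }

/* fail_at: 0 = before the skeleton is opened, 1 = after load, 2 = after link1, 3 = none. */
int run_test_model(int fail_at)
{
	struct skel_model *skel = NULL;
	struct link_model *link1 = NULL, *link2 = NULL;
	int err = -1;
	detach_calls = destroy_calls = link_destroy_calls = 0;
	if (fail_at == 0)
		goto cleanup;		/* environment setup failed, skel still NULL */
	skel = calloc(1, sizeof(*skel));
	if (!skel || fail_at == 1)
		goto cleanup;
	skel->attached = 1;
	link1 = calloc(1, sizeof(*link1));
	if (!link1 || fail_at == 2)
		goto cleanup;
	link2 = calloc(1, sizeof(*link2));
	if (!link2)
		goto cleanup;
	err = 0;
cleanup:
	link_destroy_model(link1);
	link_destroy_model(link2);
	if (skel) {			/* the guard the nearby tests already use */
		skel_detach_model(skel);
		skel_destroy_model(skel);
	}
	return err;
}
int main(void)
{
	for (int stage = 0; stage <= 3; stage++) {
		int ret = run_test_model(stage);
		printf("fail_at=%d ret=%d detach=%d destroy=%d links=%d\n",
		       stage, ret, detach_calls, destroy_calls, link_destroy_calls);
	}
	return 0;
}
```

With fail_at=0 the cleanup label is reached with skel == NULL and neither skeleton helper runs; every later failure point detaches and destroys exactly once.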