From: sashiko-bot@kernel.org
To: "Yiyang Chen" <chenyy23@mails.tsinghua.edu.cn>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next 2/2] selftests/bpf: Cover nullable RCU pointer use after unlock
Date: Sat, 20 Jun 2026 15:32:13 +0000 [thread overview]
Message-ID: <20260620153214.201131F000E9@smtp.kernel.org> (raw)
In-Reply-To: <ed2b303079d5955af859daaae94dfde5d29bd64d.1781968391.git.chenyy23@mails.tsinghua.edu.cn>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] The newly added tests fail to test `MEM_RCU` pointer use-after-unlock behavior because the pointer is not an `__rcu` pointer and is read outside the explicit RCU critical section.
--
commit 78986d2dc799ce86278ca6d6e66b17c43c68dbeb
Author: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>
selftests/bpf: Cover nullable RCU pointer use after unlock
Add coverage for nullable BTF pointers that are read under
bpf_rcu_read_lock() and then used after bpf_rcu_read_unlock().
> diff --git a/tools/testing/selftests/bpf/progs/rcu_read_lock.c b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
> index b4e073168fb15..b78542706fbce 100644
> --- a/tools/testing/selftests/bpf/progs/rcu_read_lock.c
> +++ b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
[ ... ]
> @@ -372,6 +372,26 @@ int cross_rcu_region(void *ctx)
> return 0;
> }
>
> +SEC("?tp_btf/net_dev_queue")
> +int BPF_PROG(rcu_null_check_after_unlock, struct sk_buff *skb)
> +{
> + bpf_rcu_read_lock();
> + bpf_rcu_read_unlock();
> +
> + if (!skb->sk)
> + return 0;
> + return skb->sk->__sk_common.skc_daddr;
> +}
[Severity: Medium]
Since the skb->sk pointer is loaded after the explicit bpf_rcu_read_unlock()
call, does this actually test the MEM_RCU trust behavior?
Because skb->sk is not an __rcu pointer and the load occurs completely outside
the RCU critical section, it appears the lock and unlock calls here are
isolated and have no effect on the pointer's trust state in the verifier.
> +
> +SEC("?tp_btf/net_dev_queue")
> +int BPF_PROG(rcu_null_deref_after_unlock, struct sk_buff *skb)
> +{
> + bpf_rcu_read_lock();
> + bpf_rcu_read_unlock();
> +
> + return skb->sk->__sk_common.skc_daddr;
> +}
[Severity: Medium]
Is this negative test being rejected by the verifier for the wrong reason?
Because skb->sk is a standard PTR_MAYBE_NULL, the verifier will reject the
dereference due to the missing NULL check regardless of the RCU unlock.
Could this mask the absence of the intended RCU reference tracking coverage?
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1781968391.git.chenyy23@mails.tsinghua.edu.cn?part=2
prev parent reply other threads:[~2026-06-20 15:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-20 15:17 [PATCH bpf-next 0/2] bpf: Preserve RCU pointer nullness after unlock Yiyang Chen
2026-06-20 15:17 ` [PATCH bpf-next 1/2] bpf: Preserve nullable RCU pointer state on unlock Yiyang Chen
2026-06-20 17:44 ` Alexei Starovoitov
2026-06-20 15:17 ` [PATCH bpf-next 2/2] selftests/bpf: Cover nullable RCU pointer use after unlock Yiyang Chen
2026-06-20 15:32 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260620153214.201131F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=chenyy23@mails.tsinghua.edu.cn \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.