From: Martin KaFai Lau <martin.lau@linux.dev>
To: Amery Hung <ameryhung@gmail.com>
Cc: netdev@vger.kernel.org, alexei.starovoitov@gmail.com,
andrii@kernel.org, daniel@iogearbox.net, tj@kernel.org,
martin.lau@kernel.org, kernel-team@meta.com, bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v5 3/7] bpf: Pin associated struct_ops when registering async callback
Date: Thu, 6 Nov 2025 11:37:52 -0800 [thread overview]
Message-ID: <84012d65-e0aa-462f-b62d-14f6ea07e1df@linux.dev> (raw)
In-Reply-To: <CAMB2axPayfZOZnGK83eWxYTg9k0uno_y87_0ePE_FD6V+4tnfA@mail.gmail.com>
On 11/6/25 9:57 AM, Amery Hung wrote:
> On Wed, Nov 5, 2025 at 6:13 PM Martin KaFai Lau <martin.lau@linux.dev> wrote:
>>
>> On 11/4/25 9:26 AM, Amery Hung wrote:
>>> Take a refcount of the associated struct_ops map to prevent the map from
>>> being freed when an async callback scheduled from a struct_ops program
>>> runs.
>>>
>>> Since struct_ops programs do not take refcounts on the struct_ops map,
>>> it is possible for a struct_ops map to be freed when an async callback
>>> scheduled from it runs. To prevent this, take a refcount on prog->aux->
>>> st_ops_assoc and save it in a newly created struct bpf_async_res for
>>> every async mechanism. The reference needs to be preserved in
>>> bpf_async_res since prog->aux->st_ops_assoc can be poisoned anytime
>>> and reference leak could happen.
>>>
>>> bpf_async_res will contain a async callback's BPF program and resources
>>> related to the BPF program. The resources will be acquired when
>>> registering a callback and released when cancelled or when the map
>>> associated with the callback is freed.
>>>
>>> Also rename drop_prog_refcnt to bpf_async_cb_reset to better reflect
>>> what it now does.
>>>
>>
>> [ ... ]
>>
>>> +static int bpf_async_res_get(struct bpf_async_res *res, struct bpf_prog *prog)
>>> +{
>>> + struct bpf_map *st_ops_assoc = NULL;
>>> + int err;
>>> +
>>> + prog = bpf_prog_inc_not_zero(prog);
>>> + if (IS_ERR(prog))
>>> + return PTR_ERR(prog);
>>> +
>>> + st_ops_assoc = READ_ONCE(prog->aux->st_ops_assoc);
>>> + if (prog->type == BPF_PROG_TYPE_STRUCT_OPS &&
>>> + st_ops_assoc && st_ops_assoc != BPF_PTR_POISON) {
>>> + st_ops_assoc = bpf_map_inc_not_zero(st_ops_assoc);
>>
>> The READ_ONCE and inc_not_zero is an unusual combo. Should it be
>> rcu_dereference and prog->aux->st_ops_assoc should be "__rcu" tagged?
>>
>
> Understood the underlying struct_ops map is protected by RCU, but
> prog->aux->st_ops_assoc is not protected by RCU and can change
> anytime.
hmm... at least for BPF_PROG_TYPE_STRUCT_OPS, the struct_ops map refcnt
is not taken in patch 2. The prog->aux->st_ops_assoc can be used is
because of the rcu gp.
Another thing I am likely missing is, the refcnted st_ops_assoc is saved
in res->st_ops_assoc. If I read it correctly, the kfunc is using
bpf_prog_get_assoc_struct_ops() which is reading from
[prog->]aux->st_ops_assoc instead of the saved res->st_ops_assoc. Can
the aux->st_ops_assoc be pointing to another struct_ops map different
from res->st_ops_assoc?
next prev parent reply other threads:[~2025-11-06 19:38 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-04 17:26 [PATCH bpf-next v5 0/7] Support associating BPF programs with struct_ops Amery Hung
2025-11-04 17:26 ` [PATCH bpf-next v5 1/7] bpf: Allow verifier to fixup kernel module kfuncs Amery Hung
2025-11-04 17:26 ` [PATCH bpf-next v5 2/7] bpf: Support associating BPF program with struct_ops Amery Hung
2025-11-04 17:54 ` bot+bpf-ci
2025-11-04 18:03 ` Amery Hung
2025-11-04 21:59 ` Song Liu
2025-11-04 23:26 ` Amery Hung
2025-11-04 22:47 ` Andrii Nakryiko
2025-11-04 23:27 ` Amery Hung
2025-11-06 0:57 ` Martin KaFai Lau
2025-11-06 1:01 ` Amery Hung
2025-11-06 2:17 ` Martin KaFai Lau
2025-11-04 17:26 ` [PATCH bpf-next v5 3/7] bpf: Pin associated struct_ops when registering async callback Amery Hung
2025-11-04 18:03 ` bot+bpf-ci
2025-11-04 18:10 ` Amery Hung
2025-11-04 23:20 ` Andrii Nakryiko
2025-11-05 23:03 ` Amery Hung
2025-11-06 16:54 ` Andrii Nakryiko
2025-11-06 2:13 ` Martin KaFai Lau
2025-11-06 17:57 ` Amery Hung
2025-11-06 19:37 ` Martin KaFai Lau [this message]
2025-11-04 17:26 ` [PATCH bpf-next v5 4/7] libbpf: Add support for associating BPF program with struct_ops Amery Hung
2025-11-04 17:54 ` bot+bpf-ci
2025-11-04 23:27 ` Andrii Nakryiko
2025-11-04 23:26 ` Andrii Nakryiko
2025-11-04 23:39 ` Amery Hung
2025-11-05 0:46 ` Andrii Nakryiko
2025-11-04 17:26 ` [PATCH bpf-next v5 5/7] selftests/bpf: Test BPF_PROG_ASSOC_STRUCT_OPS command Amery Hung
2025-11-04 17:26 ` [PATCH bpf-next v5 6/7] selftests/bpf: Test ambiguous associated struct_ops Amery Hung
2025-11-04 17:26 ` [PATCH bpf-next v5 7/7] selftests/bpf: Test getting associated struct_ops in timer callback Amery Hung
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=84012d65-e0aa-462f-b62d-14f6ea07e1df@linux.dev \
--to=martin.lau@linux.dev \
--cc=alexei.starovoitov@gmail.com \
--cc=ameryhung@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@meta.com \
--cc=martin.lau@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.