From: Tao Chen <chen.dylane@linux.dev>
To: bot+bpf-ci@kernel.org, song@kernel.org, jolsa@kernel.org,
ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
martin.lau@linux.dev, eddyz87@gmail.com, yonghong.song@linux.dev,
john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me,
haoluo@google.com
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
martin.lau@kernel.org, clm@meta.com, ihor.solodrai@linux.dev
Subject: Re: [PATCH bpf-next v2 2/2] bpf: Add preempt disable for bpf_get_stackid
Date: Fri, 6 Feb 2026 17:58:00 +0800 [thread overview]
Message-ID: <9da8a837-697b-4753-bdd7-e0e766c9221e@linux.dev> (raw)
In-Reply-To: <0062e81b59efb3839bd4f9a3459cc54730dbbfb9dd2f688df72d3b4669cab90e@mail.kernel.org>
在 2026/2/6 17:34, bot+bpf-ci@kernel.org 写道:
>> diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
>> index 1b100a03ef2e..d263f851f084 100644
>> --- a/kernel/bpf/stackmap.c
>> +++ b/kernel/bpf/stackmap.c
>
> [ ... ]
>
>> @@ -280,12 +297,22 @@ static long __bpf_get_stackid(struct bpf_map *map,
>> /* for build_id+offset, pop a bucket before slow cmp */
>> new_bucket = (struct stack_map_bucket *)
>> pcpu_freelist_pop(&smap->freelist);
>> - if (unlikely(!new_bucket))
>> - return -ENOMEM;
>> + if (unlikely(!new_bucket)) {
>> + ret = -ENOMEM;
>> + goto go_out;
>> + }
>> new_bucket->nr = trace_nr;
>> id_offs = (struct bpf_stack_build_id *)new_bucket->data;
>> for (i = 0; i < trace_nr; i++)
>> id_offs[i].ip = ips[i];
>> +
>> + /*
>> + * It is safe after perf callchain ips copied to bucket buffer
>> + * to reduce the length of preempt section, we can enable preempt here.
>> + */
>> + if (!trace_in)
>> + preempt_enable();
>> +
>
> When the stack_map_use_build_id() path falls through to insert a new entry
> (neither the hash_matches early return nor the -EEXIST early return is
> taken), this preempt_enable() is called here, and then the code continues
> to go_out where preempt_enable() is called again.
>
> The sequence when trace_in == NULL:
>
> preempt_disable() // entering __bpf_get_stackid
> ...
> if (!trace_in)
> preempt_enable(); // here, after copying IPs
> ...
> // fall through to insert new entry
> new_bucket->hash = hash;
> ...
> xchg(&smap->buckets[id], new_bucket);
> ...
> go_out:
> if (!trace_in)
> preempt_enable(); // second enable - imbalanced
>
> The two direct returns (return id and return -EEXIST) after the early
> preempt_enable() correctly bypass go_out. However, when inserting a new
> stack trace (the normal case when no exact match exists and the bucket
> can be reused), the code falls through to go_out and calls preempt_enable()
> a second time.
>
will fix it in v3, and wait for other comments from matainers.
> Could this cause preempt_count underflow when using BPF_F_STACK_BUILD_ID
> maps with bpf_get_stackid()?
>
>> @@ -317,31 +349,21 @@ static long __bpf_get_stackid(struct bpf_map *map,
>> old_bucket = xchg(&smap->buckets[id], new_bucket);
>> if (old_bucket)
>> pcpu_freelist_push(&smap->freelist, &old_bucket->fnode);
>> - return id;
>> +
>> +go_out:
>> + if (!trace_in)
>> + preempt_enable();
>> + return ret;
>> }
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21745231308
>
> AI-authorship-score: low
> AI-authorship-explanation: The commit shows typical human patterns including a control-flow bug from manual refactoring that AI would likely catch, combined with natural but slightly awkward phrasing in comments.
> issues-found: 1
> issue-severity-score: high
> issue-severity-explanation: Preempt count underflow in the build_id path causes kernel warnings and potential system instability when inserting new stack traces.
--
Best Regards
Tao Chen
next prev parent reply other threads:[~2026-02-06 9:58 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-06 9:06 [PATCH bpf-next v2 1/2] bpf: Add preempt disable for bpf_get_stack Tao Chen
2026-02-06 9:06 ` [PATCH bpf-next v2 2/2] bpf: Add preempt disable for bpf_get_stackid Tao Chen
2026-02-06 9:34 ` bot+bpf-ci
2026-02-06 9:58 ` Tao Chen [this message]
2026-02-06 17:20 ` Andrii Nakryiko
2026-02-11 7:18 ` Tao Chen
2026-02-06 14:19 ` [syzbot ci] Re: bpf: Add preempt disable for bpf_get_stack syzbot ci
2026-02-06 17:12 ` [PATCH bpf-next v2 1/2] " Andrii Nakryiko
2026-02-11 7:10 ` Tao Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9da8a837-697b-4753-bdd7-e0e766c9221e@linux.dev \
--to=chen.dylane@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bot+bpf-ci@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clm@meta.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=ihor.solodrai@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.