From: Jiri Olsa <olsajiri@gmail.com>
To: bot+bpf-ci@kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
bpf@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
kafai@fb.com, eddyz87@gmail.com, songliubraving@fb.com,
yhs@fb.com, menglong8.dong@gmail.com, rostedt@kernel.org,
martin.lau@kernel.org, yonghong.song@linux.dev, clm@meta.com,
ihor.solodrai@linux.dev
Subject: Re: [PATCHv3 bpf-next 08/24] bpf: Add bpf_trampoline_multi_attach/detach functions
Date: Mon, 16 Mar 2026 22:16:29 +0100 [thread overview]
Message-ID: <abhzLaMUFHVow7ZI@krava> (raw)
In-Reply-To: <d97442169a77b667c7f12664cd684f51a8914d4e2c05ef64344aacaae11c3415@mail.kernel.org>
On Mon, Mar 16, 2026 at 08:35:15AM +0000, bot+bpf-ci@kernel.org wrote:
> > The detach works as follows:
> > - we lock all the needed trampolines
> > - remove the program from each (__bpf_trampoline_unlink_prog)
> > - the trampoline_multi_ops passed in __bpf_trampoline_link_prog gathers
> > ftrace_hash (ip -> trampoline) objects
>
> The detach description references __bpf_trampoline_link_prog, but the
> detach path calls __bpf_trampoline_unlink_prog.
ack
>
> > diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
> > index d55651b13511..9331cca8c0b4 100644
> > --- a/kernel/bpf/trampoline.c
> > +++ b/kernel/bpf/trampoline.c
>
> [ ... ]
>
> > +static int modify_fentry_multi(struct bpf_trampoline *tr, u32 orig_flags, void *old_addr,
> > + void *new_addr, bool lock_direct_mutex, void *ptr)
> > +{
> > + unsigned long addr = (unsigned long) new_addr;
> > + unsigned long ip = ftrace_location(tr->ip);
> > + struct fentry_multi_data *data = ptr;
> > +
> > + if (bpf_trampoline_use_jmp(tr->flags))
> > + addr = ftrace_jmp_set(addr);
> > + return add_ftrace_hash_entry_direct(data->modify, ip, addr) ? 0 : -ENOMEM;
> > +}
>
> Unlike the standard modify_fentry() which calls direct_ops_mod() ->
> update_ftrace_direct_mod() to update ftrace immediately,
> modify_fentry_multi() only adds a hash entry. The actual ftrace
> update is deferred until after the link loop.
>
> This matters because bpf_trampoline_update() unconditionally calls
> bpf_tramp_image_put() on the old cur_image after a successful
> modify_fentry callback:
>
> bpf_trampoline_update() {
> ...
> err = ops->modify_fentry(tr, ...);
> ...
> if (tr->cur_image)
> bpf_tramp_image_put(tr->cur_image);
> tr->cur_image = im;
> }
>
> With the standard ops, the old image is already unreachable when put.
> With multi ops, ftrace still points to the old image when it is put.
> bpf_tramp_image_put() text-pokes the old image to skip fexit programs
> and starts deferred freeing.
>
> In the success path, the window between image_put and the batched
> update_ftrace_direct_mod is brief (bounded by trampoline_lock_all).
>
> However, in the rollback path below, ftrace is never updated at all:
>
> [ ... ]
>
> > + trampoline_lock_all();
> > +
> > + for (i = 0; i < cnt; i++) {
> > + mnode = &link->nodes[i];
> > + err = __bpf_trampoline_link_prog(&mnode->node, mnode->trampoline, NULL,
> > + &trampoline_multi_ops, &data);
> > + if (err)
> > + goto rollback_unlink;
> > + }
>
> [ ... ]
>
> > +rollback_unlink:
> > + for (j = 0; j < i; j++) {
> > + mnode = &link->nodes[j];
> > + WARN_ON_ONCE(__bpf_trampoline_unlink_prog(&mnode->node, mnode->trampoline,
> > + NULL, &trampoline_multi_ops, &data));
> > + }
> > + trampoline_unlock_all();
> > +
> > + i = cnt;
>
> If a trampoline at index 0 already had programs attached through the
> standard single-trampoline path, and __bpf_trampoline_link_prog
> succeeds for it but fails for a later trampoline, the rollback path
> restores tr->cur_image to a correct new image but never calls
> update_ftrace_direct_mod.
>
> At that point, ftrace still routes calls through the old image that
> was put during the link phase. bpf_tramp_image_put() has already
> patched that old image to skip fexit programs and started the deferred
> freeing sequence (percpu_ref_kill).
>
> Could this leave existing fexit/fmod_ret programs on that trampoline
> non-functional? And once the percpu_ref drains during a quiet period,
> would the old image be freed while ftrace still references it?
good catch, we need the update_ftrace_direct_mod call after the unlink,
I changed the rollback test to hit the described issue, will fix
>
> [ ... ]
>
> > +int bpf_trampoline_multi_detach(struct bpf_prog *prog, struct bpf_tracing_multi_link *link)
> > +{
> > + struct bpf_tracing_multi_node *mnode;
> > + struct fentry_multi_data data = {};
> > + int i, cnt = link->nodes_cnt;
> > +
> > + data.unreg = alloc_ftrace_hash(FTRACE_HASH_DEFAULT_BITS);
> > + data.modify = alloc_ftrace_hash(FTRACE_HASH_DEFAULT_BITS);
> > +
> > + if (!data.unreg || !data.modify) {
> > + free_fentry_multi_data(&data);
> > + return -ENOMEM;
> > + }
>
> bpf_trampoline_multi_detach can return -ENOMEM here without detaching
> anything. In e80a839e3d2c ("bpf: Add support for tracing multi
> link"), this is called from bpf_tracing_multi_link_release():
>
> WARN_ON_ONCE(bpf_trampoline_multi_detach(link->prog, tr_link));
>
> If detach fails, the programs remain linked to the trampolines via
> mnode->node.tramp_hlist, but the link (and its embedded nodes array)
> is freed by bpf_tracing_multi_link_dealloc(). Would this leave
> dangling hlist entries in each trampoline's progs_hlist?
not sure there's anything useful we could do if allocation fails
jirka
next prev parent reply other threads:[~2026-03-16 21:16 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-16 7:51 [PATCHv3 bpf-next 00/24] bpf: tracing_multi link Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 01/24] ftrace: Add ftrace_hash_count function Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 02/24] bpf: Use mutex lock pool for bpf trampolines Jiri Olsa
2026-03-16 8:35 ` bot+bpf-ci
2026-03-16 21:16 ` Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 03/24] bpf: Add struct bpf_trampoline_ops object Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 04/24] bpf: Add struct bpf_tramp_node object Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 05/24] bpf: Factor fsession link to use struct bpf_tramp_node Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 06/24] bpf: Add multi tracing attach types Jiri Olsa
2026-03-19 16:31 ` kernel test robot
2026-03-19 18:29 ` kernel test robot
2026-03-16 7:51 ` [PATCHv3 bpf-next 07/24] bpf: Move sleepable verification code to btf_id_allow_sleepable Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 08/24] bpf: Add bpf_trampoline_multi_attach/detach functions Jiri Olsa
2026-03-16 8:35 ` bot+bpf-ci
2026-03-16 21:16 ` Jiri Olsa [this message]
2026-03-20 10:18 ` kernel test robot
2026-03-16 7:51 ` [PATCHv3 bpf-next 09/24] bpf: Add support for tracing multi link Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 10/24] bpf: Add support for tracing_multi link cookies Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 11/24] bpf: Add support for tracing_multi link session Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 12/24] bpf: Add support for tracing_multi link fdinfo Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 13/24] libbpf: Add bpf_object_cleanup_btf function Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 14/24] libbpf: Add bpf_link_create support for tracing_multi link Jiri Olsa
2026-03-16 8:35 ` bot+bpf-ci
2026-03-16 21:16 ` Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 15/24] libbpf: Add btf_type_is_traceable_func function Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 16/24] libbpf: Add support to create tracing multi link Jiri Olsa
2026-03-16 8:35 ` bot+bpf-ci
2026-03-16 21:16 ` Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 17/24] selftests/bpf: Add tracing multi skel/pattern/ids attach tests Jiri Olsa
2026-03-17 3:04 ` Leon Hwang
2026-03-17 17:18 ` Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 18/24] selftests/bpf: Add tracing multi skel/pattern/ids module " Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 19/24] selftests/bpf: Add tracing multi intersect tests Jiri Olsa
2026-03-17 3:05 ` Leon Hwang
2026-03-17 17:18 ` Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 20/24] selftests/bpf: Add tracing multi cookies test Jiri Olsa
2026-03-17 3:06 ` Leon Hwang
2026-03-17 17:18 ` Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 21/24] selftests/bpf: Add tracing multi session test Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 22/24] selftests/bpf: Add tracing multi attach fails test Jiri Olsa
2026-03-17 3:06 ` Leon Hwang
2026-03-17 17:19 ` Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 23/24] selftests/bpf: Add tracing multi attach benchmark test Jiri Olsa
2026-03-17 3:09 ` Leon Hwang
2026-03-17 17:19 ` Jiri Olsa
2026-03-16 7:51 ` [PATCHv3 bpf-next 24/24] selftests/bpf: Add tracing multi attach rollback tests Jiri Olsa
2026-03-17 3:20 ` Leon Hwang
2026-03-17 17:19 ` Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abhzLaMUFHVow7ZI@krava \
--to=olsajiri@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bot+bpf-ci@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clm@meta.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=ihor.solodrai@linux.dev \
--cc=kafai@fb.com \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=martin.lau@kernel.org \
--cc=menglong8.dong@gmail.com \
--cc=rostedt@kernel.org \
--cc=songliubraving@fb.com \
--cc=yhs@fb.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.