From: Martin KaFai Lau <martin.lau@linux.dev>
To: xulang@uniontech.com
Cc: bot+bpf-ci@kernel.org, andrii@kernel.org, ast@kernel.org,
bpf@vger.kernel.org, clm@meta.com, daniel@iogearbox.net,
dddddd@hust.edu.cn, dzm91@hust.edu.cn, eddyz87@gmail.com,
hust-os-kernel-patches@googlegroups.com, ihor.solodrai@linux.dev,
kaiyanm@hust.edu.cn, martin.lau@kernel.org, sdf@fomichev.me,
yonghong.song@linux.dev
Subject: Re: [PATCH bpf v3] bpf: fix: Race condition in bpf_trampoline_unlink_cgroup_shim
Date: Mon, 2 Mar 2026 18:39:30 -0800
Message-ID: <ad50571a-ce13-47c9-ba5d-570adb4fc689@linux.dev>
In-Reply-To: <5a89fd3edd5e90ed47ff1189efdfa626f9b4610daa02da46a3a8fe4d5762796c@mail.kernel.org>
On 2/27/26 7:04 PM, bot+bpf-ci@kernel.org wrote:
>> diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
>> --- a/kernel/bpf/trampoline.c
>> +++ b/kernel/bpf/trampoline.c
>
> [ ... ]
>
>> @@ -1003,12 +1004,13 @@ struct bpf_attach_target_info tgt_info = {};
>>
>> shim_link = cgroup_shim_find(tr, bpf_func);
>> if (shim_link) {
>> - /* Reusing existing shim attached by the other program. */
>> - bpf_link_inc(&shim_link->link.link);
>> -
>> - mutex_unlock(&tr->mutex);
>> - bpf_trampoline_put(tr); /* bpf_trampoline_get above */
>> - return 0;
>> + link = &shim_link->link.link;
>> + if (link == bpf_link_inc_not_zero(link)) {
>
> The other callers of bpf_link_inc_not_zero() check the return value
> using IS_ERR(), for example bpf_link_by_id():
>
> link = bpf_link_inc_not_zero(link);
>
> and bpf_link_get_curr_or_next():
>
> link = bpf_link_inc_not_zero(link);
> if (IS_ERR(link)) {
>
> Should this use the same IS_ERR() pattern for consistency? Something
> like:
>
> if (!IS_ERR(bpf_link_inc_not_zero(link))) {

The same feedback by ai-review. I don't have a strong opinion. However,
the newly added "struct bpf_link *link" variable is not needed also. I
would carry the ai's suggestion further and remove the new local
variable also. Just test:

	if (!IS_ERR(bpf_link_inc_not_zero(&shim_link->link.link))) {

>
>> + /* Reusing existing shim attached by the other program. */
>> + mutex_unlock(&tr->mutex);
>> + bpf_trampoline_put(tr); /* bpf_trampoline_get above */
>> + return 0;
>> + }
>> }
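Review bot: In the rewritten `if (shim_link)` block, the case where bpf_link_inc_not_zero() fails has neither a branch nor a comment. Control leaves the block with tr->mutex still held and continues into the code that follows, which these lines do not show, even though cgroup_shim_find() has just returned a shim whose refcount is already zero. A short comment at the inner closing brace stating that such a shim must not be reused, and what the path below does instead, would make the fall-through reviewable. The test itself reads more clearly as `if (!IS_ERR(bpf_link_inc_not_zero(link))) {`, matching the other callers quoted in this thread.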
>
> This commit fixes a use-after-free introduced by commit 69fd337a975c
> ("bpf: per-cgroup lsm flavor"), which added the bpf_link_inc() call
> that could resurrect a zero-refcount link. It appears to be missing
> a Fixes: tag. Martin KaFai Lau's review of v2 also expected this tag
> to be present.

Indeed, please ensure to address the earlier reviewer's feedback.

pw-bot: cr

>
> Suggested:
>
> Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
>
> https://lore.kernel.org/bpf/cd99eba7-ac03-4b53-a79c-a6206abbddb6@linux.dev/
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/22511586078
>
> AI-authorship-score: low
> AI-authorship-explanation: Human authorship patterns: references maintainer suggestion, informal testing description, iterative v1/v2/v3 development with reviewer feedback, addresses a bug reported by a different researcher.
> issues-found: 2
> issue-severity-score: low
> issue-severity-explanation: Missing Fixes: tag (requested by BPF maintainer) and non-standard bpf_link_inc_not_zero() return value comparison pattern; neither causes runtime problems.
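
The refcount behaviour discussed in this thread, as an added userspace example that is not code from the patch or the kernel: an unconditional increment moves a zero count back to 1, an increment-if-not-zero refuses, and the pointer-equality test and the `IS_ERR()`-style test agree on the outcome. `model_link`, `model_inc`, `model_inc_not_zero`, `model_err_ptr` and `model_is_err` are hypothetical stand-ins, and the `-ENOENT` error-pointer return is an assumption about the real function.

```c
/* Userspace model, added example; not kernel code, all names hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's ERR_PTR() and IS_ERR(). */
static void *model_err_ptr(long err) { return (void *)(intptr_t)err; }
static bool model_is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }

struct model_link { atomic_long refcnt; }; /* 0: release already started */

/* Unconditional increment: also "succeeds" on a link already at zero. */
static long model_inc(struct model_link *l) { return atomic_fetch_add(&l->refcnt, 1) + 1; }

/* Take a reference only while the count is non-zero. */
static struct model_link *model_inc_not_zero(struct model_link *l)
{
	long old = atomic_load(&l->refcnt);

	while (old != 0)	/* a failed CAS reloads 'old' and retries */
		if (atomic_compare_exchange_weak(&l->refcnt, &old, old + 1))
			return l;
	return model_err_ptr(-ENOENT);
}

/* Count after an unconditional increment of a link starting at 'start'. */
static long count_after_inc(long start)
{
	struct model_link l;

	atomic_init(&l.refcnt, start);
	return model_inc(&l);
}

/* 1 if the link may be reused, 0 if it must be treated as gone. */
static int may_reuse(long start, bool use_is_err)
{
	struct model_link l, *ret;

	atomic_init(&l.refcnt, start);
	ret = model_inc_not_zero(&l);
	return use_is_err ? !model_is_err(ret) : ret == &l;
}

int main(void)
{
	printf("%ld %d %d\n", count_after_inc(0), may_reuse(0, true), may_reuse(1, true));
	return 0;
}
```

Because the function returns either its argument or an error pointer, both tests give the same answer; the error-pointer form does not depend on that identity holding.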