From: Leon Hwang <leon.hwang@linux.dev>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>, bot+bpf-ci@kernel.org
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Amery Hung <ameryhung@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
kernel-patches-bot@fb.com,
Martin KaFai Lau <martin.lau@kernel.org>,
Chris Mason <clm@meta.com>,
Ihor Solodrai <ihor.solodrai@linux.dev>
Subject: Re: [PATCH bpf-next v5 2/2] selftests/bpf: Add test to verify freeing the special fields when update [lru_,]percpu_hash maps
Date: Wed, 5 Nov 2025 22:09:49 +0800 [thread overview]
Message-ID: <ca11cc02-0cf6-48aa-8840-1662fa61dbbc@linux.dev> (raw)
In-Reply-To: <CAADnVQJZbyQWaUTzB0=82mq+hSVqxGb679cW1=t=OFCRuCVdXQ@mail.gmail.com>
On 2025/11/5 01:37, Alexei Starovoitov wrote:
> On Tue, Nov 4, 2025 at 6:52 AM <bot+bpf-ci@kernel.org> wrote:
>>
>>> diff --git a/tools/testing/selftests/bpf/progs/refcounted_kptr.c b/tools/testing/selftests/bpf/progs/refcounted_kptr.c
>>> index 893a4fdb4..87b0cc018 100644
>>> --- a/tools/testing/selftests/bpf/progs/refcounted_kptr.c
>>> +++ b/tools/testing/selftests/bpf/progs/refcounted_kptr.c
>>
>> [ ... ]
>>
>>> @@ -568,4 +568,64 @@ int BPF_PROG(rbtree_sleepable_rcu_no_explicit_rcu_lock,
>>> return 0;
>>> }
>>>
>>> +private(kptr_ref) u64 ref;
>>> +
>>> +static int probe_read_refcount(void)
>>> +{
>>> + u32 refcount;
>>> +
>>> + bpf_probe_read_kernel(&refcount, sizeof(refcount), (void *) ref);
>>> + return refcount;
>>> +}
>>> +
>>> +static int __insert_in_list(struct bpf_list_head *head, struct bpf_spin_lock *lock,
>>> + struct node_data __kptr **node)
>>> +{
>>> + struct node_data *n, *m;
>>> +
>>> + n = bpf_obj_new(typeof(*n));
>>> + if (!n)
>>> + return -1;
>>> +
>>> + m = bpf_refcount_acquire(n);
>>> + n = bpf_kptr_xchg(node, n);
>>> + if (n) {
>>> + bpf_obj_drop(n);
>>> + bpf_obj_drop(m);
>>> + return -2;
>>> + }
>>
>> In __insert_in_list(), after bpf_kptr_xchg() stores the new object in
>> the map and returns the old value in n, can the error path drop both
>> n and m? At this point, the new object (pointed to by m) is already
>> referenced by the map. Dropping m here would free an object that the
>> map still points to, leaving a dangling pointer.
>
> AI is wrong, but I bet it got confused by reuse of variable 'n'.
> It's hard for humans too.
> Leon,
> please use a different var.
> n = bpf_kptr_xchg(node, n); is a head scratcher.
No problem.
I'll update the variable names in the next revision.
>
> Also see Yonghong's comment on v4 which I suspect applies to v5.
That was actually a misunderstanding — he didn't run the newly added tests.
Still, I'll update the test name to include "refcounted_kptr" to make it
clearer and help avoid such confusion in the future.
Thanks,
Leon
prev parent reply other threads:[~2025-11-05 14:10 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-04 14:27 [PATCH bpf-next v5 0/2] bpf: Free special fields when update [lru_,]percpu_hash maps Leon Hwang
2025-11-04 14:27 ` [PATCH bpf-next v5 1/2] " Leon Hwang
2025-11-04 14:27 ` [PATCH bpf-next v5 2/2] selftests/bpf: Add test to verify freeing the " Leon Hwang
2025-11-04 14:52 ` bot+bpf-ci
2025-11-04 17:37 ` Alexei Starovoitov
2025-11-05 14:09 ` Leon Hwang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ca11cc02-0cf6-48aa-8840-1662fa61dbbc@linux.dev \
--to=leon.hwang@linux.dev \
--cc=alexei.starovoitov@gmail.com \
--cc=ameryhung@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bot+bpf-ci@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clm@meta.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=ihor.solodrai@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kernel-patches-bot@fb.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.