From: sashiko-bot@kernel.org
To: "Justin Suess" <utilityemal77@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 1/2] bpf: Implement dtor for struct file BTF ID
Date: Thu, 23 Apr 2026 22:32:01 +0000 [thread overview]
Message-ID: <20260423223202.7237EC2BCAF@smtp.kernel.org> (raw)
In-Reply-To: <20260423152239.4140627-2-utilityemal77@gmail.com>
Sashiko AI review found 1 potential issue(s):
- [High] bpf_file_release_dtor calls fput(), which is not NMI-safe and can cause a system deadlock when a struct file kptr is dropped from NMI context.
--
commit 37dfae0a149d4a18858208a4dfafb133d94b8e0d
Author: Justin Suess <utilityemal77@gmail.com>
bpf: Implement dtor for struct file BTF ID
This commit implements a destructor for struct file, allowing it to be
stored in a map as a referenced kptr. The destructor relies on fput() to
release the file reference.
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 2bb60200c2665..ee5ceb82e4f81 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2752,6 +2753,13 @@ __bpf_kfunc void bpf_task_release_dtor(void *p)
> }
> CFI_NOSEAL(bpf_task_release_dtor);
>
> +__bpf_kfunc void bpf_file_release_dtor(void *file)
> +{
> + fput((struct file *)file);
Can calling fput() here lead to a system deadlock if the destructor is
invoked from NMI context?
When a map element containing a struct file kptr is replaced or deleted, BPF
synchronously calls the destructor on the old pointer. BPF map updates can
be performed by programs executing in NMI context, such as perf event
programs or fentry programs attached to NMI handlers.
If the file's refcount reaches 0, fput() invokes __fput_deferred(). In NMI
context, __fput_deferred() skips task_work_add() and falls back to calling
schedule_delayed_work().
The schedule_delayed_work() function queues the work using add_timer_global()
or add_timer_on(), which acquire the timer_base raw spinlock. If the NMI
preempted code that was already holding this spinlock, the system will
deadlock.
Does dropping file references from BPF map destructors need to be deferred
using an NMI-safe mechanism, such as irq_work?
> +}
> +
> +CFI_NOSEAL(bpf_file_release_dtor);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260423152239.4140627-1-utilityemal77@gmail.com?part=1
next prev parent reply other threads:[~2026-04-23 22:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-23 15:22 [PATCH bpf-next v2 0/2] Allow storing referenced struct file kptrs in BPF maps Justin Suess
2026-04-23 15:22 ` [PATCH bpf-next v2 1/2] bpf: Implement dtor for struct file BTF ID Justin Suess
2026-04-23 16:16 ` bot+bpf-ci
2026-04-23 22:32 ` sashiko-bot [this message]
2026-04-23 15:22 ` [PATCH bpf-next v2 2/2] selftests/bpf: Add test for map-stored struct file kptrs Justin Suess
2026-04-23 22:52 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260423223202.7237EC2BCAF@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
--cc=utilityemal77@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox