From: sashiko-bot@kernel.org
To: "Kaitao cheng" <kaitao.cheng@linux.dev>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH RESEND bpf-next v10 8/8] selftests/bpf: Add test cases for bpf_list_del/add/is_first/is_last/empty
Date: Wed, 13 May 2026 22:44:39 +0000 [thread overview]
Message-ID: <20260513224439.C75C5C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260512055919.95716-9-kaitao.cheng@linux.dev>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Low] Latent verifier errors (use-after-release and memory leak) in the negative test `list_add_without_lock_fail`.
--
commit 37523e4b94785be6995dc6c7cf660c200eca4aef
Author: Kaitao Cheng <chengkaitao@kylinos.cn>
selftests/bpf: Add test cases for bpf_list_del/add/is_first/is_last/empty
This commit extends the refcounted_kptr selftests by adding new test cases
for BPF linked list operations. It includes both successful path tests and
negative tests verifying that the verifier correctly rejects operations
made without holding the required spinlock.
> diff --git a/tools/testing/selftests/bpf/progs/refcounted_kptr.c b/tools/testing/selftests/bpf/progs/refcounted_kptr.c
> index c847398837ccd..21ae06797b183 100644
> --- a/tools/testing/selftests/bpf/progs/refcounted_kptr.c
> +++ b/tools/testing/selftests/bpf/progs/refcounted_kptr.c
[ ... ]
> +SEC("?tc")
> +__failure __msg("bpf_spin_lock at off=32 must be held for bpf_list_head")
> +long list_add_without_lock_fail(void *ctx)
> +{
> + struct node_data *n, *prev;
> +
> + n = bpf_obj_new(typeof(*n));
> + if (!n)
> + return -1;
> +
> + prev = bpf_obj_new(typeof(*prev));
> + if (!prev) {
> + bpf_obj_drop(n);
> + return -1;
> + }
> +
> + /* Error case: add list node without holding lock */
> + if (bpf_list_add(&head, &n->l, &prev->l)) {
> + bpf_obj_drop(prev);
> + bpf_obj_drop(n);
Since bpf_list_add() consumes the newly added node (&n->l), would this
subsequent bpf_obj_drop(n) trigger a use-after-release error in the
verifier if it evaluates past the missing spinlock?
> + return -2;
> + }
> +
> + return 0;
Similarly, prev is an owning reference acquired via bpf_obj_new(), but
bpf_list_add() accepts a non-owning reference for the prev argument. Does
this code leak the prev reference by returning 0 here without calling
bpf_obj_drop(prev)?
While the test correctly fails today due to the missing spinlock as
intended, these latent errors could make the test brittle and cause CI
flakes if the verifier's evaluation order changes in the future.
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260512055919.95716-1-kaitao.cheng@linux.dev?part=8
prev parent reply other threads:[~2026-05-13 22:44 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-12 5:59 [PATCH RESEND bpf-next v10 0/8] bpf: Extend the bpf_list family of APIs Kaitao cheng
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 1/8] bpf: refactor __bpf_list_del to take list node pointer Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-12 8:55 ` Kaitao Cheng
2026-05-13 22:30 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 2/8] bpf: clear list node owner and unlink before drop Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-13 22:53 ` Eduard Zingerman
2026-05-14 1:50 ` Alexei Starovoitov
2026-05-13 6:02 ` sashiko-bot
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 3/8] bpf: Introduce the bpf_list_del kfunc Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-12 9:36 ` Kaitao Cheng
2026-05-13 22:32 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 4/8] bpf: refactor __bpf_list_add to take insertion point via **prev_ptr Kaitao cheng
2026-05-13 22:33 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 5/8] bpf: Add bpf_list_add to insert node after a given list node Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-12 12:05 ` Kaitao Cheng
2026-05-13 20:44 ` sashiko-bot
2026-05-13 22:35 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 6/8] bpf: add bpf_list_is_first/last/empty kfuncs Kaitao cheng
2026-05-13 22:35 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 7/8] bpf: allow non-owning list-node args via __nonown_allowed Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-13 22:22 ` sashiko-bot
2026-05-13 22:37 ` Eduard Zingerman
2026-05-13 22:55 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 8/8] selftests/bpf: Add test cases for bpf_list_del/add/is_first/is_last/empty Kaitao cheng
2026-05-13 22:44 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513224439.C75C5C19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kaitao.cheng@linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox