From: "Emil Tsalapatis" <emil@etsalapatis.com>
To: "Tamir Duberstein" <tamird@kernel.org>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"Jiri Olsa" <jolsa@kernel.org>, "Shuah Khan" <shuah@kernel.org>,
"Andrea Righi" <arighi@nvidia.com>,
"Xu Kuohai" <xukuohai@huawei.com>,
"Andrea Righi" <andrea.righi@canonical.com>
Cc: <bpf@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<linux-kselftest@vger.kernel.org>,
"Andrew Werner" <awerner32@gmail.com>,
"Zvi Effron" <zeffron@riotgames.com>,
"Andrii Nakryiko" <andriin@fb.com>
Subject: Re: [PATCH bpf 2/6] libbpf: ringbuf: Prevent NULL callback crash
Date: Tue, 16 Jun 2026 20:44:13 -0400 [thread overview]
Message-ID: <DJAWPR7RA9VX.2LHJ0V3EVGR7S@etsalapatis.com> (raw)
In-Reply-To: <20260613-bpf-ringbuf-fixes-v1-2-e623481cb724@kernel.org>
On Sat Jun 13, 2026 at 9:48 PM EDT, Tamir Duberstein wrote:
> ring_buffer__new() and ring_buffer__add() allow a NULL sample
> callback. When callback-based consumption reaches such a ring, it calls
> through the NULL function pointer and crashes.
>
> Validate every ring in a manager before polling or consuming. Return
> -EINVAL without consuming records from an earlier valid ring or waiting
> for an event. Perform the same check before honoring a zero record bound
> so invalid callback consumption consistently reports the error.
>
Can we just prevent a ring from being added with a NULL sample_cb?
What's the use for permitting it? Even if we don't, rechecking the
callbacks every single time we consume the ringbuf seems overkill.
> Fixes: bf99c936f947 ("libbpf: Add BPF ring buffer support")
> Assisted-by: Codex:gpt-5.5
> Signed-off-by: Tamir Duberstein <tamird@kernel.org>
> ---
> tools/lib/bpf/libbpf.h | 11 ++-
> tools/lib/bpf/ringbuf.c | 41 +++++++++--
> tools/testing/selftests/bpf/prog_tests/ringbuf.c | 93 ++++++++++++++++++++++++
> 3 files changed, 134 insertions(+), 11 deletions(-)
>
> diff --git a/tools/lib/bpf/libbpf.h b/tools/lib/bpf/libbpf.h
> index bba4e8464396..9ba6b9ad3498 100644
> --- a/tools/lib/bpf/libbpf.h
> +++ b/tools/lib/bpf/libbpf.h
> @@ -1526,18 +1526,17 @@ LIBBPF_API int ring__map_fd(const struct ring *r);
> *
> * @param r A ringbuffer object.
> * @return The number of records consumed (or INT_MAX, whichever is less), or
> - * a negative number if any of the callbacks return an error.
> + * a negative error code on failure.
> */
> LIBBPF_API int ring__consume(struct ring *r);
>
> /**
> - * @brief **ring__consume_n()** consumes up to a requested amount of items from
> - * a ringbuffer without event polling.
> + * @brief **ring__consume_n()** consumes up to a requested number of records
> + * from a ringbuffer without event polling.
> *
> * @param r A ringbuffer object.
> - * @param n Maximum amount of items to consume.
> - * @return The number of items consumed, or a negative number if any of the
> - * callbacks return an error.
> + * @param n Maximum number of records to consume.
> + * @return The number of records consumed, or a negative error code on failure.
> */
> LIBBPF_API int ring__consume_n(struct ring *r, size_t n);
>
> diff --git a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c
> index f2bb619d5a75..ae7fa79b6217 100644
> --- a/tools/lib/bpf/ringbuf.c
> +++ b/tools/lib/bpf/ringbuf.c
> @@ -231,6 +231,24 @@ static inline int roundup_len(__u32 len)
> return (len + 7) / 8 * 8;
> }
>
> +static int ringbuf_validate(const struct ring *r)
> +{
> + return r->sample_cb ? 0 : -EINVAL;
> +}
> +
> +static int ringbuf_validate_callbacks(const struct ring_buffer *rb)
> +{
> + int i, err;
> +
> + for (i = 0; i < rb->ring_cnt; i++) {
> + err = ringbuf_validate(rb->rings[i]);
> + if (err)
> + return err;
> + }
> +
> + return 0;
> +}
> +
> static int64_t ringbuf_process_ring(struct ring *r, size_t n)
> {
> int *len_ptr, len, err;
> @@ -240,6 +258,9 @@ static int64_t ringbuf_process_ring(struct ring *r, size_t n)
> bool got_new_data;
> void *sample;
>
> + err = ringbuf_validate(r);
> + if (err)
> + return err;
> if (n == 0)
> return 0;
>
> @@ -284,14 +305,17 @@ static int64_t ringbuf_process_ring(struct ring *r, size_t n)
> * records.
> *
> * Returns number of records consumed across all registered ring buffers (or
> - * n, whichever is less), or negative number if any of the callbacks return
> - * error.
> + * n, whichever is less), or a negative error code on failure.
> */
> int ring_buffer__consume_n(struct ring_buffer *rb, size_t n)
> {
> int64_t err, res = 0;
> int i;
>
> + err = ringbuf_validate_callbacks(rb);
> + if (err)
> + return libbpf_err(err);
> +
> for (i = 0; i < rb->ring_cnt; i++) {
> struct ring *ring = rb->rings[i];
>
> @@ -309,14 +333,17 @@ int ring_buffer__consume_n(struct ring_buffer *rb, size_t n)
>
> /* Consume available ring buffer(s) data without event polling.
> * Returns number of records consumed across all registered ring buffers (or
> - * INT_MAX, whichever is less), or negative number if any of the callbacks
> - * return error.
> + * INT_MAX, whichever is less), or a negative error code on failure.
> */
> int ring_buffer__consume(struct ring_buffer *rb)
> {
> int64_t err, res = 0;
> int i;
>
> + err = ringbuf_validate_callbacks(rb);
> + if (err)
> + return libbpf_err(err);
> +
> for (i = 0; i < rb->ring_cnt; i++) {
> struct ring *ring = rb->rings[i];
>
> @@ -334,13 +361,17 @@ int ring_buffer__consume(struct ring_buffer *rb)
>
> /* Poll for available data and consume records, if any are available.
> * Returns number of records consumed (or INT_MAX, whichever is less), or
> - * negative number, if any of the registered callbacks returned error.
> + * a negative error code on failure.
> */
> int ring_buffer__poll(struct ring_buffer *rb, int timeout_ms)
> {
> int i, cnt;
> int64_t err, res = 0;
>
> + err = ringbuf_validate_callbacks(rb);
> + if (err)
> + return libbpf_err(err);
> +
> cnt = epoll_wait(rb->epoll_fd, rb->events, rb->ring_cnt, timeout_ms);
> if (cnt < 0)
> return libbpf_err(-errno);
> diff --git a/tools/testing/selftests/bpf/prog_tests/ringbuf.c b/tools/testing/selftests/bpf/prog_tests/ringbuf.c
> index 4f0558f14847..9ce996bcea8c 100644
> --- a/tools/testing/selftests/bpf/prog_tests/ringbuf.c
> +++ b/tools/testing/selftests/bpf/prog_tests/ringbuf.c
> @@ -401,6 +401,97 @@ static int process_n_sample(void *ctx, void *data, size_t len)
> return 0;
> }
>
> +static int process_noop_sample(void *ctx, void *data, size_t len)
> +{
> + return 0;
> +}
> +
> +static void ringbuf_null_cb_subtest(void)
> +{
> + struct test_ringbuf_n_lskel *skel_n;
> + struct ring_buffer *ringbuf = NULL;
> + struct ring *ring;
> + unsigned long consumer_pos;
> + int no_cb_map_fd = -1;
> + int err;
> +
> + skel_n = test_ringbuf_n_lskel__open();
> + if (!ASSERT_OK_PTR(skel_n, "test_ringbuf_n_lskel__open"))
> + return;
> +
> + skel_n->maps.ringbuf.max_entries = getpagesize();
> + skel_n->bss->pid = getpid();
> + skel_n->bss->value = SAMPLE_VALUE;
> +
> + err = test_ringbuf_n_lskel__load(skel_n);
> + if (!ASSERT_OK(err, "test_ringbuf_n_lskel__load"))
> + goto cleanup;
> +
> + err = test_ringbuf_n_lskel__attach(skel_n);
> + if (!ASSERT_OK(err, "test_ringbuf_n_lskel__attach"))
> + goto cleanup;
> +
> + syscall(__NR_getpgid);
> +
> + no_cb_map_fd = bpf_map_create(BPF_MAP_TYPE_RINGBUF, NULL, 0, 0,
> + getpagesize(), NULL);
> + if (!ASSERT_OK_FD(no_cb_map_fd, "bpf_map_create"))
> + goto cleanup;
> +
> + /* Manager APIs must validate all rings before consuming any of them. */
> + ringbuf = ring_buffer__new(skel_n->maps.ringbuf.map_fd,
> + process_noop_sample, NULL, NULL);
> + if (!ASSERT_OK_PTR(ringbuf, "ring_buffer__new"))
> + goto cleanup_fd;
> +
> + ring = ring_buffer__ring(ringbuf, 0);
> + if (!ASSERT_OK_PTR(ring, "ring_buffer__ring"))
> + goto cleanup_ringbuf;
> +
> + err = ring_buffer__add(ringbuf, no_cb_map_fd, NULL, NULL);
> + if (!ASSERT_OK(err, "ring_buffer__add_no_cb"))
> + goto cleanup_ringbuf;
> +
> + consumer_pos = ring__consumer_pos(ring);
> + ASSERT_GT(ring__producer_pos(ring), consumer_pos,
> + "producer_pos_mixed_cb");
> +
> + err = ring_buffer__consume_n(ringbuf, 0);
> + ASSERT_EQ(err, -EINVAL, "ringbuf_consume_zero_mixed_cb");
> + err = ring_buffer__consume(ringbuf);
> + ASSERT_EQ(err, -EINVAL, "ringbuf_consume_mixed_cb");
> + err = ring_buffer__poll(ringbuf, 0);
> + ASSERT_EQ(err, -EINVAL, "ringbuf_poll_mixed_cb");
> + ASSERT_EQ(ring__consumer_pos(ring), consumer_pos,
> + "consumer_pos_mixed_cb");
> +
> + ring_buffer__free(ringbuf);
> + ringbuf =
> + ring_buffer__new(skel_n->maps.ringbuf.map_fd, NULL, NULL, NULL);
> + if (!ASSERT_OK_PTR(ringbuf, "ring_buffer__new_no_cb"))
> + goto cleanup_fd;
> +
> + ring = ring_buffer__ring(ringbuf, 0);
> + if (!ASSERT_OK_PTR(ring, "ring_buffer__ring_no_cb"))
> + goto cleanup_ringbuf;
> + consumer_pos = ring__consumer_pos(ring);
> +
> + err = ring_buffer__consume_n(ringbuf, 0);
> + ASSERT_EQ(err, -EINVAL, "ringbuf_consume_zero_no_cb");
> + err = ring__consume_n(ring, 0);
> + ASSERT_EQ(err, -EINVAL, "ring_consume_zero_no_cb");
> + err = ring__consume(ring);
> + ASSERT_EQ(err, -EINVAL, "ring_consume_no_cb");
> + ASSERT_EQ(ring__consumer_pos(ring), consumer_pos, "consumer_pos_no_cb");
> +
> +cleanup_ringbuf:
> + ring_buffer__free(ringbuf);
> +cleanup_fd:
> + close(no_cb_map_fd);
> +cleanup:
> + test_ringbuf_n_lskel__destroy(skel_n);
> +}
> +
> static void ringbuf_n_subtest(void)
> {
> struct test_ringbuf_n_lskel *skel_n;
> @@ -579,6 +670,8 @@ void test_ringbuf(void)
> ringbuf_subtest();
> if (test__start_subtest("ringbuf_n"))
> ringbuf_n_subtest();
> + if (test__start_subtest("ringbuf_null_cb"))
> + ringbuf_null_cb_subtest();
> if (test__start_subtest("ringbuf_map_key"))
> ringbuf_map_key_subtest();
> if (test__start_subtest("ringbuf_write"))
next prev parent reply other threads:[~2026-06-17 0:44 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-14 1:48 [PATCH bpf 0/6] libbpf: Fix ring buffer consumption Tamir Duberstein
2026-06-14 1:48 ` [PATCH bpf 1/6] libbpf: ringbuf: Honor zero consume bounds Tamir Duberstein
2026-06-17 0:35 ` Emil Tsalapatis
2026-06-14 1:48 ` [PATCH bpf 2/6] libbpf: ringbuf: Prevent NULL callback crash Tamir Duberstein
2026-06-17 0:44 ` Emil Tsalapatis [this message]
2026-06-14 1:48 ` [PATCH bpf 3/6] libbpf: ringbuf: Handle position counter wrap Tamir Duberstein
2026-06-14 2:05 ` sashiko-bot
2026-06-17 1:19 ` Emil Tsalapatis
2026-06-14 1:48 ` [PATCH bpf 4/6] libbpf: ringbuf: Use compiler atomics Tamir Duberstein
2026-06-14 1:59 ` sashiko-bot
2026-06-17 1:30 ` Emil Tsalapatis
2026-06-14 1:48 ` [PATCH bpf 5/6] libbpf: ringbuf: Prevent missed wakeups Tamir Duberstein
2026-06-14 1:57 ` sashiko-bot
2026-06-14 1:48 ` [PATCH bpf 6/6] libbpf: ringbuf: Reject overwrite callback use Tamir Duberstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJAWPR7RA9VX.2LHJ0V3EVGR7S@etsalapatis.com \
--to=emil@etsalapatis.com \
--cc=andrea.righi@canonical.com \
--cc=andrii@kernel.org \
--cc=andriin@fb.com \
--cc=arighi@nvidia.com \
--cc=ast@kernel.org \
--cc=awerner32@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=tamird@kernel.org \
--cc=xukuohai@huawei.com \
--cc=yonghong.song@linux.dev \
--cc=zeffron@riotgames.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox