From: Martin KaFai Lau <martin.lau@linux.dev>
To: Amery Hung <ameryhung@gmail.com>
Cc: netdev@vger.kernel.org, alexei.starovoitov@gmail.com,
andrii@kernel.org, daniel@iogearbox.net, tj@kernel.org,
martin.lau@kernel.org, kernel-team@meta.com, bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v5 3/7] bpf: Pin associated struct_ops when registering async callback
Date: Thu, 6 Nov 2025 11:37:52 -0800 [thread overview]
Message-ID: <84012d65-e0aa-462f-b62d-14f6ea07e1df@linux.dev> (raw)
In-Reply-To: <CAMB2axPayfZOZnGK83eWxYTg9k0uno_y87_0ePE_FD6V+4tnfA@mail.gmail.com>
On 11/6/25 9:57 AM, Amery Hung wrote:
> On Wed, Nov 5, 2025 at 6:13 PM Martin KaFai Lau <martin.lau@linux.dev> wrote:
>>
>> On 11/4/25 9:26 AM, Amery Hung wrote:
>>> Take a refcount of the associated struct_ops map to prevent the map from
>>> being freed when an async callback scheduled from a struct_ops program
>>> runs.
>>>
>>> Since struct_ops programs do not take refcounts on the struct_ops map,
>>> it is possible for a struct_ops map to be freed when an async callback
>>> scheduled from it runs. To prevent this, take a refcount on prog->aux->
>>> st_ops_assoc and save it in a newly created struct bpf_async_res for
>>> every async mechanism. The reference needs to be preserved in
>>> bpf_async_res since prog->aux->st_ops_assoc can be poisoned anytime
>>> and reference leak could happen.
>>>
>>> bpf_async_res will contain a async callback's BPF program and resources
>>> related to the BPF program. The resources will be acquired when
>>> registering a callback and released when cancelled or when the map
>>> associated with the callback is freed.
>>>
>>> Also rename drop_prog_refcnt to bpf_async_cb_reset to better reflect
>>> what it now does.
>>>
>>
>> [ ... ]
>>
>>> +static int bpf_async_res_get(struct bpf_async_res *res, struct bpf_prog *prog)
>>> +{
>>> + struct bpf_map *st_ops_assoc = NULL;
>>> + int err;
>>> +
>>> + prog = bpf_prog_inc_not_zero(prog);
>>> + if (IS_ERR(prog))
>>> + return PTR_ERR(prog);
>>> +
>>> + st_ops_assoc = READ_ONCE(prog->aux->st_ops_assoc);
>>> + if (prog->type == BPF_PROG_TYPE_STRUCT_OPS &&
>>> + st_ops_assoc && st_ops_assoc != BPF_PTR_POISON) {
>>> + st_ops_assoc = bpf_map_inc_not_zero(st_ops_assoc);
>>
>> The READ_ONCE and inc_not_zero is an unusual combo. Should it be
>> rcu_dereference and prog->aux->st_ops_assoc should be "__rcu" tagged?
>>
>
> Understood the underlying struct_ops map is protected by RCU, but
> prog->aux->st_ops_assoc is not protected by RCU and can change
> anytime.
hmm... at least for BPF_PROG_TYPE_STRUCT_OPS, the struct_ops map refcnt
is not taken in patch 2. The prog->aux->st_ops_assoc can be used is
because of the rcu gp.
Another thing I am likely missing is, the refcnted st_ops_assoc is saved
in res->st_ops_assoc. If I read it correctly, the kfunc is using
bpf_prog_get_assoc_struct_ops() which is reading from
[prog->]aux->st_ops_assoc instead of the saved res->st_ops_assoc. Can
the aux->st_ops_assoc be pointing to another struct_ops map different
from res->st_ops_assoc?
next prev parent reply other threads:[~2025-11-06 19:38 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-04 17:26 [PATCH bpf-next v5 0/7] Support associating BPF programs with struct_ops Amery Hung
2025-11-04 17:26 ` [PATCH bpf-next v5 1/7] bpf: Allow verifier to fixup kernel module kfuncs Amery Hung
2025-11-04 17:26 ` [PATCH bpf-next v5 2/7] bpf: Support associating BPF program with struct_ops Amery Hung
2025-11-04 17:54 ` bot+bpf-ci
2025-11-04 18:03 ` Amery Hung
2025-11-04 21:59 ` Song Liu
2025-11-04 23:26 ` Amery Hung
2025-11-04 22:47 ` Andrii Nakryiko
2025-11-04 23:27 ` Amery Hung
2025-11-06 0:57 ` Martin KaFai Lau
2025-11-06 1:01 ` Amery Hung
2025-11-06 2:17 ` Martin KaFai Lau
2025-11-04 17:26 ` [PATCH bpf-next v5 3/7] bpf: Pin associated struct_ops when registering async callback Amery Hung
2025-11-04 18:03 ` bot+bpf-ci
2025-11-04 18:10 ` Amery Hung
2025-11-04 23:20 ` Andrii Nakryiko
2025-11-05 23:03 ` Amery Hung
2025-11-06 16:54 ` Andrii Nakryiko
2025-11-06 2:13 ` Martin KaFai Lau
2025-11-06 17:57 ` Amery Hung
2025-11-06 19:37 ` Martin KaFai Lau [this message]
2025-11-04 17:26 ` [PATCH bpf-next v5 4/7] libbpf: Add support for associating BPF program with struct_ops Amery Hung
2025-11-04 17:54 ` bot+bpf-ci
2025-11-04 23:27 ` Andrii Nakryiko
2025-11-04 23:26 ` Andrii Nakryiko
2025-11-04 23:39 ` Amery Hung
2025-11-05 0:46 ` Andrii Nakryiko
2025-11-04 17:26 ` [PATCH bpf-next v5 5/7] selftests/bpf: Test BPF_PROG_ASSOC_STRUCT_OPS command Amery Hung
2025-11-04 17:26 ` [PATCH bpf-next v5 6/7] selftests/bpf: Test ambiguous associated struct_ops Amery Hung
2025-11-04 17:26 ` [PATCH bpf-next v5 7/7] selftests/bpf: Test getting associated struct_ops in timer callback Amery Hung
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=84012d65-e0aa-462f-b62d-14f6ea07e1df@linux.dev \
--to=martin.lau@linux.dev \
--cc=alexei.starovoitov@gmail.com \
--cc=ameryhung@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@meta.com \
--cc=martin.lau@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).