| Message ID | 20250122022838.1079157-1-wutengda@huaweicloud.com (mailing list archive) |
|---|---|
| State | New |
| Delegated to: | BPF |
| Headers | show |
| Series | [bpf,v2] selftests/bpf: Fix freplace_link segfault in tailcalls prog test | expand |
On 22/1/25 10:28, Tengda Wu wrote: > There are two bpf_link__destroy(freplace_link) calls in > test_tailcall_bpf2bpf_freplace(). After the first bpf_link__destroy() > is called, if the following bpf_map_{update,delete}_elem() throws an > exception, it will jump to the "out" label and call bpf_link__destroy() > again, causing double free and eventually leading to a segfault. > > Fix it by directly resetting freplace_link to NULL after the first > bpf_link__destroy() call. > > Fixes: 021611d33e78 ("selftests/bpf: Add test to verify tailcall and freplace restrictions") > Signed-off-by: Tengda Wu <wutengda@huaweicloud.com> > --- > tools/testing/selftests/bpf/prog_tests/tailcalls.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tools/testing/selftests/bpf/prog_tests/tailcalls.c b/tools/testing/selftests/bpf/prog_tests/tailcalls.c > index 544144620ca6..a12fa0521ccc 100644 > --- a/tools/testing/selftests/bpf/prog_tests/tailcalls.c > +++ b/tools/testing/selftests/bpf/prog_tests/tailcalls.c > @@ -1602,6 +1602,7 @@ static void test_tailcall_bpf2bpf_freplace(void) > err = bpf_link__destroy(freplace_link); > if (!ASSERT_OK(err, "destroy link")) > goto out; > + freplace_link = NULL; > > /* OK to update prog_array map then delete element from the map. */ > LGTM. Reviewed-by: Leon Hwang <leon.hwang@linux.dev>
diff --git a/tools/testing/selftests/bpf/prog_tests/tailcalls.c b/tools/testing/selftests/bpf/prog_tests/tailcalls.c index 544144620ca6..a12fa0521ccc 100644 --- a/tools/testing/selftests/bpf/prog_tests/tailcalls.c +++ b/tools/testing/selftests/bpf/prog_tests/tailcalls.c @@ -1602,6 +1602,7 @@ static void test_tailcall_bpf2bpf_freplace(void) err = bpf_link__destroy(freplace_link); if (!ASSERT_OK(err, "destroy link")) goto out; + freplace_link = NULL; /* OK to update prog_array map then delete element from the map. */
There are two bpf_link__destroy(freplace_link) calls in test_tailcall_bpf2bpf_freplace(). After the first bpf_link__destroy() is called, if the following bpf_map_{update,delete}_elem() throws an exception, it will jump to the "out" label and call bpf_link__destroy() again, causing double free and eventually leading to a segfault. Fix it by directly resetting freplace_link to NULL after the first bpf_link__destroy() call. Fixes: 021611d33e78 ("selftests/bpf: Add test to verify tailcall and freplace restrictions") Signed-off-by: Tengda Wu <wutengda@huaweicloud.com> --- tools/testing/selftests/bpf/prog_tests/tailcalls.c | 1 + 1 file changed, 1 insertion(+)