Re: [PATCH bpf-next v4 2/2] selftests/bpf: Cover refcount acquire node offsets
From: Emil Tsalapatis
Date: Tue Jun 23 2026 - 17:51:05 EST
On Tue Jun 23, 2026 at 2:11 AM EDT, Yiyang Chen wrote:
> Add regression coverage for bpf_refcount_acquire() on graph-node-derived
> pointers.
>
> The rejected case passes a popped list node pointer directly to
> bpf_refcount_acquire(), which must fail because the pointer carries a
> non-zero fixed offset.
>
> Signed-off-by: Yiyang Chen <chenyy23@xxxxxxxxxxxxxxxxxxxxx>
Reviewed-by: Emil Tsalapatis <emil@xxxxxxxxxxxxxxx>
> ---
> .../bpf/progs/refcounted_kptr_fail.c | 34 +++++++++++++++++++
> 1 file changed, 34 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c b/tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c
> index 7247a20c0..024ef2aae 100644
> --- a/tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c
> +++ b/tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c
> @@ -13,12 +13,20 @@ struct node_acquire {
> struct bpf_refcount refcount;
> };
>
> +struct node_refcounted {
> + long key;
> + struct bpf_list_node list;
> + struct bpf_refcount refcount;
> +};
> +
> extern void bpf_rcu_read_lock(void) __ksym;
> extern void bpf_rcu_read_unlock(void) __ksym;
>
> #define private(name) SEC(".data." #name) __hidden __attribute__((aligned(8)))
> private(A) struct bpf_spin_lock glock;
> private(A) struct bpf_rb_root groot __contains(node_acquire, node);
> +private(B) struct bpf_spin_lock lock;
> +private(B) struct bpf_list_head head __contains(node_refcounted, list);
>
> static bool less(struct bpf_rb_node *a, const struct bpf_rb_node *b)
> {
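Review bot: `struct node_refcounted` depends on `key` being declared before `list`, so that the popped `bpf_list_node` pointer sits at a non-zero offset from the object base, but nothing in the struct says the field order is load-bearing. If a later cleanup moved `list` to the front, the new test would no longer exercise the non-zero-offset path that the commit message describes. I would add a comment on the struct such as `/* key must stay ahead of list: the test needs list at a non-zero offset */`. As a smaller style point, the new globals `lock` and `head` are more generic than the existing `glock` and `groot` beside them, and names tied to the list test would read better in a file that already has several lock/root pairs.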
> @@ -93,6 +101,32 @@ long rbtree_refcounted_node_ref_escapes_owning_input(void *ctx)
> return 0;
> }
>
> +SEC("?tc")
> +__failure __msg("dereference of modified ptr_ ptr R1")
> +long refcount_acquire_list_node_offset(void *ctx)
> +{
> + struct node_refcounted *node, *base, *ref;
> + struct bpf_list_node *list_node;
> +
> + node = bpf_obj_new(typeof(*node));
> + if (!node)
> + return 1;
> +
> + bpf_spin_lock(&lock);
> + bpf_list_push_front(&head, &node->list);
> + list_node = bpf_list_pop_front(&head);
> + bpf_spin_unlock(&lock);
> + if (!list_node)
> + return 2;
> +
> + base = container_of(list_node, struct node_refcounted, list);
> + ref = bpf_refcount_acquire(list_node);
> + if (ref)
> + bpf_obj_drop(ref);
> + bpf_obj_drop(base);
> + return 0;
> +}
> +
> SEC("?fentry.s/" SYS_PREFIX "sys_getpgid")
> __failure __msg("function calls are not allowed while holding a lock")
> int BPF_PROG(rbtree_fail_sleepable_lock_across_rcu,
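Review bot: `refcount_acquire_list_node_offset` carries no comment saying which call the verifier is expected to reject. The `__msg` string only names R1, so a reader has to infer that the rejection should come from `bpf_refcount_acquire(list_node)`, where `list_node` points at the `list` member rather than at the start of the object. A short comment above the function would pin this down, e.g. `/* list_node points at node->list, not the object base; bpf_refcount_acquire() must reject the offset pointer */`. The diffstat lists only this failure file, so it may also be worth confirming that an accepted counterpart (acquire on the `container_of()` result `base`) is covered elsewhere, so that the pair shows the check rejects the offset pointer without over-rejecting the base pointer.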