On Mon, 2026-06-22 at 02:25 +0000, Yiyang Chen wrote:
> Add regression coverage for bpf_refcount_acquire() on graph-node-derived
> pointers.
> 
> The rejected cases pass popped list and rbtree node pointers directly to
> bpf_refcount_acquire(), which must fail because those pointers carry
> non-zero fixed offsets.
> 
> Do not add a positive container_of() case here. Existing refcounted_kptr
> coverage already exercises valid base-pointer acquisitions, and this patch
> only checks the rejected offset forms.

This paragraph is completely unnecessary.

> Fixes: 7c50b1cb76aca ("bpf: Add bpf_refcount_acquire kfunc")

I don't think the fixes tag applies to the test.

> Signed-off-by: Yiyang Chen <[email protected]>
> ---
>  .../bpf/progs/refcounted_kptr_fail.c          | 77 +++++++++++++++++++
>  1 file changed, 77 insertions(+)
> 
> diff --git a/tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c 
> b/tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c
> index 7247a20c0..77cda5ca2 100644
> --- a/tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c
> +++ b/tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c
> @@ -13,12 +13,22 @@ struct node_acquire {
>       struct bpf_refcount refcount;
>  };
>  
> +struct node_refcounted {
> +     long key;
> +     struct bpf_rb_node rb;
> +     struct bpf_list_node list;
> +     struct bpf_refcount refcount;
> +};
> +
>  extern void bpf_rcu_read_lock(void) __ksym;
>  extern void bpf_rcu_read_unlock(void) __ksym;
>  
>  #define private(name) SEC(".data." #name) __hidden 
> __attribute__((aligned(8)))
>  private(A) struct bpf_spin_lock glock;
>  private(A) struct bpf_rb_root groot __contains(node_acquire, node);
> +private(B) struct bpf_spin_lock lock;
> +private(B) struct bpf_rb_root root __contains(node_refcounted, rb);
> +private(B) struct bpf_list_head head __contains(node_refcounted, list);
>  
>  static bool less(struct bpf_rb_node *a, const struct bpf_rb_node *b)
>  {
> @@ -31,6 +41,17 @@ static bool less(struct bpf_rb_node *a, const struct 
> bpf_rb_node *b)
>       return node_a->key < node_b->key;
>  }
>  
> +static bool less_refcounted(struct bpf_rb_node *a, const struct bpf_rb_node 
> *b)
> +{
> +     struct node_refcounted *node_a;
> +     struct node_refcounted *node_b;
> +
> +     node_a = container_of(a, struct node_refcounted, rb);
> +     node_b = container_of(b, struct node_refcounted, rb);
> +
> +     return node_a->key < node_b->key;
> +}
> +
>  SEC("?tc")
>  __failure __msg("Unreleased reference id=4 alloc_insn={{[0-9]+}}")
>  long rbtree_refcounted_node_ref_escapes(void *ctx)
> @@ -93,6 +114,62 @@ long rbtree_refcounted_node_ref_escapes_owning_input(void 
> *ctx)
>       return 0;
>  }
>  
> +SEC("?tc")
> +__failure __msg("dereference of modified ptr_ ptr R1")
> +long refcount_acquire_list_node_offset(void *ctx)
> +{
> +     struct node_refcounted *node, *base, *ref;
> +     struct bpf_list_node *list_node;
> +
> +     node = bpf_obj_new(typeof(*node));
> +     if (!node)
> +             return 1;
> +
> +     bpf_spin_lock(&lock);
> +     bpf_list_push_front(&head, &node->list);
> +     list_node = bpf_list_pop_front(&head);
> +     bpf_spin_unlock(&lock);
> +     if (!list_node)
> +             return 2;
> +
> +     base = container_of(list_node, struct node_refcounted, list);
> +     ref = bpf_refcount_acquire(list_node);
> +     if (ref)
> +             bpf_obj_drop(ref);
> +     bpf_obj_drop(base);
> +     return 0;
> +}
> +
> +SEC("?tc")
> +__failure __msg("dereference of modified ptr_ ptr R1")
> +long refcount_acquire_rbtree_node_offset(void *ctx)

Why is this test necessary? Does it exercise any paths that the
previous one does not check?

> +{
> +     struct node_refcounted *node, *base, *ref;
> +     struct bpf_rb_node *rb_node;
> +
> +     node = bpf_obj_new(typeof(*node));
> +     if (!node)
> +             return 1;
> +
> +     node->key = 1;
> +
> +     bpf_spin_lock(&lock);
> +     bpf_rbtree_add(&root, &node->rb, less_refcounted);
> +     rb_node = bpf_rbtree_first(&root);
> +     if (rb_node)
> +             rb_node = bpf_rbtree_remove(&root, rb_node);
> +     bpf_spin_unlock(&lock);
> +     if (!rb_node)
> +             return 2;
> +
> +     base = container_of(rb_node, struct node_refcounted, rb);
> +     ref = bpf_refcount_acquire(rb_node);
> +     if (ref)
> +             bpf_obj_drop(ref);
> +     bpf_obj_drop(base);
> +     return 0;
> +}
> +
>  SEC("?fentry.s/" SYS_PREFIX "sys_getpgid")
>  __failure __msg("function calls are not allowed while holding a lock")
>  int BPF_PROG(rbtree_fail_sleepable_lock_across_rcu,
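Review bot: The call `ref = bpf_refcount_acquire(list_node);` in refcount_acquire_list_node_offset reads like a slip, because `base` is derived with container_of() on the line just above it and is the pointer a correct program would pass; the intent of passing the embedded node so the verifier sees a non-zero fixed offset is stated only in the commit message. A one-line comment above the call would stop a later cleanup from "fixing" it, e.g. `/* Deliberately pass the embedded node, not base: the verifier must reject the non-zero fixed offset. */`. The same applies to `ref = bpf_refcount_acquire(rb_node);` in refcount_acquire_rbtree_node_offset. The trailing `bpf_obj_drop()` calls appear to exist only so the program is otherwise well-formed, since verification is expected to stop at the acquire; that is worth saying in the same comment.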
