Thread (18 messages), 2 authors, 2026-01-27

Re: [RFC PATCH bpf-next v5 10/12] mm/bpf: Add BPF_F_ALLOW_OVERRIDE support for memcg_bpf_ops

From: bot+bpf-ci@kernel.org
Date: 2026-01-27 10:08:28
Also in: bpf, cgroups, linux-kselftest, linux-mm, lkml

diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
index e746eb9cbd56..7cd983e350d7 100644
--- a/mm/bpf_memcontrol.c
+++ b/mm/bpf_memcontrol.c
[ ... ]
static int bpf_memcg_ops_reg(void *kdata, struct bpf_link *link)
{
	struct bpf_struct_ops_link *ops_link
		= container_of(link, struct bpf_struct_ops_link, link);
-	struct memcg_bpf_ops *ops = kdata;
+	struct memcg_bpf_ops *ops = kdata, *old_ops;
	struct mem_cgroup *memcg, *iter = NULL;
	int err = 0;
[ ... ]
+	/* Check for incompatible bpf_ops in descendants. */
	while ((iter = mem_cgroup_iter(memcg, iter, NULL))) {
-		if (READ_ONCE(iter->bpf_ops)) {
-			mem_cgroup_iter_break(memcg, iter);
+		struct memcg_bpf_ops *iter_ops = READ_ONCE(iter->bpf_ops);
+
+		if (iter_ops && iter_ops != old_ops) {
+			/* cannot override existing bpf_ops of sub-cgroup. */
			err = -EBUSY;
-			break;
+			goto unlock_out;
                        ^^^^

It looks like this error path leaks a CSS reference. The original code
called mem_cgroup_iter_break(memcg, iter) before breaking out of the loop,
which releases the CSS reference held on iter. The new code jumps directly
to unlock_out without releasing this reference.

mem_cgroup_iter() acquires a reference on each returned memcg via
css_tryget() in mm/memcontrol.c. When breaking out of the loop early,
mem_cgroup_iter_break() must be called to release that reference.

Should this be:

    if (iter_ops && iter_ops != old_ops) {
        mem_cgroup_iter_break(memcg, iter);
        err = -EBUSY;
        goto unlock_out;
    }
		}
+	}
+
+	while ((iter = mem_cgroup_iter(memcg, iter, NULL))) {
		WRITE_ONCE(iter->bpf_ops, ops);
+		iter->bpf_ops_flags = ops_link->flags;
	}
-	if (err)
-		clean_memcg_bpf_ops(memcg, ops);
+
+unlock_out:
	cgroup_unlock();
[ ... ]
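Review bot: in the second loop, `WRITE_ONCE(iter->bpf_ops, ops);` is followed by a plain store `iter->bpf_ops_flags = ops_link->flags;`. Since bpf_ops is read with READ_ONCE in the first loop (so apparently without a lock that readers share), a reader that observes the new ops pointer can still see stale flags for that cgroup. Consider storing the flags before publishing the pointer, e.g. `WRITE_ONCE(iter->bpf_ops_flags, ops_link->flags);` followed by `WRITE_ONCE(iter->bpf_ops, ops);`, or state in a comment which lock readers of both fields hold. Dropping the old `if (err) clean_memcg_bpf_ops(memcg, ops);` is fine as written, because the -EBUSY path now runs before any assignment.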


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21392729810

AI-authorship-score: low
AI-authorship-explanation: The commit follows standard kernel documentation patterns without distinctive AI markers.
issues-found: 1
issue-severity-score: medium
issue-severity-explanation: CSS reference leak in error path leads to memcg lifetime issues but does not cause immediate system instability.