selftests/bpf: Test getting associated struct_ops in timer callback

Make sure 1) a timer callback can also reference the associated
struct_ops, and then make sure 2) the timer callback cannot get a
dangled pointer to the struct_ops when the map is freed.

The test schedules a timer callback from a struct_ops program since
struct_ops programs do not pin the map. It is possible for the timer
callback to run after the map is freed. The timer callback calls a
kfunc that runs .test_1() of the associated struct_ops, which should
return MAP_MAGIC when the map is still alive or -1 when the map is
gone.

The first subtest added in this patch schedules the timer callback to
run immediately, while the map is still alive. The second subtest added
schedules the callback to run 500ms after syscall_prog runs and then
frees the map right after syscall_prog runs. Both subtests then wait
until the callback runs to check the return of the kfunc.

Signed-off-by: Amery Hung <ameryhung@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20251203233748.668365-7-ameryhung@gmail.com

diff --git a/tools/testing/selftests/bpf/prog_tests/test_struct_ops_assoc.c b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_assoc.c
index 02173504f675f32b610ec13c4e97013d3debf6d8..461ded72235157bcbefcb5ad465a5de63eb160fe 100644 (file)
--- a/tools/testing/selftests/bpf/prog_tests/test_struct_ops_assoc.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_assoc.c
@@ -3,6 +3,7 @@
 #include <test_progs.h>
 #include "struct_ops_assoc.skel.h"
 #include "struct_ops_assoc_reuse.skel.h"
+#include "struct_ops_assoc_in_timer.skel.h"
 
 static void test_st_ops_assoc(void)
 {
@@ -101,10 +102,90 @@ out:
        struct_ops_assoc_reuse__destroy(skel);
 }
 
+static void test_st_ops_assoc_in_timer(void)
+{
+       struct struct_ops_assoc_in_timer *skel = NULL;
+       int err;
+
+       skel = struct_ops_assoc_in_timer__open_and_load();
+       if (!ASSERT_OK_PTR(skel, "struct_ops_assoc_in_timer__open"))
+               goto out;
+
+       err = bpf_program__assoc_struct_ops(skel->progs.syscall_prog,
+                                           skel->maps.st_ops_map, NULL);
+       ASSERT_OK(err, "bpf_program__assoc_struct_ops");
+
+       err = struct_ops_assoc_in_timer__attach(skel);
+       if (!ASSERT_OK(err, "struct_ops_assoc__attach"))
+               goto out;
+
+       /*
+        * Run .test_1 by calling kfunc bpf_kfunc_multi_st_ops_test_1_prog_arg() and checks
+        * the return value. .test_1 will also schedule timer_cb that runs .test_1 again
+        * immediately.
+        */
+       err = bpf_prog_test_run_opts(bpf_program__fd(skel->progs.syscall_prog), NULL);
+       ASSERT_OK(err, "bpf_prog_test_run_opts");
+
+       /* Check the return of the kfunc after timer_cb runs */
+       while (!READ_ONCE(skel->bss->timer_cb_run))
+               sched_yield();
+       ASSERT_EQ(skel->bss->timer_test_1_ret, 1234, "skel->bss->timer_test_1_ret");
+       ASSERT_EQ(skel->bss->test_err, 0, "skel->bss->test_err_a");
+out:
+       struct_ops_assoc_in_timer__destroy(skel);
+}
+
+static void test_st_ops_assoc_in_timer_no_uref(void)
+{
+       struct struct_ops_assoc_in_timer *skel = NULL;
+       struct bpf_link *link;
+       int err;
+
+       skel = struct_ops_assoc_in_timer__open_and_load();
+       if (!ASSERT_OK_PTR(skel, "struct_ops_assoc_in_timer__open"))
+               goto out;
+
+       err = bpf_program__assoc_struct_ops(skel->progs.syscall_prog,
+                                           skel->maps.st_ops_map, NULL);
+       ASSERT_OK(err, "bpf_program__assoc_struct_ops");
+
+       link = bpf_map__attach_struct_ops(skel->maps.st_ops_map);
+       if (!ASSERT_OK_PTR(link, "bpf_map__attach_struct_ops"))
+               goto out;
+
+       /*
+        * Run .test_1 by calling kfunc bpf_kfunc_multi_st_ops_test_1_prog_arg() and checks
+        * the return value. .test_1 will also schedule timer_cb that runs .test_1 again.
+        * timer_cb will run 500ms after syscall_prog runs, when the user space no longer
+        * holds a reference to st_ops_map.
+        */
+       skel->bss->timer_ns = 500000000;
+       err = bpf_prog_test_run_opts(bpf_program__fd(skel->progs.syscall_prog), NULL);
+       ASSERT_OK(err, "bpf_prog_test_run_opts");
+
+       /* Detach and close struct_ops map to cause it to be freed */
+       bpf_link__destroy(link);
+       close(bpf_program__fd(skel->progs.syscall_prog));
+       close(bpf_map__fd(skel->maps.st_ops_map));
+
+       /* Check the return of the kfunc after timer_cb runs */
+       while (!READ_ONCE(skel->bss->timer_cb_run))
+               sched_yield();
+       ASSERT_EQ(skel->bss->timer_test_1_ret, -1, "skel->bss->timer_test_1_ret");
+       ASSERT_EQ(skel->bss->test_err, 0, "skel->bss->test_err_a");
+out:
+       struct_ops_assoc_in_timer__destroy(skel);
+}
+
 void test_struct_ops_assoc(void)
 {
        if (test__start_subtest("st_ops_assoc"))
                test_st_ops_assoc();
        if (test__start_subtest("st_ops_assoc_reuse"))
                test_st_ops_assoc_reuse();
+       if (test__start_subtest("st_ops_assoc_in_timer"))
+               test_st_ops_assoc_in_timer();
+       if (test__start_subtest("st_ops_assoc_in_timer_no_uref"))
+               test_st_ops_assoc_in_timer_no_uref();
 }

diff --git a/tools/testing/selftests/bpf/progs/struct_ops_assoc_in_timer.c b/tools/testing/selftests/bpf/progs/struct_ops_assoc_in_timer.c
new file mode 100644 (file)
index 0000000..d5a2ea9
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/struct_ops_assoc_in_timer.c
@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <vmlinux.h>
+#include <bpf/bpf_tracing.h>
+#include "bpf_misc.h"
+#include "../test_kmods/bpf_testmod.h"
+#include "../test_kmods/bpf_testmod_kfunc.h"
+
+char _license[] SEC("license") = "GPL";
+
+struct elem {
+       struct bpf_timer timer;
+};
+
+struct {
+       __uint(type, BPF_MAP_TYPE_ARRAY);
+       __uint(max_entries, 1);
+       __type(key, int);
+       __type(value, struct elem);
+} array_map SEC(".maps");
+
+#define MAP_MAGIC 1234
+int recur;
+int test_err;
+int timer_ns;
+int timer_test_1_ret;
+int timer_cb_run;
+
+__noinline static int timer_cb(void *map, int *key, struct bpf_timer *timer)
+{
+       struct st_ops_args args = {};
+
+       recur++;
+       timer_test_1_ret = bpf_kfunc_multi_st_ops_test_1_impl(&args, NULL);
+       recur--;
+
+       timer_cb_run++;
+
+       return 0;
+}
+
+SEC("struct_ops")
+int BPF_PROG(test_1, struct st_ops_args *args)
+{
+       struct bpf_timer *timer;
+       int key = 0;
+
+       if (!recur) {
+               timer = bpf_map_lookup_elem(&array_map, &key);
+               if (!timer)
+                       return 0;
+
+               bpf_timer_init(timer, &array_map, 1);
+               bpf_timer_set_callback(timer, timer_cb);
+               bpf_timer_start(timer, timer_ns, 0);
+       }
+
+       return MAP_MAGIC;
+}
+
+SEC("syscall")
+int syscall_prog(void *ctx)
+{
+       struct st_ops_args args = {};
+       int ret;
+
+       ret = bpf_kfunc_multi_st_ops_test_1_impl(&args, NULL);
+       if (ret != MAP_MAGIC)
+               test_err++;
+
+       return 0;
+}
+
+SEC(".struct_ops.link")
+struct bpf_testmod_multi_st_ops st_ops_map = {
+       .test_1 = (void *)test_1,
+};