Re: [PATCH bpf-next v2] bpf: Clear rb node linkage when freeing bpf_rb_root

Next message: Gregory Price: "[PATCH v4 3/9] mm/memory_hotplug: export mhp_get_default_online_type"
Previous message: Gregory Price: "[PATCH v4 1/9] mm/memory: add memory_block_aligned_range() helper"
In reply to: bot+bpf-ci: "Re: [PATCH bpf-next v2] bpf: Clear rb node linkage when freeing bpf_rb_root"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Fri Jun 05 2026 - 17:21:18 EST

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@xxxxxxxxxx>:

On Fri, 5 Jun 2026 17:41:43 +0800 you wrote:
> From: Kaitao Cheng <chengkaitao@xxxxxxxxxx>
>
> bpf_rb_root_free() detaches the root by copying the current rb_root_cached
> and then replacing the live root with RB_ROOT_CACHED. It then walks the
> copied root and drops each object contained in the tree.
>
> This leaves the rb node state intact while dropping the object. If the
> object is refcounted and survives the drop, its bpf_rb_node_kern still
> contains an owner pointer to the freed root and stale rb tree linkage. If
> a later bpf_rb_root allocation reuses the same address, bpf_rbtree_remove()
> can incorrectly pass the owner check and call rb_erase_cached() on a node
> whose rb pointers belong to the old tree.
>
> [...]

Here is the summary with links:
- [bpf-next,v2] bpf: Clear rb node linkage when freeing bpf_rb_root
https://git.kernel.org/bpf/bpf-next/c/4a7910ee060d

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html