selftests/bpf: Add cgroup kptr NMI deadlock reproducer

[kernel-patches-daemon-bpf]

Pull request for series with
subject: selftests/bpf: Add cgroup kptr NMI deadlock reproducer
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1109417

[kernel-patches-daemon-bpf]

Upstream branch: 2e8ad1f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1109417
version: 1

[kernel-patches-review-bot]

commit ab701978928c853126e1a9a64d530023fcbd2002
Author: Justin Suess <utilityemal77@gmail.com>

selftests/bpf: Add cgroup kptr NMI deadlock reproducer

This adds a selftest that stashes a referenced cgroup kptr in a BPF map
and then deletes the map element from NMI context, exercising the path
where bpf_cgroup_release_dtor -> cgroup_put would run inline from an
NMI. The test scans /dev/kmsg after each round and treats
bpf_cgroup_release_dtor appearing in a splat stack as the regressed
behaviour.

> Exercise the path where a cgroup kptr stashed in a BPF map has its
> destructor invoked from NMI context when the map element is freed.
> bpf_cgroup_release_dtor -> cgroup_put can take sleeping/spinning paths
> that are unsafe to enter from NMI; the destructor must be deferred
> instead of run inline.
>
> The test stashes a cgroup kptr from a syscall program into a HASH map
> with BPF_F_NO_PREALLOC, then drives map element deletion from a
> tp_btf/nmi_handler program firing on PMU cycle counter NMIs raised on a
> pinned CPU. Each round:
>
>   1. Creates a cgroup and stashes its kptr in the map.
>   2. Removes the cgroup and waits for css_free_rwork_fn to fire for
>      every subsystem CSS (tracked via an fexit program), so the kptr
>      drop hits the window where the bug reproduces.
>   3. Arms the NMI program (gated by an "nr_cgrps" counter) and waits
>      for it to delete the stashed element.
>
> After REPRO_ROUNDS iterations the test scans /dev/kmsg captured from
> the start of the run: bpf_cgroup_release_dtor appearing in any splat
> stack means the destructor ran inline from NMI and the fix has
> regressed. The task variant only proved no hard hang; scanning kmsg
> catches the bug even when the inline path does not actually wedge the
> CPU.
>
> This fails and causes a kernel splat prior to commit a3a81d247651
> ("bpf: Cancel special fields on map value recycle") in bpf-next/master.
>
> Runs on x86 only: relies on PMU cycle counter NMIs and the
> x86-specific nmi_handler tracepoint.
>
> Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
> Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> Signed-off-by: Justin Suess <utilityemal77@gmail.com>

This reproduces a bug where a referenced cgroup kptr stashed in a map
has its destructor run inline from NMI context on map element free.

The eager free of a referenced kptr on map update/delete came in with
commit 14a324f6a67e ("bpf: Wire up freeing of referenced kptr"), which
added bpf_map_free_kptrs() and wired it into the update/delete paths via
check_and_free_fields(). The kernel fix referenced here, a3a81d247651
("bpf: Cancel special fields on map value recycle"), carries that same
Fixes: tag.

Should this reproducer also carry:

  Fixes: 14a324f6a67e ("bpf: Wire up freeing of referenced kptr")

---

AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

In-Reply-To-Subject: selftests/bpf: Add cgroup kptr NMI deadlock reproducer
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27289488363

[kernel-patches-daemon-bpf]

Forwarding comment 4672240385 via email
In-Reply-To: 20260610155225.1221740-1-utilityemal77@gmail.com
Patch: https://patchwork.kernel.org/project/netdevbpf/patch/20260610155225.1221740-1-utilityemal77@gmail.com/

[kernel-patches-daemon-bpf]

Upstream branch: 30dee2c
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1109417
version: 1