On Fri, Nov 01, 2024 at 10:38:31AM +0800, mrpre wrote: ...
> diff --git a/net/core/sock_map.c b/net/core/sock_map.c
> index 07d6aa4e39ef..36e9787c60de 100644
> --- a/net/core/sock_map.c
> +++ b/net/core/sock_map.c
> @@ -465,7 +465,7 @@ static int sock_map_get_next_key(struct bpf_map *map, void *key, void *next)
> }
>
> static int sock_map_update_common(struct bpf_map *map, u32 idx,
> - struct sock *sk, u64 flags)
> + struct sock *sk, u64 flags, s32 target_cpu)
> {
> struct bpf_stab *stab = container_of(map, struct bpf_stab, map);
> struct sk_psock_link *link;
> @@ -490,6 +490,8 @@ static int sock_map_update_common(struct bpf_map *map, u32 idx,
> psock = sk_psock(sk);
> WARN_ON_ONCE(!psock);
>
> + psock->target_cpu = target_cpu;
> +
> spin_lock_bh(&stab->lock);
> osk = stab->sks[idx];
> if (osk && flags == BPF_NOEXIST) {
Hi Jiayuan Chen, The code immediately following the hunk above is: ret = -EEXIST; goto out_unlock; } else if (!osk && flags == BPF_EXIST) { ret = -ENOENT; goto out_unlock; } And it seems that these gotos are the only code paths that lead to out_unlock, which looks like this: out_unlock: spin_unlock_bh(&stab->lock); if (psock) sk_psock_put(sk, psock); out_free: sk_psock_free_link(link); return ret; } As you can see, the code under out_unlock expects that psock may be NULL. But the code added to this function by your patch dereferences it unconditionally. This seems inconsistent. Flagged by Smatch. ...
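Review bot: The added `psock->target_cpu = target_cpu;` in the second hunk runs before `spin_lock_bh(&stab->lock)` and before the `BPF_NOEXIST` check, so an update that is then rejected has still overwritten the psock's target CPU. If the psock can already be in use through another map entry (not visible here), a failed call would change live state, and the write happens outside the lock taken for the rest of the update. Consider moving the assignment below the flag checks so it runs only on the success path. The hunks also show no range check on the new `s32 target_cpu` parameter; it is worth confirming that callers reject values that are not a valid CPU before the value is stored. The body of sock_map_update_common continues outside the hunk.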