On 22/1/25 10:28, Tengda Wu wrote: > There are two bpf_link__destroy(freplace_link) calls in > test_tailcall_bpf2bpf_freplace(). After the first bpf_link__destroy() > is called, if the following bpf_map_{update,delete}_elem() throws an > exception, it will jump to the "out" label and call bpf_link__destroy() > again, causing double free and eventually leading to a segfault. > > Fix it by directly resetting freplace_link to NULL after the first > bpf_link__destroy() call. > > Fixes: 021611d33e78 ("selftests/bpf: Add test to verify tailcall and freplace restrictions") > Signed-off-by: Tengda Wu <wutengda@xxxxxxxxxxxxxxx> > --- > tools/testing/selftests/bpf/prog_tests/tailcalls.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tools/testing/selftests/bpf/prog_tests/tailcalls.c b/tools/testing/selftests/bpf/prog_tests/tailcalls.c > index 544144620ca6..a12fa0521ccc 100644 > --- a/tools/testing/selftests/bpf/prog_tests/tailcalls.c > +++ b/tools/testing/selftests/bpf/prog_tests/tailcalls.c > @@ -1602,6 +1602,7 @@ static void test_tailcall_bpf2bpf_freplace(void) > err = bpf_link__destroy(freplace_link); > if (!ASSERT_OK(err, "destroy link")) > goto out; > + freplace_link = NULL; > > /* OK to update prog_array map then delete element from the map. */ > LGTM. Reviewed-by: Leon Hwang <leon.hwang@xxxxxxxxx>