Skip to content

bpf/verifier: Expand the usage scenarios of bpf_kptr_xchg #10934

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kernel-patches-daemon-bpf wants to merge 3 commits into
base: bpf-next_base
Choose a base branch
from
Open

bpf/verifier: Expand the usage scenarios of bpf_kptr_xchg #10934

kernel-patches-daemon-bpf wants to merge 3 commits into from
+182 −2

Conversation

@kernel-patches-daemon-bpf
Copy link

@kernel-patches-daemon-bpf kernel-patches-daemon-bpf bot commented Feb 3, 2026

Pull request for series with
subject: bpf/verifier: Expand the usage scenarios of bpf_kptr_xchg
version: 5
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1050033

@kernel-patches-daemon-bpf
Copy link
Author

kernel-patches-daemon-bpf bot commented Feb 3, 2026

Upstream branch: 6b95cc5
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1050033
version: 5

@kernel-patches-daemon-bpf
Copy link
Author

kernel-patches-daemon-bpf bot commented Feb 3, 2026

Upstream branch: d95d76a
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1050033
version: 5

@kernel-patches-review-bot
Copy link

kernel-patches-review-bot bot commented Feb 3, 2026 

commit 89b3aab8a7985a61534c13aa011a3919a16cb6c6
Author: Chengkaitao Com <[email protected]>

bpf/verifier: allow using bpf_kptr_xchg even if the NON_OWN_REF flag is set

This patch allows bpf_kptr_xchg to operate on __kptr fields within rbtree
nodes obtained via bpf_rbtree_left/right traversal (NON_OWN_REF pointers),
avoiding the need to remove and re-add nodes just to access their kptrs.

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 2dd860ae12..bb45fa5612 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -9300,7 +9300,8 @@ static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE }
>  static const struct bpf_reg_types kptr_xchg_dest_types = {
>  	.types = {
>  		PTR_TO_MAP_VALUE,
> -		PTR_TO_BTF_ID | MEM_ALLOC
> +		PTR_TO_BTF_ID | MEM_ALLOC,
> +		PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF
>  	}
>  };

Is the MEM_RCU variant also needed here?

When ref_set_non_owning() marks a register as NON_OWN_REF, it also adds
MEM_RCU if the node has a bpf_refcount field (refcount_off >= 0):

    reg->type |= NON_OWN_REF;
    if (rec->refcount_off >= 0)
        reg->type |= MEM_RCU;

This means rbtree nodes with both a __kptr field and a bpf_refcount field
would have type PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF | MEM_RCU, which
won't match any entry in kptr_xchg_dest_types.

Should this also add:

    PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF | MEM_RCU

to handle that case?

> @@ -9460,6 +9461,7 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
>  	}
>  	case PTR_TO_BTF_ID | MEM_ALLOC:
>  	case PTR_TO_BTF_ID | MEM_PERCPU | MEM_ALLOC:
> +	case PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF:
>  		if (meta->func_id != BPF_FUNC_spin_lock && meta->func_id != BPF_FUNC_spin_unlock &&
>  		    meta->func_id != BPF_FUNC_kptr_xchg) {

Similarly, does this switch need a case for the MEM_RCU variant?

AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

In-Reply-To-Subject: bpf/verifier: allow using bpf_kptr_xchg even if the NON_OWN_REF flag is set
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21614799102

AI-authorship-score: low
AI-authorship-explanation: The commit addresses a specific practical problem with minimal targeted changes, showing domain expertise typical of human kernel developers rather than AI-generated comprehensive solutions.
issues-found: 1
issue-severity-score: low
issue-severity-explanation: Missing MEM_RCU variant may prevent bpf_kptr_xchg on refcounted rbtree nodes, but this affects only a subset of use cases and causes verifier rejection rather than runtime issues.

@kernel-patches-daemon-bpf
Copy link
Author

kernel-patches-daemon-bpf bot commented Feb 3, 2026

Forwarding comment 3838760901 via email
In-Reply-To: [email protected]
Patch: https://patchwork.kernel.org/project/netdevbpf/patch/[email protected]/

@kernel-patches-daemon-bpf
Copy link
Author

kernel-patches-daemon-bpf bot commented Feb 3, 2026

Upstream branch: f941479
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1050033
version: 5

@kernel-patches-daemon-bpf
Copy link
Author

kernel-patches-daemon-bpf bot commented Feb 3, 2026

Upstream branch: f11f7cf
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1050033
version: 5

Chengkaitao Com added 3 commits February 3, 2026 17:06
bpf/verifier: allow calling bpf_kptr_xchg while holding a lock
ec27f0d 
For the following scenario:
struct tree_node {
    struct bpf_rb_node node;
    struct request __kptr *req;
    u64 key;
};
struct bpf_rb_root tree_root __contains(tree_node, node);
struct bpf_spin_lock tree_lock;

If we need to traverse all nodes in the rbtree, retrieve the __kptr
pointer from each node, and read kernel data from the referenced
object, using bpf_kptr_xchg appears unavoidable.

This patch skips the BPF verifier checks for bpf_kptr_xchg when
called while holding a lock.

Signed-off-by: Chengkaitao Com <[email protected]>
bpf/verifier: allow using bpf_kptr_xchg even if the NON_OWN_REF flag …
2e76f77 
…is set

When traversing an rbtree using bpf_rbtree_left/right, if bpf_kptr_xchg
is used to access the __kptr pointer contained in a node, it currently
requires first removing the node with bpf_rbtree_remove and clearing the
NON_OWN_REF flag, then re-adding the node to the original rbtree with
bpf_rbtree_add after usage. This process significantly degrades rbtree
traversal performance. The patch enables accessing __kptr pointers with
the NON_OWN_REF flag set while holding the lock, eliminating the need
for this remove-read-readd sequence.

Signed-off-by: Chengkaitao Com <[email protected]>
Signed-off-by: Feng Yang <[email protected]>
selftests/bpf: Add supplementary tests for bpf_kptr_xchg
01fd567 
1. Allow using bpf_kptr_xchg while holding a lock.
2. When the rb_node contains a __kptr pointer, we do not need to
   perform a remove-read-add operation.

This patch implements the following workflow:
1. Construct a rbtree with 16 elements.
2. Traverse the rbtree, locate the kptr pointer in the target node,
   and read the content pointed to by the pointer.
3. Remove all nodes from the rbtree.

Signed-off-by: Chengkaitao Com <[email protected]>
Signed-off-by: Feng Yang <[email protected]>
@kernel-patches-daemon-bpf
Copy link
Author

kernel-patches-daemon-bpf bot commented Feb 4, 2026

Upstream branch: b28dac3
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1050033
version: 5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bpf-next new V5-ci-fail V5

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants