Re: [PATCH bpf-next v8 6/8] bpf: allow bpf_list_front/back result as the prev argument of bpf_list_add_impl
From: Alexei Starovoitov
Date: Mon Mar 16 2026 - 10:32:00 EST
On Mon, Mar 16, 2026 at 4:29 AM Chengkaitao <pilgrimtao@xxxxxxxxx> wrote:
>
> From: Kaitao Cheng <chengkaitao@xxxxxxxxxx>
>
> KF_ARG_PTR_TO_LIST_NODE normally requires an owning reference
> (PTR_TO_BTF_ID | MEM_ALLOC and ref_obj_id). For bpf_list_add_impl's
> third argument (prev), allow a non-owning reference with ref_obj_id==0
> so that the result of bpf_list_front() or bpf_list_back() can be passed
> as the insertion point. When prev is such a non-owning ref, skip the
> MEM_ALLOC/ref_obj_id checks and jump to the shared list-node processing.
> Owning refs (e.g. from pop + refcount_acquire) still pass the existing
> checks and reach the same label.
>
> Signed-off-by: Kaitao Cheng <chengkaitao@xxxxxxxxxx>
> ---
> kernel/bpf/verifier.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 98ddb370feb5..0a6f2e6a5d28 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -13737,6 +13737,14 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> return ret;
> break;
> case KF_ARG_PTR_TO_LIST_NODE:
> + if (meta->func_id == special_kfunc_list[KF_bpf_list_add_impl]
> + && i == 2 && type_is_non_owning_ref(reg->type)
> + && !reg->ref_obj_id) {
> + /* Allow bpf_list_front/back return value as
> + * list_add_impl's third arg (R3).
> + */
> + goto check_ok;
> + }
This is too specific and non scalable.
Another kfunc with similar requirements would need a separate 'if'
with func_id == new_kfunc and potentially different 'i == N'.
Let's introduce a new double underscore suffix for this
or some other way.
pw-bot: cr