Re: [PATCH RESEND bpf-next v10 7/8] bpf: allow non-owning list-node args via __nonown_allowed

[Eduard Zingerman]

On Tue, 2026-05-12 at 13:59 +0800, Kaitao cheng wrote:
> From: Kaitao Cheng <chengkaitao@xxxxxxxxxx>
> 
> KF_ARG_PTR_TO_LIST_NODE normally requires an owning reference
> (PTR_TO_BTF_ID | MEM_ALLOC with ref_obj_id). Introduce and use
> the __nonown_allowed annotation on selected list-node arguments
> so non-owning references with ref_obj_id==0 are accepted as well.
> 
> This enables passing bpf_list_front() / bpf_list_back() results to:
> 
> bpf_list_add() as insertion point (prev)
> bpf_list_del() as deletion target (node)
> bpf_list_is_first/last() as query target (node)
> 
> Verifier keeps existing owning-ref checks by default; only arguments
> annotated with __nonown_allowed bypass MEM_ALLOC/ref_obj_id checks
> and then follow the same list-node validation path.
> 
> Signed-off-by: Kaitao Cheng <chengkaitao@xxxxxxxxxx>
> ---

Reviewed-by: Eduard Zingerman <eddyz87@xxxxxxxxx>

[...]

> @@ -12017,6 +12022,13 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
>  				return ret;
>  			break;
>  		case KF_ARG_PTR_TO_LIST_NODE:
> +			if (is_kfunc_arg_nonown_allowed(btf, &args[i]) &&
> +			    type_is_non_owning_ref(reg->type) && !reg->ref_obj_id) {
                                                                 ^^^^^^^^^^^^^^^^
                           Nit: I think this check is redundant, type_is_non_owning_ref() should suffice.

> +				/* Allow bpf_list_front/back return value for
> +				 * __nonown_allowed list-node arguments.
> +				 */
> +				goto check_ok;
> +			}
>  			if (reg->type != (PTR_TO_BTF_ID | MEM_ALLOC)) {
>  				verbose(env, "%s expected pointer to allocated object\n",
>  					reg_arg_name(env, argno));

[...]