1. Patchew
  2. linux
  3. [PATCH v5 0/3] bpf/verifier: Expand the usage scenarios of bpf_kptr_xchg
  4. View patch

[PATCH v5 2/3] bpf/verifier: allow using bpf_kptr_xchg even if the NON_OWN_REF flag is set

Chengkaitao posted 3 patches 4 days, 2 hours ago
[PATCH v5 2/3] bpf/verifier: allow using bpf_kptr_xchg even if the NON_OWN_REF flag is set
Posted by Chengkaitao 4 days, 2 hours ago 
From: Chengkaitao Com <chengkaitao@kylinos.cn>

When traversing an rbtree using bpf_rbtree_left/right, if bpf_kptr_xchg
is used to access the __kptr pointer contained in a node, it currently
requires first removing the node with bpf_rbtree_remove and clearing the
NON_OWN_REF flag, then re-adding the node to the original rbtree with
bpf_rbtree_add after usage. This process significantly degrades rbtree
traversal performance. The patch enables accessing __kptr pointers with
the NON_OWN_REF flag set while holding the lock, eliminating the need
for this remove-read-readd sequence.

Signed-off-by: Chengkaitao Com <chengkaitao@kylinos.cn>
Signed-off-by: Feng Yang <yangfeng@kylinos.cn>
---
 kernel/bpf/verifier.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 05a6a6606b6c..bb3ff4bbb3a2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9260,7 +9260,8 @@ static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE }
 static const struct bpf_reg_types kptr_xchg_dest_types = {
 	.types = {
 		PTR_TO_MAP_VALUE,
-		PTR_TO_BTF_ID | MEM_ALLOC
+		PTR_TO_BTF_ID | MEM_ALLOC,
+		PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF
 	}
 };
 static const struct bpf_reg_types dynptr_types = {
@@ -9420,6 +9421,7 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
 	}
 	case PTR_TO_BTF_ID | MEM_ALLOC:
 	case PTR_TO_BTF_ID | MEM_PERCPU | MEM_ALLOC:
+	case PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF:
 		if (meta->func_id != BPF_FUNC_spin_lock && meta->func_id != BPF_FUNC_spin_unlock &&
 		    meta->func_id != BPF_FUNC_kptr_xchg) {
 			verifier_bug(env, "unimplemented handling of MEM_ALLOC");
-- 
2.50.1 (Apple Git-155)
Re: [PATCH v5 2/3] bpf/verifier: allow using bpf_kptr_xchg even if the NON_OWN_REF flag is set
Posted by bot+bpf-ci@kernel.org 4 days, 1 hour ago 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 2dd860ae12..bb45fa5612 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -9300,7 +9300,8 @@ static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE }
>  static const struct bpf_reg_types kptr_xchg_dest_types = {
>  	.types = {
>  		PTR_TO_MAP_VALUE,
> -		PTR_TO_BTF_ID | MEM_ALLOC
> +		PTR_TO_BTF_ID | MEM_ALLOC,
> +		PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF
>  	}
>  };

Is the MEM_RCU variant also needed here?

When ref_set_non_owning() marks a register as NON_OWN_REF, it also adds
MEM_RCU if the node has a bpf_refcount field (refcount_off >= 0):

    reg->type |= NON_OWN_REF;
    if (rec->refcount_off >= 0)
        reg->type |= MEM_RCU;

This means rbtree nodes with both a __kptr field and a bpf_refcount field
would have type PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF | MEM_RCU, which
won't match any entry in kptr_xchg_dest_types.

Should this also add:

    PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF | MEM_RCU

to handle that case?

> @@ -9460,6 +9461,7 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
>  	}
>  	case PTR_TO_BTF_ID | MEM_ALLOC:
>  	case PTR_TO_BTF_ID | MEM_PERCPU | MEM_ALLOC:
> +	case PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF:
>  		if (meta->func_id != BPF_FUNC_spin_lock && meta->func_id != BPF_FUNC_spin_unlock &&
>  		    meta->func_id != BPF_FUNC_kptr_xchg) {

Similarly, does this switch need a case for the MEM_RCU variant?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21614799102

AI-authorship-score: low
AI-authorship-explanation: The commit addresses a specific practical problem with minimal targeted changes, showing domain expertise typical of human kernel developers rather than AI-generated comprehensive solutions.
issues-found: 1
issue-severity-score: low
issue-severity-explanation: Missing MEM_RCU variant may prevent bpf_kptr_xchg on refcounted rbtree nodes, but this affects only a subset of use cases and causes verifier rejection rather than runtime issues.
Re: [PATCH v5 2/3] bpf/verifier: allow using bpf_kptr_xchg even if the NON_OWN_REF flag is set
Posted by Chengkaitao 3 days, 21 hours ago 
On Tue, Feb 3, 2026 at 11:04 AM <bot+bpf-ci@kernel.org> wrote:
>
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 2dd860ae12..bb45fa5612 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -9300,7 +9300,8 @@ static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE }
> >  static const struct bpf_reg_types kptr_xchg_dest_types = {
> >       .types = {
> >               PTR_TO_MAP_VALUE,
> > -             PTR_TO_BTF_ID | MEM_ALLOC
> > +             PTR_TO_BTF_ID | MEM_ALLOC,
> > +             PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF
> >       }
> >  };
>
> Is the MEM_RCU variant also needed here?
>
> When ref_set_non_owning() marks a register as NON_OWN_REF, it also adds
> MEM_RCU if the node has a bpf_refcount field (refcount_off >= 0):
>
>     reg->type |= NON_OWN_REF;
>     if (rec->refcount_off >= 0)
>         reg->type |= MEM_RCU;
>
> This means rbtree nodes with both a __kptr field and a bpf_refcount field
> would have type PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF | MEM_RCU, which
> won't match any entry in kptr_xchg_dest_types.
>
> Should this also add:
>
>     PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF | MEM_RCU
>
> to handle that case?
>
> > @@ -9460,6 +9461,7 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
> >       }
> >       case PTR_TO_BTF_ID | MEM_ALLOC:
> >       case PTR_TO_BTF_ID | MEM_PERCPU | MEM_ALLOC:
> > +     case PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF:
> >               if (meta->func_id != BPF_FUNC_spin_lock && meta->func_id != BPF_FUNC_spin_unlock &&
> >                   meta->func_id != BPF_FUNC_kptr_xchg) {
>
> Similarly, does this switch need a case for the MEM_RCU variant?
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21614799102
>
> AI-authorship-score: low
> AI-authorship-explanation: The commit addresses a specific practical problem with minimal targeted changes, showing domain expertise typical of human kernel developers rather than AI-generated comprehensive solutions.
> issues-found: 1
> issue-severity-score: low
> issue-severity-explanation: Missing MEM_RCU variant may prevent bpf_kptr_xchg on refcounted rbtree nodes, but this affects only a subset of use cases and causes verifier rejection rather than runtime issues.

I will try to add this case.  thanks

-- 
Yours,
Chengkaitao

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.