From nobody Thu Apr  2 13:44:54 2026
Received: from mail-pj1-f43.google.com (mail-pj1-f43.google.com
 [209.85.216.43])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id AD7AC36EA9B
	for <linux-kernel@vger.kernel.org>; Sun, 29 Mar 2026 14:05:52 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.43
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774793153; cv=none;
 b=XYmNsELYsxGpRNobGceQnnPRGe7vdjL+v3fjXSva6xmGOZxPL18vpVbzRSB6O3unI4ks5//4Zr/eNGywprroe1pmReZfQhhtGh1pA8QXhQntJQ+n9oX8aa6QGCoOuvqzjtk0uHmNosjS6WGGTqR1a5HC2SCx63onXkrROC4OFk8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774793153; c=relaxed/simple;
	bh=m4Dp/QO1CQwIaQ7zOXjACVsoK8KivPGSGTVahKCzCOY=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=Xr+2YyvRIlo+JId29MusDkLrDrPeVOgB7/F69DqejmQYwj04LZJ/eDIiA/uKzq+yTDpgvx78RpV+8dYZcWK3ALll4F/12P4gLTjhnvnpkR+5b0gNIS9qT9SoN1FXSJATphjSvT/cWAah9y8ijVl0QcFmSrzyhXaCG77IPbbvGJc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=pfMv6AxA; arc=none smtp.client-ip=209.85.216.43
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="pfMv6AxA"
Received: by mail-pj1-f43.google.com with SMTP id
 98e67ed59e1d1-35d94f4ee36so562000a91.3
        for <linux-kernel@vger.kernel.org>;
 Sun, 29 Mar 2026 07:05:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1774793152; x=1775397952;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=38DTT79mtCXKXJ8Z/5bB5pjQPLerUM4+fkGr6yskgL4=;
        b=pfMv6AxAxDbMNVnjgOEadQHLR8OA1E5im8YgJTmUjR4QcXZm0C4froJjGFHhsQiFhr
         1r/sFhu784VbykkK8IpvC4umPnpUL8EfHIzrRuWg5rXZc2EM820GnNcTZHuKTjG7QdJF
         dg5/UI5Oh3BTMFoixYZXYs49+D/ADEv2uG6yqgIF2y/gJuP2gbDO/UHbG38DLsCOTcES
         zp88WxyglGBSjcbkjBOrtU2oaHyRjkXgl6tO+yHzkCHS2ppRpz6G339OkmjG+NnZaPbj
         EmIjQ/DlJQIvLN75YOM1TbohXXDyd+l5RzHgEyL1RHvOjdXtn1JYKAdYscq6Nx4aIhxa
         /mkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1774793152; x=1775397952;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=38DTT79mtCXKXJ8Z/5bB5pjQPLerUM4+fkGr6yskgL4=;
        b=I8fX+vj1APRaZpBukdGewI7Ad2YhyI0x/V+Hg0RAzT9dYbDRXSeX4kjUga1QK40C60
         tCNNU/p5Wh++JFx4fMpkFGXnzuBhzpaEl3EXXeWBSvRSe8ShNbniZSrGLD7/8uDMeFm2
         GYByvhvyGMbXRDQKuvUjPpgNi6cxkmwtMJP3g1cZSoBjV4OePCY9dobdSRLmRMgKre8b
         f/wDZAtFqpAOfgcf3piFiMxtqr5ujVQoPds1kN4BrI9x+5c3jh/Gpuc3l7doRuRwUPqk
         +TRCzGiRWeEnvhfA0dCck1wUv30+3ZDuKpLBuARalqJ/tWe24lJY/cKqiL2J52mGs28K
         YOUw==
X-Forwarded-Encrypted: i=1;
 AJvYcCV1df+cutis8ZPLgqNt7TKw2Gmjw9e0WRAQWqvpYmn9JGHVlVJnR66THe2J8bT38zaAmdqo+DwLksyvkbI=@vger.kernel.org
X-Gm-Message-State: AOJu0Yw7w/iFq60COOGz6MTiprYjXzRSw9D9SKLKJATeyVL10zoP5pdC
	4E4E51T3IRGt2wAOjY7UNqMRe1AEv5XDfoTNEHNOTZ+XgEqpUCpSLfkI
X-Gm-Gg: ATEYQzw3TS20CA4xqdFRuJ85SERwG52pGlgDjCmouwPZrt3MnhccS3xviJedRnJCcb8
	6VCGv49KBEVcxPX/DsPNLUCrDUAEQYzKi0YQ7GOsIdqW+7xTFhx/wt8F/qtRJqAS90qnbulQV8E
	EIZ4idJhkN85op5fXLsIw52Ru8MT2ytaZVZLb0lt/O485lbFp2reDNXF61jI7WhzvhrgwaINL/K
	iukMkmHCXJN9MNsdSrb2bFqqDU1zLLXRS3Mq30WUoplmc5vpr4KHPp83zIR50Fs4dH6y+Val/Kr
	dKlwK7bLuckXOxD5HFlwGW7uhDnDvCHoa87JoplklYcRho7ZXkgTFgLd/xpwWD4VrUcP+tH64w+
	oSIE1+LxKaGEZX/Y42FRxHxOhmnoKkCpGnEEcuRAK9bJVzFRKQmGmkNeDn0U5CygguozoLY80Fa
	V6WtixkoHlMeYeTHZi1E+EonGLMXclOu3RQzcwXDN5/VAGOIIPJUCSEw==
X-Received: by 2002:a17:90a:1009:b0:35d:9560:3efc with SMTP id
 98e67ed59e1d1-35d9560431dmr3049031a91.14.1774793151838;
        Sun, 29 Mar 2026 07:05:51 -0700 (PDT)
Received: from localhost.localdomain ([113.218.252.111])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-35d950bd630sm4417454a91.16.2026.03.29.07.05.46
        (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
        Sun, 29 Mar 2026 07:05:51 -0700 (PDT)
From: Chengkaitao <pilgrimtao@gmail.com>
To: martin.lau@linux.dev,
	ast@kernel.org,
	daniel@iogearbox.net,
	andrii@kernel.org,
	eddyz87@gmail.com,
	song@kernel.org,
	yonghong.song@linux.dev,
	john.fastabend@gmail.com,
	kpsingh@kernel.org,
	sdf@fomichev.me,
	haoluo@google.com,
	jolsa@kernel.org,
	shuah@kernel.org,
	chengkaitao@kylinos.cn,
	linux-kselftest@vger.kernel.org
Cc: bpf@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH bpf-next v9 5/9] bpf: refactor __bpf_list_add to take
 insertion point via **prev_ptr
Date: Sun, 29 Mar 2026 22:05:02 +0800
Message-ID: <20260329140506.9595-6-pilgrimtao@gmail.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260329140506.9595-1-pilgrimtao@gmail.com>
References: <20260329140506.9595-1-pilgrimtao@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Kaitao Cheng <chengkaitao@kylinos.cn>

Refactor __bpf_list_add to accept (node, head, struct list_head **prev_ptr,
..) instead of (node, head, bool tail, ..). Load prev from *prev_ptr after
INIT_LIST_HEAD(h), so we never dereference an uninitialized h->prev when
head was 0-initialized (e.g. push_back passes &h->prev).

When prev is not the list head, validate that prev is in the list via
its owner.

Prepares for bpf_list_add_impl(head, new, prev, ..) to insert after a
given list node.

Signed-off-by: Kaitao Cheng <chengkaitao@kylinos.cn>
---
 kernel/bpf/helpers.c | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 6dddb2377047..669e380746a6 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2386,9 +2386,11 @@ __bpf_kfunc void *bpf_refcount_acquire_impl(void *p_=
_refcounted_kptr, void *meta
=20
 static int __bpf_list_add(struct bpf_list_node_kern *node,
 			  struct bpf_list_head *head,
-			  bool tail, struct btf_record *rec, u64 off)
+			  struct list_head **prev_ptr,
+			  struct btf_record *rec, u64 off)
 {
 	struct list_head *n =3D &node->list_head, *h =3D (void *)head;
+	struct list_head *prev;
=20
 	/* If list_head was 0-initialized by map, bpf_obj_init_field wasn't
 	 * called on its fields, so init here
@@ -2396,19 +2398,31 @@ static int __bpf_list_add(struct bpf_list_node_kern=
 *node,
 	if (unlikely(!h->next))
 		INIT_LIST_HEAD(h);
=20
+	prev =3D *prev_ptr;
+
+	/* When prev is not the list head, it must be a node in this list. */
+	if (prev !=3D h) {
+		struct bpf_list_node_kern *prev_kn =3D
+			container_of(prev, struct bpf_list_node_kern, list_head);
+
+		if (unlikely(READ_ONCE(prev_kn->owner) !=3D head))
+			goto fail;
+	}
+
 	/* node->owner !=3D NULL implies !list_empty(n), no need to separately
 	 * check the latter
 	 */
-	if (cmpxchg(&node->owner, NULL, BPF_PTR_POISON)) {
-		/* Only called from BPF prog, no need to migrate_disable */
-		__bpf_obj_drop_impl((void *)n - off, rec, false);
-		return -EINVAL;
-	}
+	if (cmpxchg(&node->owner, NULL, BPF_PTR_POISON))
+		goto fail;
=20
-	tail ? list_add_tail(n, h) : list_add(n, h);
+	list_add(n, prev);
 	WRITE_ONCE(node->owner, head);
-
 	return 0;
+
+fail:
+	/* Only called from BPF prog, no need to migrate_disable */
+	__bpf_obj_drop_impl((void *)n - off, rec, false);
+	return -EINVAL;
 }
=20
 __bpf_kfunc int bpf_list_push_front_impl(struct bpf_list_head *head,
@@ -2417,8 +2431,9 @@ __bpf_kfunc int bpf_list_push_front_impl(struct bpf_l=
ist_head *head,
 {
 	struct bpf_list_node_kern *n =3D (void *)node;
 	struct btf_struct_meta *meta =3D meta__ign;
+	struct list_head *h =3D (void *)head;
=20
-	return __bpf_list_add(n, head, false, meta ? meta->record : NULL, off);
+	return __bpf_list_add(n, head, &h, meta ? meta->record : NULL, off);
 }
=20
 __bpf_kfunc int bpf_list_push_back_impl(struct bpf_list_head *head,
@@ -2427,8 +2442,9 @@ __bpf_kfunc int bpf_list_push_back_impl(struct bpf_li=
st_head *head,
 {
 	struct bpf_list_node_kern *n =3D (void *)node;
 	struct btf_struct_meta *meta =3D meta__ign;
+	struct list_head *h =3D (void *)head;
=20
-	return __bpf_list_add(n, head, true, meta ? meta->record : NULL, off);
+	return __bpf_list_add(n, head, &h->prev, meta ? meta->record : NULL, off);
 }
=20
 static struct bpf_list_node *__bpf_list_del(struct bpf_list_head *head,
--=20
2.50.1 (Apple Git-155)