From: Chengkaitao <pilgrimtao@gmail.com>
To: martin.lau@linux.dev, ast@kernel.org, daniel@iogearbox.net,
andrii@kernel.org, eddyz87@gmail.com, song@kernel.org,
yonghong.song@linux.dev, john.fastabend@gmail.com,
kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com,
jolsa@kernel.org, shuah@kernel.org, chengkaitao@kylinos.cn,
linux-kselftest@vger.kernel.org
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH bpf-next v9 3/9] bpf: clear list node owner and unlink before drop
Date: Sun, 29 Mar 2026 22:05:00 +0800
Message-ID: <20260329140506.9595-4-pilgrimtao@gmail.com>
In-Reply-To: <20260329140506.9595-1-pilgrimtao@gmail.com>
From: Kaitao Cheng <chengkaitao@kylinos.cn>
When draining a BPF list_head, clear each node's owner pointer while still
holding the spinlock, so concurrent readers always see a consistent owner.
Delink each node with list_del_init() before calling __bpf_obj_drop_impl(),
preventing subsequent users who hold a reference count to the node from
acquiring an invalid next node.
Signed-off-by: Kaitao Cheng <chengkaitao@kylinos.cn>
---
kernel/bpf/helpers.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 94fcd4ab39e9..8abb99712043 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2232,7 +2232,7 @@ EXPORT_SYMBOL_GPL(bpf_base_func_proto);
void bpf_list_head_free(const struct btf_field *field, void *list_head,
struct bpf_spin_lock *spin_lock)
{
- struct list_head *head = list_head, *orig_head = list_head;
+ struct list_head *head = list_head, *orig_head = list_head, *pos;
BUILD_BUG_ON(sizeof(struct list_head) > sizeof(struct bpf_list_head));
BUILD_BUG_ON(__alignof__(struct list_head) > __alignof__(struct bpf_list_head));
@@ -2247,6 +2247,9 @@ void bpf_list_head_free(const struct btf_field *field, void *list_head,
if (!head->next || list_empty(head))
goto unlock;
head = head->next;
+ /* Clear owner under spinlock to ensure the owner is always valid */
+ for (pos = head; pos != orig_head; pos = pos->next)
+ WRITE_ONCE(container_of(pos, struct bpf_list_node_kern, list_head)->owner, NULL);
unlock:
INIT_LIST_HEAD(orig_head);
__bpf_spin_unlock_irqrestore(spin_lock);
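
Review bot: The owner-clearing loop leaves each node with owner == NULL while its list_head is still linked to its neighbours, and that state outlives the lock: the nodes are only unlinked by the later list_del_init(), after __bpf_spin_unlock_irqrestore(). Anything holding a reference that treats a NULL owner as "not on a list" can then see a node that is unowned but still chained. Either unlink the nodes inside the same locked section, or extend the comment to say which readers depend on the NULL owner and why a linked node with no owner is safe for them; the current wording ("ensure the owner is always valid") does not match a store of NULL.
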
@@ -2255,7 +2258,9 @@ void bpf_list_head_free(const struct btf_field *field, void *list_head,
void *obj = head;
obj -= field->graph_root.node_offset;
+ pos = head;
head = head->next;
+ list_del_init(pos);
/* The contained type can also have resources, including a
* bpf_list_head which needs to be freed.
*/
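
Review bot: list_del_init(pos) in the drain loop runs after the lock has been dropped and after INIT_LIST_HEAD(orig_head), but the chain was never detached from orig_head: the first node's prev and the last node's next still point at it. Unlinking the first node therefore stores into orig_head->next without the lock, and on kernels built with list debugging or hardening the prev->next == entry check will not hold, because orig_head->next points back at orig_head after the reinit. Consider moving the chain onto a local list_head while the lock is held (list_replace_init() would do) and draining that, so every unlink touches only nodes this function owns.
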
--
2.50.1 (Apple Git-155)