From: sashiko-bot@kernel.org
To: "Kaitao cheng" <kaitao.cheng@linux.dev>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH RESEND bpf-next v10 5/8] bpf: Add bpf_list_add to insert node after a given list node
Date: Wed, 13 May 2026 20:44:19 +0000 [thread overview]
Message-ID: <20260513204420.2BB22C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260512055919.95716-6-kaitao.cheng@linux.dev>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] bpf_list_add drops the 'new' node on runtime failure, but the verifier unconditionally converts 'new' to a non-owning reference, leading to a reliable Use-After-Free.
- [High] The bpf_list_add kfunc is marked with KF_IMPLICIT_ARGS but lacks the required _impl counterpart, causing the verifier to unconditionally reject it.
--
commit 2a493a875461b6ae4bffbc4548a568dfaca01438
Author: Kaitao Cheng <chengkaitao@kylinos.cn>
bpf: Add bpf_list_add to insert node after a given list node
This patch adds a new kfunc bpf_list_add() to insert a node after a given
list node in a BPF linked list. The new node must be an owning reference
which is consumed by the kfunc, and on failure, the kernel drops the
passed-in node.
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 5388078f31710..2b8e8d4284a54 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2570,6 +2570,16 @@ __bpf_kfunc int bpf_list_push_back_impl(struct bpf_list_head *head,
> return bpf_list_push_back(head, node, meta__ign, off);
> }
>
> +__bpf_kfunc int bpf_list_add(struct bpf_list_head *head, struct bpf_list_node *new,
> + struct bpf_list_node *prev, struct btf_struct_meta *meta,
> + u64 off)
> +{
> + struct bpf_list_node_kern *n = (void *)new, *p = (void *)prev;
> + struct list_head *prev_ptr = &p->list_head;
> +
> + return __bpf_list_add(n, head, &prev_ptr, meta ? meta->record : NULL, off);
> +}
If __bpf_list_add() fails at runtime (e.g., because prev is not in the list
indicated by head), it drops the 'new' node:
__bpf_list_add()
...
fail:
__bpf_obj_drop_impl((void *)n - off, rec, false);
return -EINVAL;
However, the verifier unconditionally converts 'new' into a non-owning
reference during check_kfunc_call(). If __bpf_list_add() fails, the BPF program
retains this non-owning reference to a freed node. Could this allow the program
to trigger a use-after-free within the lock critical section?
[ ... ]
> @@ -4748,6 +4758,7 @@ BTF_ID_FLAGS(func, bpf_list_push_front, KF_IMPLICIT_ARGS)
> BTF_ID_FLAGS(func, bpf_list_push_front_impl)
> BTF_ID_FLAGS(func, bpf_list_push_back, KF_IMPLICIT_ARGS)
> BTF_ID_FLAGS(func, bpf_list_push_back_impl)
> +BTF_ID_FLAGS(func, bpf_list_add, KF_IMPLICIT_ARGS)
Since bpf_list_add is marked with KF_IMPLICIT_ARGS, won't the verifier look
for a bpf_list_add_impl counterpart during program load?
Without defining and registering a bpf_list_add_impl function,
find_kfunc_impl_proto() will fail to find the required _impl suffix in the
vmlinux BTF. Will this cause the verifier to unconditionally reject the kfunc?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260512055919.95716-1-kaitao.cheng@linux.dev?part=5
next prev parent reply other threads:[~2026-05-13 20:44 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-12 5:59 [PATCH RESEND bpf-next v10 0/8] bpf: Extend the bpf_list family of APIs Kaitao cheng
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 1/8] bpf: refactor __bpf_list_del to take list node pointer Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-12 8:55 ` Kaitao Cheng
2026-05-13 22:30 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 2/8] bpf: clear list node owner and unlink before drop Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-13 22:53 ` Eduard Zingerman
2026-05-13 6:02 ` sashiko-bot
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 3/8] bpf: Introduce the bpf_list_del kfunc Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-12 9:36 ` Kaitao Cheng
2026-05-13 22:32 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 4/8] bpf: refactor __bpf_list_add to take insertion point via **prev_ptr Kaitao cheng
2026-05-13 22:33 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 5/8] bpf: Add bpf_list_add to insert node after a given list node Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-12 12:05 ` Kaitao Cheng
2026-05-13 20:44 ` sashiko-bot [this message]
2026-05-13 22:35 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 6/8] bpf: add bpf_list_is_first/last/empty kfuncs Kaitao cheng
2026-05-13 22:35 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 7/8] bpf: allow non-owning list-node args via __nonown_allowed Kaitao cheng
2026-05-12 6:41 ` bot+bpf-ci
2026-05-13 22:22 ` sashiko-bot
2026-05-13 22:37 ` Eduard Zingerman
2026-05-13 22:55 ` Eduard Zingerman
2026-05-12 5:59 ` [PATCH RESEND bpf-next v10 8/8] selftests/bpf: Add test cases for bpf_list_del/add/is_first/is_last/empty Kaitao cheng
2026-05-13 22:44 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513204420.2BB22C19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kaitao.cheng@linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox