On Sun, Feb 8, 2026 at 6:53 PM Chengkaitao <[email protected]> wrote: > > From: Kaitao Cheng <[email protected]> > > If a user holds ownership of a node in the middle of a list, they > can directly remove it from the list without strictly adhering to > deletion rules from the head or tail. > > This is typically paired with bpf_refcount. After calling > bpf_list_del, it is generally necessary to drop the reference to > the list node twice to prevent reference count leaks. > > Signed-off-by: Kaitao Cheng <[email protected]> > --- > kernel/bpf/helpers.c | 19 +++++++++++++++++++ > kernel/bpf/verifier.c | 6 +++++- > 2 files changed, 24 insertions(+), 1 deletion(-) > > diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c > index db72b96f9c8c..44d9b9ea8d40 100644 > --- a/kernel/bpf/helpers.c > +++ b/kernel/bpf/helpers.c > @@ -2388,6 +2388,24 @@ __bpf_kfunc struct bpf_list_node > *bpf_list_pop_back(struct bpf_list_head *head) > return __bpf_list_del(head, true); > } > > +__bpf_kfunc struct bpf_list_node *bpf_list_del(struct bpf_list_head *head, > + struct bpf_list_node *node) > +{ > + struct bpf_list_node_kern *knode = (struct bpf_list_node_kern *)node; > + struct list_head *h = (void *)head; > + > + if (unlikely(!knode)) > + return NULL; > + > + if (WARN_ON_ONCE(READ_ONCE(knode->owner) != h)) > + return NULL;
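
Review bot: The `WARN_ON_ONCE(READ_ONCE(knode->owner) != h)` check in bpf_list_del() treats an owner mismatch as a kernel bug, yet the commit message describes callers that hold their own bpf_refcount reference to a node, so a node that is no longer on this list (or is on another one) looks reachable from a BPF program at runtime. Unless the verifier.c change proves that `node` is on `head`, make this a plain `if (READ_ONCE(knode->owner) != h) return NULL;` so a program cannot trigger a kernel warning, which matters on systems running with panic_on_warn. The new kfunc also has no comment describing its contract: what a NULL return means, and which references the caller still owns afterwards. The commit message's "drop the reference to the list node twice" should be spelled out there rather than left for callers to infer.
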
Existing __bpf_list_del() is actually using 'head', but here... passing 'head' just to warn on it? Seems overkill.

Pass 'node' only. Then it will be more list-like.

Any other APIs are missing?

pw-bot: cr

