Re: [PATCH v4 3/6] bpf: add bpf_list_add_impl to insert node after a given list node

Tue, 03 Mar 2026 06:45:39 -0800 

> Returns 0 on success, -EINVAL if 'prev' is not in a list or 'new'
> is already in a list (or duplicate insertion). On failure, the
> kernel drops the passed-in node.

The commit message says the kernel drops the passed-in node on
failure, but looking at the implementation, only the cmpxchg
failure path actually drops the node:

> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
>
> @@ -2497,6 +2497,32 @@
>
> +__bpf_kfunc int bpf_list_add_impl(struct bpf_list_head *head,
> +                               struct bpf_list_node *new,
> +                               struct bpf_list_node *prev,
> +                               void *meta__ign, u64 off)
> +{
> +     struct bpf_list_node_kern *kn = (void *)new, *kp = (void *)prev;
> +     struct btf_struct_meta *meta = meta__ign;
> +     struct list_head *n = &kn->list_head, *p = &kp->list_head;
> +
> +     if (unlikely(!head))
> +             return -EINVAL;
> +
> +     if (WARN_ON_ONCE(READ_ONCE(kp->owner) != head))
> +             return -EINVAL;

These two return paths don't drop 'new' before returning.  The
verifier unconditionally releases the BPF program's reference to
the new node via ref_convert_owning_non_owning() followed by
release_reference(), so nobody holds a reference to it after this
kfunc returns.

In contrast, __bpf_list_add() always either inserts the node or
drops it via __bpf_obj_drop_impl():

    static int __bpf_list_add(...) {
        if (cmpxchg(&node->owner, NULL, BPF_PTR_POISON)) {
            __bpf_obj_drop_impl((void *)n - off, rec, false);
            return -EINVAL;
        }
        tail ? list_add_tail(n, h) : list_add(n, h);
        ...
    }

These early return paths should be unreachable because the
verifier guarantees head is valid and the lock is held, but
should the commit message be corrected to match the actual
behavior, or should the early error paths also drop the node
for consistency with __bpf_list_add()?

> +
> +     if (cmpxchg(&kn->owner, NULL, BPF_PTR_POISON)) {
> +             __bpf_obj_drop_impl((void *)n - off,
> +                     meta ? meta->record : NULL, false);
> +             return -EINVAL;
> +     }
> +
> +     list_add(n, p);
> +     WRITE_ONCE(kn->owner, head);
> +     return 0;
> +}


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/22626485740

Reply via email to