Re: [PATCH v5 2/3] bpf/verifier: allow using bpf_kptr_xchg even if the NON_OWN_REF flag is set

Mon, 02 Feb 2026 19:05:06 -0800 

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 2dd860ae12..bb45fa5612 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -9300,7 +9300,8 @@ static const struct bpf_reg_types timer_types = { 
> .types = { PTR_TO_MAP_VALUE }
>  static const struct bpf_reg_types kptr_xchg_dest_types = {
>       .types = {
>               PTR_TO_MAP_VALUE,
> -             PTR_TO_BTF_ID | MEM_ALLOC
> +             PTR_TO_BTF_ID | MEM_ALLOC,
> +             PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF
>       }
>  };

Is the MEM_RCU variant also needed here?

When ref_set_non_owning() marks a register as NON_OWN_REF, it also adds
MEM_RCU if the node has a bpf_refcount field (refcount_off >= 0):

    reg->type |= NON_OWN_REF;
    if (rec->refcount_off >= 0)
        reg->type |= MEM_RCU;

This means rbtree nodes with both a __kptr field and a bpf_refcount field
would have type PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF | MEM_RCU, which
won't match any entry in kptr_xchg_dest_types.

Should this also add:

    PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF | MEM_RCU

to handle that case?

> @@ -9460,6 +9461,7 @@ static int check_reg_type(struct bpf_verifier_env *env, 
> u32 regno,
>       }
>       case PTR_TO_BTF_ID | MEM_ALLOC:
>       case PTR_TO_BTF_ID | MEM_PERCPU | MEM_ALLOC:
> +     case PTR_TO_BTF_ID | MEM_ALLOC | NON_OWN_REF:
>               if (meta->func_id != BPF_FUNC_spin_lock && meta->func_id != 
> BPF_FUNC_spin_unlock &&
>                   meta->func_id != BPF_FUNC_kptr_xchg) {

Similarly, does this switch need a case for the MEM_RCU variant?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21614799102

AI-authorship-score: low
AI-authorship-explanation: The commit addresses a specific practical problem 
with minimal targeted changes, showing domain expertise typical of human kernel 
developers rather than AI-generated comprehensive solutions.
issues-found: 1
issue-severity-score: low
issue-severity-explanation: Missing MEM_RCU variant may prevent bpf_kptr_xchg 
on refcounted rbtree nodes, but this affects only a subset of use cases and 
causes verifier rejection rather than runtime issues.

Reply via email to