bpf: allow calling bpf_kptr_xchg while holding a lock

For the following scenario: struct tree_node { struct bpf_rb_node node; struct request __kptr *req; u64 key; }; struct bpf_rb_root tree_root __contains(tree_node, node); struct bpf_spin_lock tree_lock; If we need to traverse all nodes in the rbtree, retrieve the __kptr pointer from each node, and read kernel data from the referenced object, using bpf_kptr_xchg appears unavoidable. This patch skips the BPF verifier checks for bpf_kptr_xchg when called while holding a lock. Signed-off-by: Kaitao Cheng <chengkaitao@kylinos.cn> Link: https://lore.kernel.org/r/20260214124042.62229-2-pilgrimtao@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
author: Kaitao Cheng <chengkaitao@kylinos.cn> 2026-02-14 20:40:38 +0800
committer: Alexei Starovoitov <ast@kernel.org> 2026-02-23 17:37:06 -0800
commit: 964c0747686abda124cf718a91ac1c0c325ca52a (patch)
tree: 73e26ccaeab47ee588ffc8123cc1004b04cbdec4 /kernel
parent: 3ecf0b4a0e0ed4783aa32c5f3e42d23c7021e1c8 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2ef00f9b94fe..ee63f27aa5e4 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -20998,7 +20998,8 @@ static int do_check_insn(struct bpf_verifier_env *env, bool *do_print_state)
 
 			if (env->cur_state->active_locks) {
 				if ((insn->src_reg == BPF_REG_0 &&
-				     insn->imm != BPF_FUNC_spin_unlock) ||
+				     insn->imm != BPF_FUNC_spin_unlock &&
+				     insn->imm != BPF_FUNC_kptr_xchg) ||
 				    (insn->src_reg == BPF_PSEUDO_KFUNC_CALL &&
 				     (insn->off != 0 || !kfunc_spin_allowed(insn->imm)))) {
 					verbose(env,
author	Kaitao Cheng <chengkaitao@kylinos.cn>	2026-02-14 20:40:38 +0800
committer	Alexei Starovoitov <ast@kernel.org>	2026-02-23 17:37:06 -0800
commit	964c0747686abda124cf718a91ac1c0c325ca52a (patch)
tree	73e26ccaeab47ee588ffc8123cc1004b04cbdec4 /kernel
parent	3ecf0b4a0e0ed4783aa32c5f3e42d23c7021e1c8 (diff)