bpf: allow calling bpf_kptr_xchg while holding a lock

For the following scenario:
struct tree_node {
    struct bpf_rb_node node;
    struct request __kptr *req;
    u64 key;
};
struct bpf_rb_root tree_root __contains(tree_node, node);
struct bpf_spin_lock tree_lock;

If we need to traverse all nodes in the rbtree, retrieve the __kptr
pointer from each node, and read kernel data from the referenced
object, using bpf_kptr_xchg appears unavoidable.

This patch skips the BPF verifier checks for bpf_kptr_xchg when
called while holding a lock.

Signed-off-by: Kaitao Cheng <chengkaitao@kylinos.cn>
Link: https://lore.kernel.org/r/20260214124042.62229-2-pilgrimtao@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2ef00f9b94fe5e5c4305bd44cb87f16305eabd15..ee63f27aa5e4397932e906adbb701f9df841ff40 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -20998,7 +20998,8 @@ static int do_check_insn(struct bpf_verifier_env *env, bool *do_print_state)
 
                        if (env->cur_state->active_locks) {
                                if ((insn->src_reg == BPF_REG_0 &&
-                                    insn->imm != BPF_FUNC_spin_unlock) ||
+                                    insn->imm != BPF_FUNC_spin_unlock &&
+                                    insn->imm != BPF_FUNC_kptr_xchg) ||
                                    (insn->src_reg == BPF_PSEUDO_KFUNC_CALL &&
                                     (insn->off != 0 || !kfunc_spin_allowed(insn->imm)))) {
                                        verbose(env,