| From: |
| Justin Suess <utilityemal77-AT-gmail.com> |
| To: |
| ast-AT-kernel.org, daniel-AT-iogearbox.net, andrii-AT-kernel.org, eddyz87-AT-gmail.com, memxor-AT-gmail.com |
| Subject: |
| [PATCH bpf-next v3 0/2] Allow storing referenced struct file kptrs in BPF maps |
| Date: |
| Fri, 24 Apr 2026 15:22:50 -0400 |
| Message-ID: |
| <20260424192252.695240-1-utilityemal77@gmail.com> |
| Cc: |
| martin.lau-AT-linux.dev, song-AT-kernel.org, yonghong.song-AT-linux.dev, jolsa-AT-kernel.org, bpf-AT-vger.kernel.org, mic-AT-digikod.net, Justin Suess <utilityemal77-AT-gmail.com> |
| Archive-link: |
| Article |
Hello,
This series adds a destructor for struct file, enabling it to be used as a
referenced kptr in BPF maps.
This iteration of the series just addresses a small test failure.
v1: https://lore.kernel.org/bpf/20260420203306.3107246-1-util...
v2: https://lore.kernel.org/bpf/20260423152239.4140627-1-util...
The destructor mirrors bpf_put_file() semantics and releases the reference
via fput(). This allows pointers returned from kfuncs such as
bpf_get_task_exe_file() to be safely stored and later reused with helpers
and kfuncs that operate on struct file.
This fills a gap compared to bpf_dynptr_from_file(), where the resulting
dynptr can be stored in a map, but cannot be passed to kfuncs expecting
a struct file *.
Use cases include caching file references across events and deferring
processing while keeping the underlying file alive.
Patch 1 adds the struct file kptr destructor and wires it into the BTF
kfunc sets.
Patch 2 adds selftests covering successful use and verifier rejection of
unreferenced pointers and success cases.
Changes for v3:
- Fix variable name in failure test case to pass.
- Better handle fd closure for file copy helper.
- Remove dead test function.
Changes for v2:
- Fix comment formatting based on sashiko feedback.
- Fix typo in commit based on sashiko feedback.
- Remove close_fd helper based on Song Liu's feedback.
- Expand selftests to include success and failure verifier tests.
Note on NMI safety:
An existing bug in NMI safety after further investigation from this
sashiko report [1] was found and reported here, with reproducer. [2]
Basically it is possible to invoke map dtors from within an nmi context
by attaching to specific tracepoints. Because the existing dtors rely on
rcu and/or locks, you can cause deadlocks. The fput added by this patch
is unsafe in nmi context and affected by this bug.
However, the solution requires deeper investigation into verifier safety
in NMI contexts, and is outside the scope of this patch.
[1] : https://lore.kernel.org/bpf/20260421010536.17FB1C19425@sm...
[2] : https://lore.kernel.org/bpf/20260421201035.1729473-1-util...
Justin Suess (2):
bpf: Implement dtor for struct file BTF ID
selftests/bpf: Add test for map-stored struct file kptrs
kernel/bpf/helpers.c | 16 +-
.../bpf/prog_tests/refcounted_kptr_file.c | 247 ++++++++++++++++++
.../bpf/progs/refcounted_kptr_file.c | 158 +++++++++++
.../bpf/progs/refcounted_kptr_file_fail.c | 141 ++++++++++
.../bpf/progs/refcounted_kptr_file_success.c | 61 +++++
5 files changed, 622 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/refcounted_kptr_file.c
create mode 100644 tools/testing/selftests/bpf/progs/refcounted_kptr_file.c
create mode 100644 tools/testing/selftests/bpf/progs/refcounted_kptr_file_fail.c
create mode 100644 tools/testing/selftests/bpf/progs/refcounted_kptr_file_success.c
--
2.53.0
