€•=®      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ%/translations/zh_CN/bpf/graph_ds_impl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/zh_TW/bpf/graph_ds_impl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/it_IT/bpf/graph_ds_impl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/ja_JP/bpf/graph_ds_impl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/ko_KR/bpf/graph_ds_impl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ%/translations/sp_SP/bpf/graph_ds_impl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒBPF Graph Data Structures”h]”hŒBPF Graph Data Structures”…””}”(hh¨hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¦hh£hžhhŸŒ?/var/lib/git/docbuild/linux/Documentation/bpf/graph_ds_impl.rst”h KubhŒ	paragraph”“”)”}”(hŒÑThis document describes implementation details of new-style "graph" data
structures (linked_list, rbtree), with particular focus on the verifier's
implementation of semantics specific to those data structures.”h]”hŒ×This document describes implementation details of new-style â€œgraphâ€ data
structures (linked_list, rbtree), with particular focus on the verifierâ€™s
implementation of semantics specific to those data structures.”…””}”(hh¹hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khh£hžhubh¸)”}”(hŒ¼Although no specific verifier code is referred to in this document, the document
assumes that the reader has general knowledge of BPF verifier internals, BPF
maps, and BPF program writing.”h]”hŒ¼Although no specific verifier code is referred to in this document, the document
assumes that the reader has general knowledge of BPF verifier internals, BPF
maps, and BPF program writing.”…””}”(hhÇhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K	hh£hžhubh¸)”}”(hŒ¼Note that the intent of this document is to describe the current state of
these graph data structures. **No guarantees** of stability for either
semantics or APIs are made or implied here.”h]”(hŒgNote that the intent of this document is to describe the current state of
these graph data structures. ”…””}”(hhÕhžhhŸNh NubhŒstrong”“”)”}”(hŒ**No guarantees**”h]”hŒNo guarantees”…””}”(hhßhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝhhÕubhŒD of stability for either
semantics or APIs are made or implied here.”…””}”(hhÕhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khh£hžhubhŒtopic”“”)”}”(hhh]”hŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hhh]”h¸)”}”(hhh]”hŒ	reference”“”)”}”(hhh]”hŒIntroduction”…””}”(hj  hžhhŸNh Nubah}”(h]”Œid1”ah ]”h"]”h$]”h&]”Œrefid”Œintroduction”uh1j	  hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hhþubj  )”}”(hhh]”h¸)”}”(hhh]”j
  )”}”(hhh]”hŒUnstable API”…””}”(hj-  hžhhŸNh Nubah}”(h]”Œid2”ah ]”h"]”h$]”h&]”Œrefid”Œunstable-api”uh1j	  hj*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hj'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hhþubj  )”}”(hhh]”h¸)”}”(hhh]”j
  )”}”(hhh]”hŒLocking”…””}”(hjO  hžhhŸNh Nubah}”(h]”Œid3”ah ]”h"]”h$]”h&]”Œrefid”Œlocking”uh1j	  hjL  ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hjI  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hhþubj  )”}”(hhh]”h¸)”}”(hhh]”j
  )”}”(hhh]”hŒNon-owning references”…””}”(hjq  hžhhŸNh Nubah}”(h]”Œid4”ah ]”h"]”h$]”h&]”Œrefid”Œnon-owning-references”uh1j	  hjn  ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hjk  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hhþubeh}”(h]”h ]”h"]”h$]”h&]”uh1hühhùhžhhŸNh Nubah}”(h]”Œcontents”ah ]”(Œcontents”Œlocal”eh"]”Œcontents”ah$]”h&]”uh1h÷hŸh¶h Khh£hžhubh¢)”}”(hhh]”(h§)”}”(hŒIntroduction”h]”hŒIntroduction”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefid”j  uh1h¦hj  hžhhŸh¶h Kubh¸)”}”(hXf  The BPF map API has historically been the main way to expose data structures
of various types for use within BPF programs. Some data structures fit naturally
with the map API (HASH, ARRAY), others less so. Consequently, programs
interacting with the latter group of data structures can be hard to parse
for kernel programmers without previous BPF experience.”h]”hXf  The BPF map API has historically been the main way to expose data structures
of various types for use within BPF programs. Some data structures fit naturally
with the map API (HASH, ARRAY), others less so. Consequently, programs
interacting with the latter group of data structures can be hard to parse
for kernel programmers without previous BPF experience.”…””}”(hj¯  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj  hžhubh¸)”}”(hX5  Luckily, some restrictions which necessitated the use of BPF map semantics are
no longer relevant. With the introduction of kfuncs, kptrs, and the any-context
BPF allocator, it is now possible to implement BPF data structures whose API
and semantics more closely match those exposed to the rest of the kernel.”h]”hX5  Luckily, some restrictions which necessitated the use of BPF map semantics are
no longer relevant. With the introduction of kfuncs, kptrs, and the any-context
BPF allocator, it is now possible to implement BPF data structures whose API
and semantics more closely match those exposed to the rest of the kernel.”…””}”(hj½  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj  hžhubh¸)”}”(hX  Two such data structures - linked_list and rbtree - have many verification
details in common. Because both have "root"s ("head" for linked_list) and
"node"s, the verifier code and this document refer to common functionality
as "graph_api", "graph_root", "graph_node", etc.”h]”hX(  Two such data structures - linked_list and rbtree - have many verification
details in common. Because both have â€œrootâ€s (â€œheadâ€ for linked_list) and
â€œnodeâ€s, the verifier code and this document refer to common functionality
as â€œgraph_apiâ€, â€œgraph_rootâ€, â€œgraph_nodeâ€, etc.”…””}”(hjË  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K#hj  hžhubh¸)”}”(hŒZUnless otherwise stated, examples and semantics below apply to both graph data
structures.”h]”hŒZUnless otherwise stated, examples and semantics below apply to both graph data
structures.”…””}”(hjÙ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K(hj  hžhubeh}”(h]”j  ah ]”h"]”Œintroduction”ah$]”h&]”uh1h¡hh£hžhhŸh¶h Kubh¢)”}”(hhh]”(h§)”}”(hŒUnstable API”h]”hŒUnstable API”…””}”(hjñ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j®  j6  uh1h¦hjî  hžhhŸh¶h K,ubh¸)”}”(hXÂ  Data structures implemented using the BPF map API have historically used BPF
helper functions - either standard map API helpers like ``bpf_map_update_elem``
or map-specific helpers. The new-style graph data structures instead use kfuncs
to define their manipulation helpers. Because there are no stability guarantees
for kfuncs, the API and semantics for these data structures can be evolved in
a way that breaks backwards compatibility if necessary.”h]”(hŒ…Data structures implemented using the BPF map API have historically used BPF
helper functions - either standard map API helpers like ”…””}”(hjÿ  hžhhŸNh NubhŒliteral”“”)”}”(hŒ``bpf_map_update_elem``”h]”hŒbpf_map_update_elem”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÿ  ubhX&  
or map-specific helpers. The new-style graph data structures instead use kfuncs
to define their manipulation helpers. Because there are no stability guarantees
for kfuncs, the API and semantics for these data structures can be evolved in
a way that breaks backwards compatibility if necessary.”…””}”(hjÿ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K.hjî  hžhubh¸)”}”(hŒhRoot and node types for the new data structures are opaquely defined in the
``uapi/linux/bpf.h`` header.”h]”(hŒLRoot and node types for the new data structures are opaquely defined in the
”…””}”(hj!  hžhhŸNh Nubj  )”}”(hŒ``uapi/linux/bpf.h``”h]”hŒuapi/linux/bpf.h”…””}”(hj)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj!  ubhŒ header.”…””}”(hj!  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K5hjî  hžhubeh}”(h]”j<  ah ]”h"]”Œunstable api”ah$]”h&]”uh1h¡hh£hžhhŸh¶h K,ubh¢)”}”(hhh]”(h§)”}”(hŒLocking”h]”hŒLocking”…””}”(hjK  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j®  jX  uh1h¦hjH  hžhhŸh¶h K9ubh¸)”}”(hŒkThe new-style data structures are intrusive and are defined similarly to their
vanilla kernel counterparts:”h]”hŒkThe new-style data structures are intrusive and are defined similarly to their
vanilla kernel counterparts:”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K;hjH  hžhubhŒliteral_block”“”)”}”(hŒœstruct node_data {
  long key;
  long data;
  struct bpf_rb_node node;
};

struct bpf_spin_lock glock;
struct bpf_rb_root groot __contains(node_data, node);”h]”hŒœstruct node_data {
  long key;
  long data;
  struct bpf_rb_node node;
};

struct bpf_spin_lock glock;
struct bpf_rb_root groot __contains(node_data, node);”…””}”hji  sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”Œforce”‰Œlanguage”Œc”Œhighlight_args”}”uh1jg  hŸh¶h K>hjH  hžhubh¸)”}”(hXÿ  The "root" type for both linked_list and rbtree expects to be in a map_value
which also contains a ``bpf_spin_lock`` - in the above example both global
variables are placed in a single-value arraymap. The verifier considers this
spin_lock to be associated with the ``bpf_rb_root`` by virtue of both being in
the same map_value and will enforce that the correct lock is held when
verifying BPF programs that manipulate the tree. Since this lock checking
happens at verification time, there is no runtime penalty.”h]”(hŒgThe â€œrootâ€ type for both linked_list and rbtree expects to be in a map_value
which also contains a ”…””}”(hj~  hžhhŸNh Nubj  )”}”(hŒ``bpf_spin_lock``”h]”hŒbpf_spin_lock”…””}”(hj†  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj~  ubhŒ• - in the above example both global
variables are placed in a single-value arraymap. The verifier considers this
spin_lock to be associated with the ”…””}”(hj~  hžhhŸNh Nubj  )”}”(hŒ``bpf_rb_root``”h]”hŒbpf_rb_root”…””}”(hj˜  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj~  ubhŒç by virtue of both being in
the same map_value and will enforce that the correct lock is held when
verifying BPF programs that manipulate the tree. Since this lock checking
happens at verification time, there is no runtime penalty.”…””}”(hj~  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KIhjH  hžhubeh}”(h]”j^  ah ]”h"]”Œlocking”ah$]”h&]”uh1h¡hh£hžhhŸh¶h K9ubh¢)”}”(hhh]”(h§)”}”(hŒNon-owning references”h]”hŒNon-owning references”…””}”(hjº  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j®  jz  uh1h¦hj·  hžhhŸh¶h KRubh¸)”}”(hŒ**Motivation**”h]”hÞ)”}”(hjÊ  h]”hŒ
Motivation”…””}”(hjÌ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝhjÈ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KThj·  hžhubh¸)”}”(hŒ Consider the following BPF code:”h]”hŒ Consider the following BPF code:”…””}”(hjß  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KVhj·  hžhubjh  )”}”(hŒ•struct node_data *n = bpf_obj_new(typeof(*n)); /* ACQUIRED */

bpf_spin_lock(&lock);

bpf_rbtree_add(&tree, n); /* PASSED */

bpf_spin_unlock(&lock);”h]”hŒ•struct node_data *n = bpf_obj_new(typeof(*n)); /* ACQUIRED */

bpf_spin_lock(&lock);

bpf_rbtree_add(&tree, n); /* PASSED */

bpf_spin_unlock(&lock);”…””}”hjí  sbah}”(h]”h ]”h"]”h$]”h&]”jw  jx  jy  ‰jz  j{  j|  }”uh1jg  hŸh¶h KXhj·  hžhubh¸)”}”(hXÒ  From the verifier's perspective, the pointer ``n`` returned from ``bpf_obj_new``
has type ``PTR_TO_BTF_ID | MEM_ALLOC``, with a ``btf_id`` of
``struct node_data`` and a nonzero ``ref_obj_id``. Because it holds ``n``, the
program has ownership of the pointee's (object pointed to by ``n``) lifetime.
The BPF program must pass off ownership before exiting - either via
``bpf_obj_drop``, which ``free``'s the object, or by adding it to ``tree`` with
``bpf_rbtree_add``.”h]”(hŒ/From the verifierâ€™s perspective, the pointer ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``n``”h]”hŒn”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ returned from ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_new``”h]”hŒbpf_obj_new”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ

has type ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``PTR_TO_BTF_ID | MEM_ALLOC``”h]”hŒPTR_TO_BTF_ID | MEM_ALLOC”…””}”(hj(  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ	, with a ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ
``btf_id``”h]”hŒbtf_id”…””}”(hj:  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ of
”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``struct node_data``”h]”hŒstruct node_data”…””}”(hjL  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ and a nonzero ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``ref_obj_id``”h]”hŒ
ref_obj_id”…””}”(hj^  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ. Because it holds ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``n``”h]”hŒn”…””}”(hjp  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒE, the
program has ownership of the pointeeâ€™s (object pointed to by ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``n``”h]”hŒn”…””}”(hj‚  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒP) lifetime.
The BPF program must pass off ownership before exiting - either via
”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_drop``”h]”hŒbpf_obj_drop”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ, which ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``free``”h]”hŒfree”…””}”(hj¦  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ$â€™s the object, or by adding it to ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``tree``”h]”hŒtree”…””}”(hj¸  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ with
”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``bpf_rbtree_add``”h]”hŒbpf_rbtree_add”…””}”(hjÊ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ.”…””}”(hjü  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kbhj·  hžhubh¸)”}”(hŒ(``ACQUIRED`` and ``PASSED`` comments in the example denote statements where
"ownership is acquired" and "ownership is passed", respectively)”h]”(hŒ(”…””}”(hjâ  hžhhŸNh Nubj  )”}”(hŒ``ACQUIRED``”h]”hŒACQUIRED”…””}”(hjê  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjâ  ubhŒ and ”…””}”(hjâ  hžhhŸNh Nubj  )”}”(hŒ
``PASSED``”h]”hŒPASSED”…””}”(hjü  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjâ  ubhŒy comments in the example denote statements where
â€œownership is acquiredâ€ and â€œownership is passedâ€, respectively)”…””}”(hjâ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kjhj·  hžhubh¸)”}”(hX_  What should the verifier do with ``n`` after ownership is passed off? If the
object was ``free``'d with ``bpf_obj_drop`` the answer is obvious: the verifier
should reject programs which attempt to access ``n`` after ``bpf_obj_drop`` as
the object is no longer valid. The underlying memory may have been reused for
some other allocation, unmapped, etc.”h]”(hŒ!What should the verifier do with ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``n``”h]”hŒn”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ2 after ownership is passed off? If the
object was ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``free``”h]”hŒfree”…””}”(hj.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ
â€™d with ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_drop``”h]”hŒbpf_obj_drop”…””}”(hj@  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒT the answer is obvious: the verifier
should reject programs which attempt to access ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``n``”h]”hŒn”…””}”(hjR  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ after ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_drop``”h]”hŒbpf_obj_drop”…””}”(hjd  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒw as
the object is no longer valid. The underlying memory may have been reused for
some other allocation, unmapped, etc.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kmhj·  hžhubh¸)”}”(hŒúWhen ownership is passed to ``tree`` via ``bpf_rbtree_add`` the answer is less
obvious. The verifier could enforce the same semantics as for ``bpf_obj_drop``,
but that would result in programs with useful, common coding patterns being
rejected, e.g.:”h]”(hŒWhen ownership is passed to ”…””}”(hj|  hžhhŸNh Nubj  )”}”(hŒ``tree``”h]”hŒtree”…””}”(hj„  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj|  ubhŒ via ”…””}”(hj|  hžhhŸNh Nubj  )”}”(hŒ``bpf_rbtree_add``”h]”hŒbpf_rbtree_add”…””}”(hj–  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj|  ubhŒR the answer is less
obvious. The verifier could enforce the same semantics as for ”…””}”(hj|  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_drop``”h]”hŒbpf_obj_drop”…””}”(hj¨  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj|  ubhŒ],
but that would result in programs with useful, common coding patterns being
rejected, e.g.:”…””}”(hj|  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kshj·  hžhubjh  )”}”(hŒ·int x;
struct node_data *n = bpf_obj_new(typeof(*n)); /* ACQUIRED */

bpf_spin_lock(&lock);

bpf_rbtree_add(&tree, n); /* PASSED */
x = n->data;
n->data = 42;

bpf_spin_unlock(&lock);”h]”hŒ·int x;
struct node_data *n = bpf_obj_new(typeof(*n)); /* ACQUIRED */

bpf_spin_lock(&lock);

bpf_rbtree_add(&tree, n); /* PASSED */
x = n->data;
n->data = 42;

bpf_spin_unlock(&lock);”…””}”hjÀ  sbah}”(h]”h ]”h"]”h$]”h&]”jw  jx  jy  ‰jz  j{  j|  }”uh1jg  hŸh¶h Kxhj·  hžhubh¸)”}”(hŒ†Both the read from and write to ``n->data`` would be rejected. The verifier
can do better, though, by taking advantage of two details:”h]”(hŒ Both the read from and write to ”…””}”(hjÏ  hžhhŸNh Nubj  )”}”(hŒ``n->data``”h]”hŒn->data”…””}”(hj×  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÏ  ubhŒ[ would be rejected. The verifier
can do better, though, by taking advantage of two details:”…””}”(hjÏ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K…hj·  hžhubhŒblock_quote”“”)”}”(hX§  * Graph data structure APIs can only be used when the ``bpf_spin_lock``
  associated with the graph root is held

* Both graph data structures have pointer stability

   * Because graph nodes are allocated with ``bpf_obj_new`` and
     adding / removing from the root involves fiddling with the
     ``bpf_{list,rb}_node`` field of the node struct, a graph node will
     remain at the same address after either operation.
”h]”hý)”}”(hhh]”(j  )”}”(hŒmGraph data structure APIs can only be used when the ``bpf_spin_lock``
associated with the graph root is held
”h]”h¸)”}”(hŒlGraph data structure APIs can only be used when the ``bpf_spin_lock``
associated with the graph root is held”h]”(hŒ4Graph data structure APIs can only be used when the ”…””}”(hjü  hžhhŸNh Nubj  )”}”(hŒ``bpf_spin_lock``”h]”hŒbpf_spin_lock”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjü  ubhŒ'
associated with the graph root is held”…””}”(hjü  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kˆhjø  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjõ  ubj  )”}”(hX+  Both graph data structures have pointer stability

 * Because graph nodes are allocated with ``bpf_obj_new`` and
   adding / removing from the root involves fiddling with the
   ``bpf_{list,rb}_node`` field of the node struct, a graph node will
   remain at the same address after either operation.
”h]”(h¸)”}”(hŒ1Both graph data structures have pointer stability”h]”hŒ1Both graph data structures have pointer stability”…””}”(hj&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K‹hj"  ubjð  )”}”(hŒô* Because graph nodes are allocated with ``bpf_obj_new`` and
  adding / removing from the root involves fiddling with the
  ``bpf_{list,rb}_node`` field of the node struct, a graph node will
  remain at the same address after either operation.
”h]”hý)”}”(hhh]”j  )”}”(hŒìBecause graph nodes are allocated with ``bpf_obj_new`` and
adding / removing from the root involves fiddling with the
``bpf_{list,rb}_node`` field of the node struct, a graph node will
remain at the same address after either operation.
”h]”h¸)”}”(hŒëBecause graph nodes are allocated with ``bpf_obj_new`` and
adding / removing from the root involves fiddling with the
``bpf_{list,rb}_node`` field of the node struct, a graph node will
remain at the same address after either operation.”h]”(hŒ'Because graph nodes are allocated with ”…””}”(hj?  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_new``”h]”hŒbpf_obj_new”…””}”(hjG  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj?  ubhŒ@ and
adding / removing from the root involves fiddling with the
”…””}”(hj?  hžhhŸNh Nubj  )”}”(hŒ``bpf_{list,rb}_node``”h]”hŒbpf_{list,rb}_node”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj?  ubhŒ_ field of the node struct, a graph node will
remain at the same address after either operation.”…””}”(hj?  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj;  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj8  ubah}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ*”uh1hühŸh¶h Khj4  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jï  hŸh¶h Khj"  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjõ  ubeh}”(h]”h ]”h"]”h$]”h&]”j}  j~  uh1hühŸh¶h Kˆhjñ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jï  hŸh¶h Kˆhj·  hžhubh¸)”}”(hX”  Because the associated ``bpf_spin_lock`` must be held by any program adding
or removing, if we're in the critical section bounded by that lock, we know
that no other program can add or remove until the end of the critical section.
This combined with pointer stability means that, until the critical section
ends, we can safely access the graph node through ``n`` even after it was used
to pass ownership.”h]”(hŒBecause the associated ”…””}”(hj—  hžhhŸNh Nubj  )”}”(hŒ``bpf_spin_lock``”h]”hŒbpf_spin_lock”…””}”(hjŸ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj—  ubhX?   must be held by any program adding
or removing, if weâ€™re in the critical section bounded by that lock, we know
that no other program can add or remove until the end of the critical section.
This combined with pointer stability means that, until the critical section
ends, we can safely access the graph node through ”…””}”(hj—  hžhhŸNh Nubj  )”}”(hŒ``n``”h]”hŒn”…””}”(hj±  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj—  ubhŒ* even after it was used
to pass ownership.”…””}”(hj—  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K’hj·  hžhubh¸)”}”(hŒäThe verifier considers such a reference a *non-owning reference*. The ref
returned by ``bpf_obj_new`` is accordingly considered an *owning reference*.
Both terms currently only have meaning in the context of graph nodes and API.”h]”(hŒ*The verifier considers such a reference a ”…””}”(hjÉ  hžhhŸNh NubhŒemphasis”“”)”}”(hŒ*non-owning reference*”h]”hŒnon-owning reference”…””}”(hjÓ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÑ  hjÉ  ubhŒ. The ref
returned by ”…””}”(hjÉ  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_new``”h]”hŒbpf_obj_new”…””}”(hjå  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÉ  ubhŒ is accordingly considered an ”…””}”(hjÉ  hžhhŸNh NubjÒ  )”}”(hŒ*owning reference*”h]”hŒowning reference”…””}”(hj÷  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÑ  hjÉ  ubhŒO.
Both terms currently only have meaning in the context of graph nodes and API.”…””}”(hjÉ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K™hj·  hžhubh¸)”}”(hŒ**Details**”h]”hÞ)”}”(hj  h]”hŒDetails”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj·  hžhubh¸)”}”(hŒ;Let's enumerate the properties of both types of references.”h]”hŒ=Letâ€™s enumerate the properties of both types of references.”…””}”(hj&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KŸhj·  hžhubh¸)”}”(hŒ*owning reference*”h]”jÒ  )”}”(hj6  h]”hŒowning reference”…””}”(hj8  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÑ  hj4  ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¡hj·  hžhubjð  )”}”(hXC  * This reference controls the lifetime of the pointee

* Ownership of pointee must be 'released' by passing it to some graph API
  kfunc, or via ``bpf_obj_drop``, which ``free``'s the pointee

  * If not released before program ends, verifier considers program invalid

* Access to the pointee's memory will not page fault
”h]”hý)”}”(hhh]”(j  )”}”(hŒ4This reference controls the lifetime of the pointee
”h]”h¸)”}”(hŒ3This reference controls the lifetime of the pointee”h]”hŒ3This reference controls the lifetime of the pointee”…””}”(hjV  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K£hjR  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjO  ubj  )”}”(hŒÐOwnership of pointee must be 'released' by passing it to some graph API
kfunc, or via ``bpf_obj_drop``, which ``free``'s the pointee

* If not released before program ends, verifier considers program invalid
”h]”(h¸)”}”(hŒ„Ownership of pointee must be 'released' by passing it to some graph API
kfunc, or via ``bpf_obj_drop``, which ``free``'s the pointee”h]”(hŒZOwnership of pointee must be â€˜releasedâ€™ by passing it to some graph API
kfunc, or via ”…””}”(hjn  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_drop``”h]”hŒbpf_obj_drop”…””}”(hjv  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjn  ubhŒ, which ”…””}”(hjn  hžhhŸNh Nubj  )”}”(hŒ``free``”h]”hŒfree”…””}”(hjˆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjn  ubhŒâ€™s the pointee”…””}”(hjn  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¥hjj  ubhý)”}”(hhh]”j  )”}”(hŒHIf not released before program ends, verifier considers program invalid
”h]”h¸)”}”(hŒGIf not released before program ends, verifier considers program invalid”h]”hŒGIf not released before program ends, verifier considers program invalid”…””}”(hj§  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¨hj£  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj   ubah}”(h]”h ]”h"]”h$]”h&]”j}  j~  uh1hühŸh¶h K¨hjj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjO  ubj  )”}”(hŒ3Access to the pointee's memory will not page fault
”h]”h¸)”}”(hŒ2Access to the pointee's memory will not page fault”h]”hŒ4Access to the pointeeâ€™s memory will not page fault”…””}”(hjË  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KªhjÇ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjO  ubeh}”(h]”h ]”h"]”h$]”h&]”j}  j~  uh1hühŸh¶h K£hjK  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jï  hŸh¶h K£hj·  hžhubh¸)”}”(hŒ*non-owning reference*”h]”jÒ  )”}”(hjí  h]”hŒnon-owning reference”…””}”(hjï  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÑ  hjë  ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¬hj·  hžhubjð  )”}”(hXE  * This reference does not own the pointee

   * It cannot be used to add the graph node to a graph root, nor ``free``'d via
     ``bpf_obj_drop``

* No explicit control of lifetime, but can infer valid lifetime based on
  non-owning ref existence (see explanation below)

* Access to the pointee's memory will not page fault
”h]”hý)”}”(hhh]”(j  )”}”(hŒŒThis reference does not own the pointee

 * It cannot be used to add the graph node to a graph root, nor ``free``'d via
   ``bpf_obj_drop``
”h]”(h¸)”}”(hŒ'This reference does not own the pointee”h]”hŒ'This reference does not own the pointee”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K®hj	  ubjð  )”}”(hŒa* It cannot be used to add the graph node to a graph root, nor ``free``'d via
  ``bpf_obj_drop``
”h]”hý)”}”(hhh]”j  )”}”(hŒ]It cannot be used to add the graph node to a graph root, nor ``free``'d via
``bpf_obj_drop``
”h]”h¸)”}”(hŒ\It cannot be used to add the graph node to a graph root, nor ``free``'d via
``bpf_obj_drop``”h]”(hŒ=It cannot be used to add the graph node to a graph root, nor ”…””}”(hj&  hžhhŸNh Nubj  )”}”(hŒ``free``”h]”hŒfree”…””}”(hj.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj&  ubhŒ	â€™d via
”…””}”(hj&  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_drop``”h]”hŒbpf_obj_drop”…””}”(hj@  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj&  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K°hj"  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubah}”(h]”h ]”h"]”h$]”h&]”j}  j~  uh1hühŸh¶h K°hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jï  hŸh¶h K°hj	  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubj  )”}”(hŒxNo explicit control of lifetime, but can infer valid lifetime based on
non-owning ref existence (see explanation below)
”h]”h¸)”}”(hŒwNo explicit control of lifetime, but can infer valid lifetime based on
non-owning ref existence (see explanation below)”h]”hŒwNo explicit control of lifetime, but can infer valid lifetime based on
non-owning ref existence (see explanation below)”…””}”(hjp  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K³hjl  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubj  )”}”(hŒ3Access to the pointee's memory will not page fault
”h]”h¸)”}”(hŒ2Access to the pointee's memory will not page fault”h]”hŒ4Access to the pointeeâ€™s memory will not page fault”…””}”(hjˆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¶hj„  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”j}  j~  uh1hühŸh¶h K®hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jï  hŸh¶h K®hj·  hžhubh¸)”}”(hX™  From verifier's perspective non-owning references can only exist
between spin_lock and spin_unlock. Why? After spin_unlock another program
can do arbitrary operations on the data structure like removing and ``free``-ing
via bpf_obj_drop. A non-owning ref to some chunk of memory that was remove'd,
``free``'d, and reused via bpf_obj_new would point to an entirely different thing.
Or the memory could go away.”h]”(hŒÑFrom verifierâ€™s perspective non-owning references can only exist
between spin_lock and spin_unlock. Why? After spin_unlock another program
can do arbitrary operations on the data structure like removing and ”…””}”(hj¨  hžhhŸNh Nubj  )”}”(hŒ``free``”h]”hŒfree”…””}”(hj°  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¨  ubhŒU-ing
via bpf_obj_drop. A non-owning ref to some chunk of memory that was removeâ€™d,
”…””}”(hj¨  hžhhŸNh Nubj  )”}”(hŒ``free``”h]”hŒfree”…””}”(hjÂ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¨  ubhŒiâ€™d, and reused via bpf_obj_new would point to an entirely different thing.
Or the memory could go away.”…””}”(hj¨  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¸hj·  hžhubh¸)”}”(hX+  To prevent this logic violation all non-owning references are invalidated by the
verifier after a critical section ends. This is necessary to ensure the "will
not page fault" property of non-owning references. So if the verifier hasn't
invalidated a non-owning ref, accessing it will not page fault.”h]”hX1  To prevent this logic violation all non-owning references are invalidated by the
verifier after a critical section ends. This is necessary to ensure the â€œwill
not page faultâ€ property of non-owning references. So if the verifier hasnâ€™t
invalidated a non-owning ref, accessing it will not page fault.”…””}”(hjÚ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¿hj·  hžhubh¸)”}”(hŒìCurrently ``bpf_obj_drop`` is not allowed in the critical section, so
if there's a valid non-owning ref, we must be in a critical section, and can
conclude that the ref's memory hasn't been dropped-and- ``free``'d or
dropped-and-reused.”h]”(hŒ
Currently ”…””}”(hjè  hžhhŸNh Nubj  )”}”(hŒ``bpf_obj_drop``”h]”hŒbpf_obj_drop”…””}”(hjð  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjè  ubhŒ· is not allowed in the critical section, so
if thereâ€™s a valid non-owning ref, we must be in a critical section, and can
conclude that the refâ€™s memory hasnâ€™t been dropped-and- ”…””}”(hjè  hžhhŸNh Nubj  )”}”(hŒ``free``”h]”hŒfree”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjè  ubhŒâ€™d or
dropped-and-reused.”…””}”(hjè  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÄhj·  hžhubh¸)”}”(hX½  Any reference to a node that is in an rbtree _must_ be non-owning, since
the tree has control of the pointee's lifetime. Similarly, any ref to a node
that isn't in rbtree _must_ be owning. This results in a nice property:
graph API add / remove implementations don't need to check if a node
has already been added (or already removed), as the ownership model
allows the verifier to prevent such a state from being valid by simply checking
types.”h]”hXÃ  Any reference to a node that is in an rbtree _must_ be non-owning, since
the tree has control of the pointeeâ€™s lifetime. Similarly, any ref to a node
that isnâ€™t in rbtree _must_ be owning. This results in a nice property:
graph API add / remove implementations donâ€™t need to check if a node
has already been added (or already removed), as the ownership model
allows the verifier to prevent such a state from being valid by simply checking
types.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÉhj·  hžhubh¸)”}”(hŒgHowever, pointer aliasing poses an issue for the above "nice property".
Consider the following example:”h]”hŒkHowever, pointer aliasing poses an issue for the above â€œnice propertyâ€.
Consider the following example:”…””}”(hj(  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÑhj·  hžhubjh  )”}”(hXJ  struct node_data *n, *m, *o, *p;
n = bpf_obj_new(typeof(*n));     /* 1 */

bpf_spin_lock(&lock);

bpf_rbtree_add(&tree, n);        /* 2 */
m = bpf_rbtree_first(&tree);     /* 3 */

o = bpf_rbtree_remove(&tree, n); /* 4 */
p = bpf_rbtree_remove(&tree, m); /* 5 */

bpf_spin_unlock(&lock);

bpf_obj_drop(o);
bpf_obj_drop(p); /* 6 */”h]”hXJ  struct node_data *n, *m, *o, *p;
n = bpf_obj_new(typeof(*n));     /* 1 */

bpf_spin_lock(&lock);

bpf_rbtree_add(&tree, n);        /* 2 */
m = bpf_rbtree_first(&tree);     /* 3 */

o = bpf_rbtree_remove(&tree, n); /* 4 */
p = bpf_rbtree_remove(&tree, m); /* 5 */

bpf_spin_unlock(&lock);

bpf_obj_drop(o);
bpf_obj_drop(p); /* 6 */”…””}”hj6  sbah}”(h]”h ]”h"]”h$]”h&]”jw  jx  jy  ‰jz  j{  j|  }”uh1jg  hŸh¶h KÔhj·  hžhubh¸)”}”(hŒ{Assume the tree is empty before this program runs. If we track verifier state
changes here using numbers in above comments:”h]”hŒ{Assume the tree is empty before this program runs. If we track verifier state
changes here using numbers in above comments:”…””}”(hjE  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kæhj·  hžhubjð  )”}”(hX   1) n is an owning reference

2) n is a non-owning reference, it's been added to the tree

3) n and m are non-owning references, they both point to the same node

4) o is an owning reference, n and m non-owning, all point to same node

5) o and p are owning, n and m non-owning, all point to the same node

6) a double-free has occurred, since o and p point to same node and o was
   ``free``'d in previous statement
”h]”hŒenumerated_list”“”)”}”(hhh]”(j  )”}”(hŒn is an owning reference
”h]”h¸)”}”(hŒn is an owning reference”h]”hŒn is an owning reference”…””}”(hj`  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kéhj\  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjY  ubj  )”}”(hŒ9n is a non-owning reference, it's been added to the tree
”h]”h¸)”}”(hŒ8n is a non-owning reference, it's been added to the tree”h]”hŒ:n is a non-owning reference, itâ€™s been added to the tree”…””}”(hjx  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Këhjt  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjY  ubj  )”}”(hŒDn and m are non-owning references, they both point to the same node
”h]”h¸)”}”(hŒCn and m are non-owning references, they both point to the same node”h]”hŒCn and m are non-owning references, they both point to the same node”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KíhjŒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjY  ubj  )”}”(hŒEo is an owning reference, n and m non-owning, all point to same node
”h]”h¸)”}”(hŒDo is an owning reference, n and m non-owning, all point to same node”h]”hŒDo is an owning reference, n and m non-owning, all point to same node”…””}”(hj¨  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kïhj¤  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjY  ubj  )”}”(hŒCo and p are owning, n and m non-owning, all point to the same node
”h]”h¸)”}”(hŒBo and p are owning, n and m non-owning, all point to the same node”h]”hŒBo and p are owning, n and m non-owning, all point to the same node”…””}”(hjÀ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kñhj¼  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjY  ubj  )”}”(hŒha double-free has occurred, since o and p point to same node and o was
``free``'d in previous statement
”h]”h¸)”}”(hŒga double-free has occurred, since o and p point to same node and o was
``free``'d in previous statement”h]”(hŒGa double-free has occurred, since o and p point to same node and o was
”…””}”(hjØ  hžhhŸNh Nubj  )”}”(hŒ``free``”h]”hŒfree”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjØ  ubhŒâ€™d in previous statement”…””}”(hjØ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KóhjÔ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjY  ubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œarabic”Œprefix”hŒsuffix”Œ)”uh1jW  hjS  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jï  hŸh¶h Kéhj·  hžhubh¸)”}”(hŒõStates 4 and 5 violate our "nice property", as there are non-owning refs to
a node which is not in an rbtree. Statement 5 will try to remove a node which
has already been removed as a result of this violation. State 6 is a dangerous
double-free.”h]”hŒùStates 4 and 5 violate our â€œnice propertyâ€, as there are non-owning refs to
a node which is not in an rbtree. Statement 5 will try to remove a node which
has already been removed as a result of this violation. State 6 is a dangerous
double-free.”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Köhj·  hžhubh¸)”}”(hŒÃAt a minimum we should prevent state 6 from being possible. If we can't also
prevent state 5 then we must abandon our "nice property" and check whether a
node has already been removed at runtime.”h]”hŒÉAt a minimum we should prevent state 6 from being possible. If we canâ€™t also
prevent state 5 then we must abandon our â€œnice propertyâ€ and check whether a
node has already been removed at runtime.”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kûhj·  hžhubh¸)”}”(hŒ×We prevent both by generalizing the "invalidate non-owning references" behavior
of ``bpf_spin_unlock`` and doing similar invalidation after
``bpf_rbtree_remove``. The logic here being that any graph API kfunc which:”h]”(hŒWWe prevent both by generalizing the â€œinvalidate non-owning referencesâ€ behavior
of ”…””}”(hj+	  hžhhŸNh Nubj  )”}”(hŒ``bpf_spin_unlock``”h]”hŒbpf_spin_unlock”…””}”(hj3	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj+	  ubhŒ& and doing similar invalidation after
”…””}”(hj+	  hžhhŸNh Nubj  )”}”(hŒ``bpf_rbtree_remove``”h]”hŒbpf_rbtree_remove”…””}”(hjE	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj+	  ubhŒ6. The logic here being that any graph API kfunc which:”…””}”(hj+	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kÿhj·  hžhubjð  )”}”(hŒ|* takes an arbitrary node argument

* removes it from the data structure

* returns an owning reference to the removed node
”h]”hý)”}”(hhh]”(j  )”}”(hŒ!takes an arbitrary node argument
”h]”h¸)”}”(hŒ takes an arbitrary node argument”h]”hŒ takes an arbitrary node argument”…””}”(hjh	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhjd	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hja	  ubj  )”}”(hŒ#removes it from the data structure
”h]”h¸)”}”(hŒ"removes it from the data structure”h]”hŒ"removes it from the data structure”…””}”(hj€	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhj|	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hja	  ubj  )”}”(hŒ0returns an owning reference to the removed node
”h]”h¸)”}”(hŒ/returns an owning reference to the removed node”h]”hŒ/returns an owning reference to the removed node”…””}”(hj˜	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhj”	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hja	  ubeh}”(h]”h ]”h"]”h$]”h&]”j}  j~  uh1hühŸh¶h Mhj]	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jï  hŸh¶h Mhj·  hžhubh¸)”}”(hŒ´May result in a state where some other non-owning reference points to the same
node. So ``remove``-type kfuncs must be considered a non-owning reference
invalidation point as well.”h]”(hŒXMay result in a state where some other non-owning reference points to the same
node. So ”…””}”(hj¸	  hžhhŸNh Nubj  )”}”(hŒ
``remove``”h]”hŒremove”…””}”(hjÀ	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj¸	  ubhŒR-type kfuncs must be considered a non-owning reference
invalidation point as well.”…””}”(hj¸	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M	hj·  hžhubeh}”(h]”j€  ah ]”h"]”Œnon-owning references”ah$]”h&]”uh1h¡hh£hžhhŸh¶h KRubeh}”(h]”Œbpf-graph-data-structures”ah ]”h"]”Œbpf graph data structures”ah$]”h&]”uh1h¡hhhžhhŸh¶h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h¶uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¦NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j

  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h¶Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(jä	  já	  jš  j•  jë  j  jE  j<  j´  j^  jÜ	  j€  uŒ	nametypes”}”(jä	  ‰jš  ‰jë  ‰jE  ‰j´  ‰jÜ	  ‰uh}”(já	  h£j•  hùj  j  j<  jî  j^  jH  j€  j·  j  j  j6  j-  jX  jO  jz  jq  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”j
  Ks…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.