Patch "bpf: Tighten tail call checks for lingering locks, RCU, preempt_disable" has been added to the 6.12-stable tree

This is a note to let you know that I've just added the patch titled

    bpf: Tighten tail call checks for lingering locks, RCU, preempt_disable

to the 6.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-tighten-tail-call-checks-for-lingering-locks-rcu.patch
and it can be found in the queue-6.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8b0008e117552310cf0bf36910302895242f1cc9
Author: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
Date:   Sun Nov 3 14:59:38 2024 -0800

    bpf: Tighten tail call checks for lingering locks, RCU, preempt_disable
    
    [ Upstream commit 46f7ed32f7a873d6675ea72e1d6317df41a55f81 ]
    
    There are three situations when a program logically exits and transfers
    control to the kernel or another program: bpf_throw, BPF_EXIT, and tail
    calls. The former two check for any lingering locks and references, but
    tail calls currently do not. Expand the checks to check for spin locks,
    RCU read sections and preempt disabled sections.
    
    Spin locks are indirectly preventing tail calls as function calls are
    disallowed, but the checks for preemption and RCU are more relaxed,
    hence ensure tail calls are prevented in their presence.
    
    Fixes: 9bb00b2895cb ("bpf: Add kfunc bpf_rcu_read_lock/unlock()")
    Fixes: fc7566ad0a82 ("bpf: Introduce bpf_preempt_[disable,enable] kfuncs")
    Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20241103225940.1408302-2-memxor@xxxxxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index bb99bada7e2ed..011b4a86e2b3b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -10583,11 +10583,26 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
 
 	switch (func_id) {
 	case BPF_FUNC_tail_call:
+		if (env->cur_state->active_lock.ptr) {
+			verbose(env, "tail_call cannot be used inside bpf_spin_lock-ed region\n");
+			return -EINVAL;
+		}
+
 		err = check_reference_leak(env, false);
 		if (err) {
 			verbose(env, "tail_call would lead to reference leak\n");
 			return err;
 		}
+
+		if (env->cur_state->active_rcu_lock) {
+			verbose(env, "tail_call cannot be used inside bpf_rcu_read_lock-ed region\n");
+			return -EINVAL;
+		}
+
+		if (env->cur_state->active_preempt_lock) {
+			verbose(env, "tail_call cannot be used inside bpf_preempt_disable-ed region\n");
+			return -EINVAL;
+		}
 		break;
 	case BPF_FUNC_get_local_storage:
 		/* check that flags argument in get_local_storage(map, flags) is 0,
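Review bot: the three new checks in the BPF_FUNC_tail_call case are split around the existing check_reference_leak() call (the active_lock.ptr check sits before it, the active_rcu_lock and active_preempt_lock checks after it); grouping all three together, or adding a short comment explaining why the spin-lock check must run before the reference-leak check, would make the ordering read as intentional rather than accidental. The commit message notes that spin-locked regions already reject tail calls indirectly because function calls are disallowed there, so a one-line comment above `if (env->cur_state->active_lock.ptr)` marking it as a direct, explicit rejection would help future readers. The new verbose() messages follow the existing "tail_call would lead to reference leak" wording and the -EINVAL return matches the other rejections in this switch.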
