tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

bpf: Enforce RCU protection for KF_RCU_PROTECTED

Currently, KF_RCU_PROTECTED only applies to iterator APIs and that too
in a convoluted fashion: the presence of this flag on the kfunc is used
to set MEM_RCU in iterator type, and the lack of RCU protection results
in an error only later, once next() or destroy() methods are invoked on
the iterator. While there is no bug, this is certainly a bit
unintuitive, and makes the enforcement of the flag iterator specific.

In the interest of making this flag useful for other upcoming kfuncs,
e.g. scx_bpf_cpu_curr() [0][1], add enforcement for invoking the kfunc
in an RCU critical section in general.

This would also mean that iterator APIs using KF_RCU_PROTECTED will
error out earlier, instead of throwing an error for lack of RCU CS
protection when next() or destroy() methods are invoked.

In addition to this, if the kfuncs tagged KF_RCU_PROTECTED return a
pointer value, ensure that this pointer value is only usable in an RCU
critical section. There might be edge cases where the return value is
special and doesn't need to imply MEM_RCU semantics, but in general, the
assumption should hold for the majority of kfuncs, and we can revisit
things if necessary later.

[0]: https://lore.kernel.org/all/20250903212311.369697-3-christian.loehle@arm.com
[1]: https://lore.kernel.org/all/20250909195709.92669-1-arighi@nvidia.com

Tested-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250917032755.4068726-2-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Kumar Kartikeya Dwivedi and committed by
Alexei Starovoitov 1512231b 6ff4a0fa

+31 -4
+18 -1
Documentation/bpf/kfuncs.rst
··· 335 335 pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should very likely 336 336 also be KF_RET_NULL. 337 337 338 + 2.4.8 KF_RCU_PROTECTED flag 339 + --------------------------- 340 + 341 + The KF_RCU_PROTECTED flag is used to indicate that the kfunc must be invoked in 342 + an RCU critical section. This is assumed by default in non-sleepable programs, 343 + and must be explicitly ensured by calling ``bpf_rcu_read_lock`` for sleepable 344 + ones. 345 + 346 + If the kfunc returns a pointer value, this flag also enforces that the returned 347 + pointer is RCU protected, and can only be used while the RCU critical section is 348 + active. 349 + 350 + The flag is distinct from the ``KF_RCU`` flag, which only ensures that its 351 + arguments are at least RCU protected pointers. This may transitively imply that 352 + RCU protection is ensured, but it does not work in cases of kfuncs which require 353 + RCU protection but do not take RCU protected arguments. 354 + 338 355 .. _KF_deprecated_flag: 339 356 340 - 2.4.8 KF_DEPRECATED flag 357 + 2.4.9 KF_DEPRECATED flag 341 358 ------------------------ 342 359 343 360 The KF_DEPRECATED flag is used for kfuncs which are scheduled to be
+10
kernel/bpf/verifier.c
··· 13931 13931 return -EACCES; 13932 13932 } 13933 13933 13934 + if (is_kfunc_rcu_protected(&meta) && !in_rcu_cs(env)) { 13935 + verbose(env, "kernel func %s requires RCU critical section protection\n", func_name); 13936 + return -EACCES; 13937 + } 13938 + 13934 13939 /* In case of release function, we get register number of refcounted 13935 13940 * PTR_TO_BTF_ID in bpf_kfunc_arg_meta, do the release now. 13936 13941 */ ··· 14049 14044 /* Ensures we don't access the memory after a release_reference() */ 14050 14045 if (meta.ref_obj_id) 14051 14046 regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id; 14047 + 14048 + if (is_kfunc_rcu_protected(&meta)) 14049 + regs[BPF_REG_0].type |= MEM_RCU; 14052 14050 } else { 14053 14051 mark_reg_known_zero(env, regs, BPF_REG_0); 14054 14052 regs[BPF_REG_0].btf = desc_btf; ··· 14060 14052 14061 14053 if (meta.func_id == special_kfunc_list[KF_bpf_get_kmem_cache]) 14062 14054 regs[BPF_REG_0].type |= PTR_UNTRUSTED; 14055 + else if (is_kfunc_rcu_protected(&meta)) 14056 + regs[BPF_REG_0].type |= MEM_RCU; 14063 14057 14064 14058 if (is_iter_next_kfunc(&meta)) { 14065 14059 struct bpf_reg_state *cur_iter;
+1 -1
tools/testing/selftests/bpf/progs/cgroup_read_xattr.c
··· 73 73 } 74 74 75 75 SEC("lsm.s/socket_connect") 76 - __failure __msg("expected an RCU CS") 76 + __failure __msg("kernel func bpf_iter_css_new requires RCU critical section protection") 77 77 int BPF_PROG(use_css_iter_sleepable_missing_rcu_lock) 78 78 { 79 79 u64 cgrp_id = bpf_get_current_cgroup_id();
+2 -2
tools/testing/selftests/bpf/progs/iters_task_failure.c
··· 15 15 void bpf_rcu_read_unlock(void) __ksym; 16 16 17 17 SEC("?fentry.s/" SYS_PREFIX "sys_getpgid") 18 - __failure __msg("expected an RCU CS when using bpf_iter_task_next") 18 + __failure __msg("kernel func bpf_iter_task_new requires RCU critical section protection") 19 19 int BPF_PROG(iter_tasks_without_lock) 20 20 { 21 21 struct task_struct *pos; ··· 27 27 } 28 28 29 29 SEC("?fentry.s/" SYS_PREFIX "sys_getpgid") 30 - __failure __msg("expected an RCU CS when using bpf_iter_css_next") 30 + __failure __msg("kernel func bpf_iter_css_new requires RCU critical section protection") 31 31 int BPF_PROG(iter_css_without_lock) 32 32 { 33 33 u64 cg_id = bpf_get_current_cgroup_id();