From: Breno Leitao
Date: Tue, 07 Apr 2026 03:48:11 -0700
Subject: [PATCH] bpf: Fix suspicious RCU usage in LPM trie for sleepable programs
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260407-bpf_rcu-v1-1-fbc9398d05c5@debian.org>
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Toke Høiland-Jørgensen
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@meta.com, stable@vger.kernel.org, Breno Leitao

trie_lookup_elem() uses rcu_dereference_check() with
rcu_read_lock_bh_held() as the lockdep condition. This is insufficient
when the lookup is called from a sleepable BPF program, which holds
rcu_read_lock_trace() (via __bpf_prog_enter_sleepable) instead of
rcu_read_lock_bh().

With CONFIG_PROVE_LOCKING enabled, this triggers the following warning:

  WARNING: suspicious RCU usage
  kernel/bpf/lpm_trie.c:249 suspicious rcu_dereference_check() usage!

  rcu_scheduler_active = 2, debug_locks = 1
  1 lock held by .../...:
   #0: ffffffff86ca5bd8 (rcu_tasks_trace_srcu_struct){....}-{0:0}, at: __bpf_prog_enter_sleepable+0x26/0x280

  Call Trace:
   dump_stack_lvl+0x69/0xa0
   lockdep_rcu_suspicious+0x13f/0x1d0
   trie_lookup_elem+0x99e/0x9d0
   bpf_prog_3980d36ecbef0e34_net_check_ip_pod+0x42a/0x510
   bpf_prog_57df4ce643736a70_enforce_security_socket_connect+0x3e9/0x69e
   bpf_trampoline_6442540179+0x60/0xf9
   security_socket_connect+0x25/0x80
   __sys_connect+0x15c/0x280
   __x64_sys_connect+0x76/0x80
   do_syscall_64+0xe6/0x930

Use bpf_rcu_lock_held() instead, which checks all three RCU flavors
(regular, bh, and trace) and is the canonical helper for BPF map
operations.

Fixes: 694cea395fded ("bpf: Allow RCU-protected lookups to happen from bh context")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao
---
I've hacked a reproducer for this issue, and it could be found at
https://github.com/leitao/linux/commit/59c83f313face36107ef1e8392e27b1cf4887b70
---
 kernel/bpf/lpm_trie.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c index 0f57608b385d4..ac36063cb7e62 100644 --- a/kernel/bpf/lpm_trie.c +++ b/kernel/bpf/lpm_trie.c 
@@ -246,7 +246,7 @@ static void *trie_lookup_elem(struct bpf_map *map, void= *_key) =20 /* Start walking the trie from the root node ... */ =20 - for (node =3D rcu_dereference_check(trie->root, rcu_read_lock_bh_held()); + for (node =3D rcu_dereference_check(trie->root, bpf_rcu_lock_held()); node;) { unsigned int next_bit; size_t matchlen; @@ -280,7 +280,7 @@ static void *trie_lookup_elem(struct bpf_map *map, void= *_key) */ next_bit =3D extract_bit(key->data, node->prefixlen); node =3D rcu_dereference_check(node->child[next_bit], - rcu_read_lock_bh_held()); + bpf_rcu_lock_held()); } =20 if (!found) --- base-commit: 59c83f313face36107ef1e8392e27b1cf4887b70 change-id: 20260407-bpf_rcu-f6c40fc4f3c6 Best regards, -- =20 Breno Leitao
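Review bot: in the first hunk (the trie->root dereference at the top of the walk in trie_lookup_elem()), the new condition bpf_rcu_lock_held() becomes a build dependency for every tree this is backported to, and the message carries both Cc: stable and Fixes: 694cea395fded without saying which stable trees already have that helper. Please name the oldest tree where the patch applies as-is, or list the prerequisite commit, so the backport does not fail to compile. The reproducer linked below the first --- would also be worth submitting as a selftest so the lockdep splat stays covered.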
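Review bot: in the second hunk (the node->child[next_bit] dereference), accepting rcu_read_lock_trace() holders through bpf_rcu_lock_held() is only correct if trie nodes stay valid for those readers, and the commit message justifies the change by the lockdep warning alone. Please add a sentence stating how node freeing in lpm_trie.c waits for sleepable readers, so it is clear that this silences a false positive and does not hide a lifetime problem. The update and delete paths are not part of this diff, so that cannot be checked from the patch itself.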