Re: [PATCH bpf-next] bpf: reject sleepable BPF_LSM_CGROUP programs at load time

From: David Windsor

Date: Mon Jun 08 2026 - 13:02:48 EST


On Sun, Jun 7, 2026 at 4:27 AM Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> wrote:
>
> On Fri Jun 5, 2026 at 11:40 PM CEST, Song Liu wrote:
> > On Fri, Jun 5, 2026 at 7:57 AM David Windsor <dwindsor@xxxxxxxxx> wrote:
> >>
> >> The cgroup shim runs under rcu_read_lock_dont_migrate(), so we should
> >> not attach any sleepable BPF programs there. Add support to the verifier
> >> to explicitly reject attempts to load sleepable BPF programs destined
> >> for LSM cgroup attachment.
> >>
> >> Without this, we get the following splat from a BPF_LSM_CGROUP
> >> program marked BPF_F_SLEEPABLE attached to file_open when it calls
> >> bpf_get_dentry_xattr():
> >>
> >> BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1567
> >> in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 34317, name: load
> >> preempt_count: 0, expected: 0
> >> RCU nest depth: 2, expected: 0
> >> Call Trace:
> >> down_read+0x76/0x480
> >> ext4_xattr_get+0x11f/0x700
> >> __vfs_getxattr+0xf0/0x150
> >> bpf_get_dentry_xattr+0xbb/0xf0
> >> bpf_prog_e76a298dac9218c6_test_open+0x6a/0x85
> >> __cgroup_bpf_run_lsm_current+0x326/0x840
> >> bpf_trampoline_6442534646+0x62/0x14d
> >> security_file_open+0x34/0x60
> >> do_dentry_open+0x340/0x1260
> >> vfs_open+0x7a/0x440
> >> path_openat+0x1bac/0x30a0
> >>
> >> libbpf provides a .s named section variant for every sleepable
> >> program type except lsm_cgroup, reflecting that per-cgroup LSM programs
> >> are intended to only run in a non-sleepable context.
> >>
> >> The above splat was obtained by bypassing libbpf by using bpf(2)
> >> directly.
> >>
> >> Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
> >> Signed-off-by: David Windsor <dwindsor@xxxxxxxxx>
> >
> > We should add a "__failure __msg(...)" selftest for the reject case.
> >
>
> David,
> Please follow up with a selftest for the fix.

Thanks, will do.

If this gets selected for backporting, it'll fail on 6.1 and another
version; I can send the fixups if needed.