Re: [PATCH bpf v2 1/3] bpf, tcx: reject offloaded programs on attach

[Alexei Starovoitov]

On Fri Apr 24, 2026 at 3:41 AM PDT, Jiayuan Chen wrote:
> An offloaded prog's bpf_func is replaced by bpf_prog_warn_on_exec(),
> since it's supposed to run on the NIC, not the host. But tcx doesn't
> check this and happily attaches it to the software path, so the first
> packet hits the WARN.
>
> XDP already guards this in dev_xdp_attach(); tcx just never got the
> same check. Add it to tcx_prog_attach(), tcx_link_attach() and also
> tcx_link_update() so the fix cannot be bypassed by loading a normal
> program and then swapping it out via BPF_LINK_UPDATE.
>
> Use bpf_prog_is_offloaded() rather than bpf_prog_is_dev_bound() +
> bpf_offload_dev_match() (as XDP does): bpf_prog_dev_bound_init()
> already rejects BPF_F_XDP_DEV_BOUND_ONLY for BPF_PROG_TYPE_SCHED_CLS,
> so a dev-bound SCHED_CLS program is always offloaded. The simpler
> check is sufficient and also rejects attaching a program offloaded to
> device A onto device B.
>
> Fixes: e420bed025071 ("bpf: Add fd-based tcx multi-prog infra with link support")
> Reported-by: Yinhao Hu <dddddd@xxxxxxxxxxx>
> Reported-by: Kaiyan Mei <M202472210@xxxxxxxxxxx>
> Reported-by: Dongliang Mu <dzm91@xxxxxxxxxxx>
> Closes: https://lore.kernel.org/bpf/64d8e2b5-a214-4f3c-b9e8-bcedbcb2c602@xxxxxxxxxxx/
> Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
> ---
>  kernel/bpf/tcx.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/kernel/bpf/tcx.c b/kernel/bpf/tcx.c
> index 02db0113b8e7c..1144627483d53 100644
> --- a/kernel/bpf/tcx.c
> +++ b/kernel/bpf/tcx.c
> @@ -16,6 +16,9 @@ int tcx_prog_attach(const union bpf_attr *attr, struct bpf_prog *prog)
>  	struct net_device *dev;
>  	int ret;
>  
> +	if (bpf_prog_is_offloaded(prog->aux))
> +		return -EINVAL;
> +

instead of sprinkling the check everywhere do it at the source of the bug.

pw-bot: cr