Re: [PATCH bpf-next] bpf: reject sleepable BPF_LSM_CGROUP programs at load time

From: Song Liu

Date: Fri Jun 05 2026 - 17:41:05 EST


On Fri, Jun 5, 2026 at 7:57 AM David Windsor <dwindsor@xxxxxxxxx> wrote:
>
> The cgroup shim runs under rcu_read_lock_dont_migrate(), so we should
> not attach any sleepable BPF programs there. Add support to the verifier
> to explicitly reject attempts to load sleepable BPF programs destined
> for LSM cgroup attachment.
>
> Without this, we get the following splat from a BPF_LSM_CGROUP
> program marked BPF_F_SLEEPABLE attached to file_open when it calls
> bpf_get_dentry_xattr():
>
> BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1567
> in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 34317, name: load
> preempt_count: 0, expected: 0
> RCU nest depth: 2, expected: 0
> Call Trace:
> down_read+0x76/0x480
> ext4_xattr_get+0x11f/0x700
> __vfs_getxattr+0xf0/0x150
> bpf_get_dentry_xattr+0xbb/0xf0
> bpf_prog_e76a298dac9218c6_test_open+0x6a/0x85
> __cgroup_bpf_run_lsm_current+0x326/0x840
> bpf_trampoline_6442534646+0x62/0x14d
> security_file_open+0x34/0x60
> do_dentry_open+0x340/0x1260
> vfs_open+0x7a/0x440
> path_openat+0x1bac/0x30a0
>
> libbpf provides a .s named section variant for every sleepable
> program type except lsm_cgroup, reflecting that per-cgroup LSM programs
> are intended to only run in a non-sleepable context.
>
> The above splat was obtained by bypassing libbpf by using bpf(2)
> directly.
>
> Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
> Signed-off-by: David Windsor <dwindsor@xxxxxxxxx>

We should add a "__failure __msg(...)" selftest for the reject case.

Other than this:

Acked-by: Song Liu <song@xxxxxxxxxx>