Re: [PATCH net] net/sched: act_bpf: use rcu_dereference_bh() to read the filter
From: Amery Hung
Date: Mon Jun 29 2026 - 12:45:15 EST
On Mon, Jun 29, 2026 at 8:54 AM Sechang Lim <rhkrqnwk98@xxxxxxxxx> wrote:
>
> tcf_bpf_act() can run from the tc egress path, which holds only
> rcu_read_lock_bh(), but reads prog->filter with rcu_dereference() and
> trips lockdep:
>
> WARNING: suspicious RCU usage
> net/sched/act_bpf.c:47 suspicious rcu_dereference_check() usage!
> 1 lock held by syz.2.1588/12756:
> #0: (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit net/core/dev.c:4792
> tcf_bpf_act+0x6ae/0x940 net/sched/act_bpf.c:47
> tcf_classify+0x6e4/0x1080 net/sched/cls_api.c:1860
> sch_handle_egress net/core/dev.c:4545 [inline]
> __dev_queue_xmit+0x2185/0x2c00 net/core/dev.c:4808
> packet_sendmsg+0x3dfa/0x5120 net/packet/af_packet.c:3114
>
> The other tc actions and cls_bpf already use rcu_dereference_bh() here.
> Do the same.
>
> Fixes: 1f211a1b929c ("net, sched: add clsact qdisc")
> Signed-off-by: Sechang Lim <rhkrqnwk98@xxxxxxxxx>
Reviewed-by: Amery Hung <ameryhung@xxxxxxxxx>
> ---
> net/sched/act_bpf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
> index 58a074651176..09d46e195e33 100644
> --- a/net/sched/act_bpf.c
> +++ b/net/sched/act_bpf.c
> @@ -44,7 +44,7 @@ TC_INDIRECT_SCOPE int tcf_bpf_act(struct sk_buff *skb,
> tcf_lastuse_update(&prog->tcf_tm);
> bstats_update(this_cpu_ptr(prog->common.cpu_bstats), skb);
>
> - filter = rcu_dereference(prog->filter);
> + filter = rcu_dereference_bh(prog->filter);
> if (at_ingress) {
> __skb_push(skb, skb->mac_len);
> filter_res = bpf_prog_run_data_pointers(filter, skb);
> --
> 2.43.0
>
>