From: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>
To: "Sechang Lim" <rhkrqnwk98@gmail.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>
Cc: "Paul Moore" <paul@paul-moore.com>,
"John Fastabend" <john.fastabend@gmail.com>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"Jiri Olsa" <jolsa@kernel.org>, <bpf@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH bpf] bpf: move security_bpf_prog_free() out of RCU callback
Date: Tue, 30 Jun 2026 16:17:26 -0700
Message-ID: <DJMRMXI4W803.1JAJC33ATPG1M@gmail.com>
In-Reply-To: <20260626093711.2969648-1-rhkrqnwk98@gmail.com>

On Fri Jun 26, 2026 at 2:37 AM PDT, Sechang Lim wrote:
> __bpf_prog_put_rcu() is the call_rcu() callback for non-sleepable programs.
> security_bpf_prog_free() called from there fires bpf_prog_free in softirq;
> if a sleepable LSM prog is attached to that hook, might_fault() BUGs:
>
> BUG: sleeping function called from invalid context
> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5038
> preempt_count: 101, expected: 0
> Call Trace:
> <IRQ>
> __bpf_prog_enter_sleepable+0x1cd/0x320 kernel/bpf/trampoline.c:1255
> bpf_trampoline_6442549705+0x53/0xd7
> security_bpf_prog_free+0xde/0x130 security/security.c:5465
> __bpf_prog_put_rcu+0xab/0xd0 kernel/bpf/syscall.c:2365
> rcu_do_batch kernel/rcu/tree.c:2617 [inline]
> handle_softirqs+0x236/0x800 kernel/softirq.c:622
> </IRQ>
>
> The call_rcu/call_rcu_tasks_trace split reflects the freed program's
> sleepability, not that of any attached observer.
>
> Move security_bpf_prog_free() to __bpf_prog_put_noref() before the RCU
> deferral.
>
> Fixes: 1b67772e4e3f ("bpf,lsm: Refactor bpf_prog_alloc/bpf_prog_free LSM hooks")
> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
> ---
> kernel/bpf/syscall.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 630d530782fe..f14c3f0f8827 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -2362,7 +2362,6 @@ static void __bpf_prog_put_rcu(struct rcu_head *rcu)
> kvfree(aux->func_info);
> kfree(aux->func_info_aux);
> free_uid(aux->user);
> - security_bpf_prog_free(aux->prog);
> bpf_prog_free(aux->prog);
> }
>
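
Review bot: with the hook removed from __bpf_prog_put_rcu(), nothing at this site records why it must not come back. A short comment above bpf_prog_free(aux->prog) would document the constraint shown in the quoted trace: this callback runs from rcu_do_batch in softirq context, so it must not call an LSM hook that a sleepable BPF LSM program can be attached to.
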
> @@ -2378,6 +2377,7 @@ static void __bpf_prog_put_noref(struct bpf_prog *prog, bool deferred)
> if (prog->aux->attach_btf)
> btf_put(prog->aux->attach_btf);
>
> + security_bpf_prog_free(prog);
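
Review bot: security_bpf_prog_free(prog) added here runs before the RCU deferral, whereas the removed call ran from the RCU callback after the grace period, and the changelog does not explain why releasing LSM state earlier is safe for readers that may still reference the program. The changelog also does not state whether __bpf_prog_put_noref() is only reached from process context; if it can be entered from atomic context, a sleepable program attached to this hook would hit the same might_fault() splat. Either justify both points in the commit message, or keep the hook after the grace period and handle the sleepable-attachment case separately.
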

I don't think you can just move it like that, since LSM side
may rely on RCU GP.

I think removing security_bpf_prog_free from sleepable is cleaner.

pw-bot: cr