authorYonghong Song <yonghong.song@linux.dev>2026-05-13 07:50:49 +0300
committerAlexei Starovoitov <ast@kernel.org>2026-05-13 19:27:31 +0300
commitdc8f1cf6787c4bb1d8cabfac1e44d2d0ab435caa (patch)
tree8bfec0c7e43032524e82fcba3606ff4b214b3acc
parent2af4e792773f9fc05e5dbd5f297707cfe15cd817 (diff)
downloadlinux-dc8f1cf6787c4bb1d8cabfac1e44d2d0ab435caa.tar.xz
bpf: Reject stack arguments in non-JITed programs
The interpreter does not understand the bpf register r11 (BPF_REG_PARAMS) used for stack arguments. So reject interpreter usage if stack arguments are used either in the main program or any subprogram. Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260513045049.2390444-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-rw-r--r--kernel/bpf/core.c2
-rw-r--r--kernel/bpf/fixups.c6
2 files changed, 7 insertions, 1 deletions
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index ae10b9ca018d..958d86f0beac 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2599,7 +2599,7 @@ struct bpf_prog *__bpf_prog_select_runtime(struct bpf_verifier_env *env, struct
goto finalize;
if (IS_ENABLED(CONFIG_BPF_JIT_ALWAYS_ON) ||
- bpf_prog_has_kfunc_call(fp))
+ bpf_prog_has_kfunc_call(fp) || (env && env->subprog_info[0].stack_arg_cnt))
jit_needed = true;
if (!bpf_prog_select_interpreter(fp))
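Review bot: The new main-program check reads the raw field `env->subprog_info[0].stack_arg_cnt`, while the companion check this commit adds to bpf_fixup_call_args() goes through the `bpf_in_stack_arg_cnt()` helper for subprogs 1..n; if that helper does anything beyond returning the field (the `in` in its name hints at an in/out distinction I cannot see from here), the two sites can disagree on what counts as a stack argument, so I would use the same helper here: `bpf_prog_has_kfunc_call(fp) || (env && bpf_in_stack_arg_cnt(&env->subprog_info[0])))`. The `env &&` guard also means a NULL env silently skips the test instead of forcing the JIT, which is only safe if every caller that passes a NULL env is guaranteed to have no stack arguments; a one-line comment stating that assumption, along the lines of `/* env == NULL only for programs that cannot use BPF_REG_PARAMS */`, would make the dependency explicit (reword to whatever actually holds). __bpf_prog_select_runtime() starts and ends outside the hunk.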
diff --git a/kernel/bpf/fixups.c b/kernel/bpf/fixups.c
index ba86039789fd..19056016eed8 100644
--- a/kernel/bpf/fixups.c
+++ b/kernel/bpf/fixups.c
@@ -1407,6 +1407,12 @@ int bpf_fixup_call_args(struct bpf_verifier_env *env)
verbose(env, "calling kernel functions are not allowed in non-JITed programs\n");
return -EINVAL;
}
+ for (i = 1; i < env->subprog_cnt; i++) {
+ if (bpf_in_stack_arg_cnt(&env->subprog_info[i])) {
+ verbose(env, "stack args are not supported in non-JITed programs\n");
+ return -EINVAL;
+ }
+ }
if (env->subprog_cnt > 1 && env->prog->aux->tail_call_reachable) {
/* When JIT fails the progs with bpf2bpf calls and tail_calls
* have to be rejected, since interpreter doesn't support them yet.
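Review bot: The loop starting at `i = 1` silently relies on another site to cover subprog 0 — this commit checks `subprog_info[0].stack_arg_cnt` in __bpf_prog_select_runtime() instead — and nothing at this site records that split, so a later reader may either duplicate the check or assume the main program was forgotten. I would add a comment above the loop: `/* Subprog 0 is checked in __bpf_prog_select_runtime(); the interpreter has no BPF_REG_PARAMS (r11), so a callee taking stack args cannot run there. */`. The loop also uses `bpf_in_stack_arg_cnt()` while the core.c change reads the raw `stack_arg_cnt` field; whichever accessor is authoritative should be used at both sites so the two rejections cannot drift apart. bpf_fixup_call_args() starts and ends outside the hunk, so `i` is presumably declared earlier in the function.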