Trampoline-based tracing programs that call bpf_get_func_ip() rely on func_ip stored on stack. Mixing them with tracing programs that do not share this requirement creates asymmetric expectations in tail calls. Reject the combination of !call_get_func_ip progs with call_get_func_ip progs in __bpf_prog_map_compatible() to address the issue. Fixes: 1e37392cccde ("bpf: Enable BPF_TRAMP_F_IP_ARG for trampolines with call_get_func_ip") Signed-off-by: Leon Hwang --- include/linux/bpf.h | 3 ++- kernel/bpf/core.c | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 2a2f6448a5fb..65793fd146c5 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -288,7 +288,8 @@ struct bpf_map_owner { u32 jited:1, xdp_has_frags:1, sleepable:1, - kprobe_write_ctx:1; + kprobe_write_ctx:1, + call_get_func_ip:1; u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE]; const struct btf_type *attach_func_proto; enum bpf_attach_type expected_attach_type; diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index f99a901b5e48..01fce3fba0be 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -2403,6 +2403,7 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map, map->owner->xdp_has_frags = aux->xdp_has_frags; map->owner->sleepable = fp->sleepable; map->owner->kprobe_write_ctx = aux->kprobe_write_ctx; + map->owner->call_get_func_ip = fp->call_get_func_ip; map->owner->expected_attach_type = fp->expected_attach_type; map->owner->attach_func_proto = aux->attach_func_proto; for_each_cgroup_storage_type(i) { @@ -2418,6 +2419,9 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map, map->owner->sleepable == fp->sleepable; if (ret && (!map->owner->kprobe_write_ctx && aux->kprobe_write_ctx)) ret = false; + if (ret && (!map->owner->call_get_func_ip && fp->call_get_func_ip && + prog_type == BPF_PROG_TYPE_TRACING)) + ret = false; if (ret && map->map_type == BPF_MAP_TYPE_PROG_ARRAY && map->owner->expected_attach_type != fp->expected_attach_type) -- 2.52.0