bpf: verifier: permit non-zero returns from async callbacks

The verifier currently enforces a zero return value for all async
callbacks—a constraint originally introduced for bpf_timer. That
restriction is too narrow for other async use cases.

Relax the rule by allowing non-zero return codes from async callbacks in
general, while preserving the zero-return requirement for bpf_timer to
maintain its existing semantics.

Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250923112404.668720-5-mykyta.yatsenko5@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index c1b726fb22c8ee83f025065bd41c4e639daf6294..02b93a54a4464acd9dd2d1da08be2bd4219b1e1d 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -10789,7 +10789,7 @@ static int set_timer_callback_state(struct bpf_verifier_env *env,
        __mark_reg_not_init(env, &callee->regs[BPF_REG_4]);
        __mark_reg_not_init(env, &callee->regs[BPF_REG_5]);
        callee->in_async_callback_fn = true;
-       callee->callback_ret_range = retval_range(0, 1);
+       callee->callback_ret_range = retval_range(0, 0);
        return 0;
 }
 
@@ -17073,9 +17073,8 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
        }
 
        if (frame->in_async_callback_fn) {
-               /* enforce return zero from async callbacks like timer */
                exit_ctx = "At async callback return";
-               range = retval_range(0, 0);
+               range = frame->callback_ret_range;
                goto enforce_retval;
        }