bpf: Reject stack arguments in non-JITed programs

The interpreter does not understand the bpf register r11
(BPF_REG_PARAMS) used for stack arguments. So reject interpreter
usage if stack arguments are used either in the main program or
any subprogram.

Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260513045049.2390444-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index ae10b9ca018df5254616864a78a0f8c335c7e77a..958d86f0beac3c8d4f89032a6cf0bd1246b79f36 100644 (file)
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2599,7 +2599,7 @@ struct bpf_prog *__bpf_prog_select_runtime(struct bpf_verifier_env *env, struct
                goto finalize;
 
        if (IS_ENABLED(CONFIG_BPF_JIT_ALWAYS_ON) ||
-           bpf_prog_has_kfunc_call(fp))
+           bpf_prog_has_kfunc_call(fp) || (env && env->subprog_info[0].stack_arg_cnt))
                jit_needed = true;
 
        if (!bpf_prog_select_interpreter(fp))

diff --git a/kernel/bpf/fixups.c b/kernel/bpf/fixups.c
index ba86039789fdf9ab30550a1b6fa0a86db7d0d156..19056016eed8b4b6bddb22aa2ec22a37304dc689 100644 (file)
--- a/kernel/bpf/fixups.c
+++ b/kernel/bpf/fixups.c
@@ -1407,6 +1407,12 @@ int bpf_fixup_call_args(struct bpf_verifier_env *env)
                verbose(env, "calling kernel functions are not allowed in non-JITed programs\n");
                return -EINVAL;
        }
+       for (i = 1; i < env->subprog_cnt; i++) {
+               if (bpf_in_stack_arg_cnt(&env->subprog_info[i])) {
+                       verbose(env, "stack args are not supported in non-JITed programs\n");
+                       return -EINVAL;
+               }
+       }
        if (env->subprog_cnt > 1 && env->prog->aux->tail_call_reachable) {
                /* When JIT fails the progs with bpf2bpf calls and tail_calls
                 * have to be rejected, since interpreter doesn't support them yet.