seccomp, bpf: disable preemption before calling into bpf prog

Alexei Starovoitov · borkmann · commit e80d02dd7630 · 2019-02-22T00:14:19.000+01:00
All BPF programs must be called with preemption disabled. Fixes: 568f196 ("bpf: check that BPF programs run with preemption disabled") Reported-by: syzbot+8bf19ee2aa580de7a2a7@syzkaller.appspotmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
@@ -267,6 +267,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
 	 * All filters in the list are evaluated and the lowest BPF return
 	 * value always takes priority (ignoring the DATA).
 	 */
+	preempt_disable();
 	for (; f; f = f->prev) {
 		u32 cur_ret = BPF_PROG_RUN(f->prog, sd);
 
@@ -275,6 +276,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
 			*match = f;
 		}
 	}
+	preempt_enable();
 	return ret;
 }
 #endif /* CONFIG_SECCOMP_FILTER */

Original file line number	Diff line number	Diff line change
`@@ -267,6 +267,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,`
`267`	`267`	`* All filters in the list are evaluated and the lowest BPF return`
`268`	`268`	`* value always takes priority (ignoring the DATA).`
`269`	`269`	`*/`
	`270`	`+ preempt_disable();`
`270`	`271`	`for (; f; f = f->prev) {`
`271`	`272`	`u32 cur_ret = BPF_PROG_RUN(f->prog, sd);`
`272`	`273`
`@@ -275,6 +276,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,`
`275`	`276`	`*match = f;`
`276`	`277`	`}`
`277`	`278`	`}`
	`279`	`+ preempt_enable();`
`278`	`280`	`return ret;`
`279`	`281`	`}`
`280`	`282`	`#endif /* CONFIG_SECCOMP_FILTER */`