6.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charalampos Mitrodimas charmitro@posteo.net
[ Upstream commit 7f12c33850482521c961c5c15a50ebe9b9a88d1e ]
The commit ee971630f20f ("bpf: Allow some trace helpers for all prog types") made bpf_get_cgroup_classid_curr helper available to all BPF program types, not just networking programs.
This helper calls __task_get_classid() which internally calls task_cls_state() requiring rcu_read_lock_bh_held(). This works in networking/tc context where RCU BH is held, but triggers an RCU warning when called from other contexts like BPF syscall programs that run under rcu_read_lock_trace():
WARNING: suspicious RCU usage 6.15.0-rc4-syzkaller-g079e5c56a5c4 #0 Not tainted ----------------------------- net/core/netclassid_cgroup.c:24 suspicious rcu_dereference_check() usage!
Fix this by also accepting rcu_read_lock_held() and rcu_read_lock_trace_held() as valid RCU contexts in the task_cls_state() function. This ensures the helper works correctly in all needed RCU contexts where it might be called, regular RCU, RCU BH (for networking), and RCU trace (for BPF syscall programs).
Fixes: ee971630f20f ("bpf: Allow some trace helpers for all prog types") Reported-by: syzbot+b4169a1cfb945d2ed0ec@syzkaller.appspotmail.com Signed-off-by: Charalampos Mitrodimas charmitro@posteo.net Signed-off-by: Daniel Borkmann daniel@iogearbox.net Acked-by: Daniel Borkmann daniel@iogearbox.net Link: https://lore.kernel.org/bpf/20250611-rcu-fix-task_cls_state-v3-1-3d30e1de753... Closes: https://syzkaller.appspot.com/bug?extid=b4169a1cfb945d2ed0ec Signed-off-by: Sasha Levin sashal@kernel.org --- net/core/netclassid_cgroup.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/netclassid_cgroup.c b/net/core/netclassid_cgroup.c index d22f0919821e..dff66d8fb325 100644 --- a/net/core/netclassid_cgroup.c +++ b/net/core/netclassid_cgroup.c @@ -21,7 +21,9 @@ static inline struct cgroup_cls_state *css_cls_state(struct cgroup_subsys_state struct cgroup_cls_state *task_cls_state(struct task_struct *p) { return css_cls_state(task_css_check(p, net_cls_cgrp_id, - rcu_read_lock_bh_held())); + rcu_read_lock_held() || + rcu_read_lock_bh_held() || + rcu_read_lock_trace_held())); } EXPORT_SYMBOL_GPL(task_cls_state);