Linux Kernel BPF Program Recursion Vulnerability in Raw Tracepoint Probes

Vulnerability

A vulnerability in the Linux kernel's handling of BPF (Berkeley Packet Filter) programs attached to raw tracepoint probes has been addressed. The issue arose when a BPF program attached to the 'contention_begin' raw tracepoint used the 'bpf_trace_printk' helper, which takes the 'trace_printk_lock' lock. Taking that lock can itself fire 'contention_begin', so the program re-entered itself and the kernel emitted warnings. The vulnerability can be reproduced by attaching a BPF program as a raw tracepoint on 'contention_begin' and having it call the 'bpf_trace_printk' helper. Running 'perf bench' forces the spin lock code to take the slow path, which triggers the 'contention_begin' tracepoint and causes the recursion.

Impact

The vulnerability could lead to a deadlock, in which the BPF program's recursive calls into the same tracepoint form a cycle that blocks further execution, potentially causing performance degradation or system unresponsiveness.

Reproduction

To reproduce this vulnerability, attach a BPF program that uses the 'bpf_trace_printk' helper to the 'contention_begin' raw tracepoint. Then run 'perf bench' to force the spin lock code onto the slow path; this triggers the 'contention_begin' tracepoint, starts the recursive calls, and creates the deadlock situation.

Remediation

The vulnerability has been fixed by changing the BPF program execution logic to refuse recursion. The fix reuses the program's 'active' field, which trampoline programs already use to track whether the program is currently executing, so that a program already running on the CPU is not entered a second time from its own tracepoint.
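The following userspace model, added here and not the kernel's own code, shows how a per-program 'active' counter stops the re-entry described above: the helper is modelled as re-firing 'contention_begin' into the same program, and the guarded runner refuses the nested entry and counts it as a miss, while the pre-fix runner recurses once per nested hit. All struct and function names are hypothetical, and a single CPU stands in for the kernel's per-CPU counter.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model (not kernel code) of the per-program 'active' guard; the
 * kernel keeps it per CPU, one CPU is modelled. All names are hypothetical. */
struct prog_model {
    bool guard;            /* true: apply the fix, false: pre-fix behaviour */
    int active;            /* models prog->active on this CPU */
    int depth;             /* nested contention_begin hits the helper will cause */
    unsigned long runs;    /* times the program body actually executed */
    unsigned long misses;  /* re-entries refused by the guard */
};
static void trace_run(struct prog_model *prog);
/* Models bpf_trace_printk taking trace_printk_lock: on the slow path the lock
 * fires contention_begin, whose program is the one already running. */
static void helper_printk(struct prog_model *prog)
{
    if (prog->depth > 0) {
        prog->depth--;
        trace_run(prog);   /* re-entry from inside the program's own helper */
    }
}
/* Models the raw-tracepoint runner: with the fix, a program already active on
 * this CPU is not entered again; the attempt is counted as a miss instead. */
static void trace_run(struct prog_model *prog)
{
    if (++prog->active != 1 && prog->guard) {
        prog->misses++;
        goto out;
    }
    prog->runs++;
    helper_printk(prog);
out:
    prog->active--;
}
/* One contention_begin hit whose helper would recurse 'nested' times. */
struct prog_model simulate(int nested, bool guard)
{
    struct prog_model prog = { .guard = guard, .depth = nested };
    trace_run(&prog);
    return prog;
}
int main(void)
{
    struct prog_model fixed = simulate(3, true), old = simulate(3, false);
    printf("fixed: runs=%lu misses=%lu\n", fixed.runs, fixed.misses); /* 1 1 */
    printf("pre-fix: runs=%lu misses=%lu\n", old.runs, old.misses);   /* 4 0 */
    return 0;
}
```

In the pre-fix run every nested hit re-executes the program body, which is the recursion the kernel warned about; with the guard the body runs once and the nested attempt is only recorded.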

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.1
exploitability: 3.4
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.