bpf: Set -ENOMEM to err in bpf_int_jit_compile().

syzkaller reported a splat below. [0]

It always followed another splat by fault injection in
bpf_int_jit_compile(). [1]

Instead of proceeding with __bpf_prog_ret0_warn() and seeing
a splat later, let's return -ENOMEM to userspace.

[0]:
WARNING: CPU: 1 PID: 36 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x10 kernel/bpf/core.c:2357
Modules linked in:
CPU: 1 UID: 0 PID: 36 Comm: kworker/1:1 Not tainted 6.14.0-13344-ga9843689e2de #28 PREEMPT(voluntary)  167b7ecb8f281ed56016416cdf1d8bb342db88fc
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: mld mld_ifc_work
RIP: 0010:__bpf_prog_ret0_warn+0xa/0x10 kernel/bpf/core.c:2357
Code: ff eb 84 e8 b8 cf ee ff e9 7a ff ff ff e8 ae cf ee ff e9 70 ff ff ff 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa e8 97 cf ee ff 90 <0f> 0b 90 31 c0 c3 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54
RSP: 0000:ffa0000000267050 EFLAGS: 00010293
RAX: ffffffff81881569 RBX: ffa0000000393030 RCX: ff11000100dc4500
RDX: 0000000000000000 RSI: ffa0000000393048 RDI: ff1100010b812a00
RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff0e5ef77 R12: 0000000000000000
R13: dffffc0000000000 R14: ff1100010b812a00 R15: ffa0000000393048
FS:  0000000000000000(0000) GS:ff11000192213000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff451d686ec CR3: 00000001037eb004 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
 <TASK>
 bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 bpf_prog_run_pin_on_cpu include/linux/filter.h:742 [inline]
 bpf_prog_run_clear_cb+0x7f/0x140 include/linux/filter.h:983
 run_filter+0x156/0x260 net/packet/af_packet.c:2135
 packet_rcv+0x491/0x15b0 net/packet/af_packet.c:2208
 dev_queue_xmit_nit+0xc27/0xcb0 net/core/dev.c:2592
 xmit_one net/core/dev.c:3831 [inline]
 dev_hard_start_xmit+0x1d5/0x720 net/core/dev.c:3851
 sch_direct_xmit+0x242/0x4a0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:4127 [inline]
 __dev_queue_xmit+0x186d/0x37a0 net/core/dev.c:4654
 dev_queue_xmit include/linux/netdevice.h:3355 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip6_finish_output2+0x11f3/0x16e0 net/ipv6/ip6_output.c:141
 dst_output include/net/dst.h:459 [inline]
 NF_HOOK+0x160/0x470 include/linux/netfilter.h:314
 mld_sendpack+0x7f7/0xd70 net/ipv6/mcast.c:1868
 mld_send_cr net/ipv6/mcast.c:2169 [inline]
 mld_ifc_work+0x835/0xde0 net/ipv6/mcast.c:2702
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xa77/0x16a0 kernel/workqueue.c:3319
 worker_thread+0x8b6/0xd50 kernel/workqueue.c:3400
 kthread+0x413/0x870 kernel/kthread.c:464
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:245
 </TASK>

[1]:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 1 UID: 0 PID: 4562 Comm: syz.4.1225 Not tainted 6.14.0-13344-ga9843689e2de #28 PREEMPT(voluntary)  167b7ecb8f281ed56016416cdf1d8bb342db88fc
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xfa/0x120
 should_fail_ex+0x501/0x610
 should_failslab+0xba/0x120
 __kmalloc_cache_noprof+0x5d/0x310
 bpf_int_jit_compile+0x1292/0x18b0
 bpf_prog_select_runtime+0x439/0x780

Fixes: fa9dd59 ("bpf: get rid of pure_initcall dependency to enable jits")
Reported-by: syzkaller <[email protected]>
Signed-off-by: Kuniyuki Iwashima <[email protected]>

Author: q2ven

arch/arc/net/bpf_jit_core.c

@@ -1335,21 +1335,25 @@ static int jit_patch_relocations(struct jit_context *ctx)
  * to get the necessary data for the real compilation phase,
  * jit_compile().
  */
-static struct bpf_prog *do_normal_pass(struct bpf_prog *prog)
+static struct bpf_prog *do_normal_pass(struct bpf_prog *prog, int *err)
 {
 	struct jit_context ctx;
 
 	/* Bail out if JIT is disabled. */
 	if (!prog->jit_requested)
 		return prog;
 
-	if (jit_ctx_init(&ctx, prog)) {
+	*err = jit_ctx_init(&ctx, prog);
+	if (*err) {
 		jit_ctx_cleanup(&ctx);
 		return prog;
 	}
 
 	/* Get the lengths and allocate buffer. */
-	if (jit_prepare(&ctx)) {
+	*err = jit_prepare(&ctx);
+	if (*err) {
+		if (*err != -ENOMEM)
+			*err = 0;
 		jit_ctx_cleanup(&ctx);
 		return prog;
 	}
@@ -1374,15 +1378,16 @@ static struct bpf_prog *do_normal_pass(struct bpf_prog *prog)
  * again to get the newly translated addresses in order to resolve
  * the "call"s.
  */
-static struct bpf_prog *do_extra_pass(struct bpf_prog *prog)
+static struct bpf_prog *do_extra_pass(struct bpf_prog *prog, int *err)
 {
 	struct jit_context ctx;
 
 	/* Skip if there's no context to resume from. */
 	if (check_jit_context(prog))
 		return prog;
 
-	if (jit_ctx_init(&ctx, prog)) {
+	*err = jit_ctx_init(&ctx, prog);
+	if (*err) {
 		jit_ctx_cleanup(&ctx);
 		return prog;
 	}
@@ -1417,9 +1422,9 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 
 	/* Was this program already translated? */
 	if (!prog->jited)
-		return do_normal_pass(prog);
+		return do_normal_pass(prog, err);
 	else
-		return do_extra_pass(prog);
+		return do_extra_pass(prog, err);
 
 	return prog;
 }

arch/arm/net/bpf_jit_32.c

@@ -2164,8 +2164,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	 */
 	tmp = bpf_jit_blind_constants(prog);
 
-	if (IS_ERR(tmp))
+	if (IS_ERR(tmp)) {
+		if (PTR_ERR(tmp) == -ENOMEM)
+			*err = -ENOMEM;
 		return orig_prog;
+	}
 	if (tmp != prog) {
 		tmp_blinded = true;
 		prog = tmp;
@@ -2180,6 +2183,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	 */
 	ctx.offsets = kcalloc(prog->len, sizeof(int), GFP_KERNEL);
 	if (ctx.offsets == NULL) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out;
 	}
@@ -2214,6 +2218,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	if (ctx.imm_count) {
 		ctx.imms = kcalloc(ctx.imm_count, sizeof(u32), GFP_KERNEL);
 		if (ctx.imms == NULL) {
+			*err = -ENOMEM;
 			prog = orig_prog;
 			goto out_off;
 		}
@@ -2239,6 +2244,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	 * we must fall back to the interpretation
 	 */
 	if (header == NULL) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out_imms;
 	}

arch/arm64/net/bpf_jit_comp.c

@@ -1843,8 +1843,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	/* If blinding was requested and we failed during blinding,
 	 * we must fall back to the interpreter.
 	 */
-	if (IS_ERR(tmp))
+	if (IS_ERR(tmp)) {
+		if (PTR_ERR(tmp) == -ENOMEM)
+			*err = -ENOMEM;
 		return orig_prog;
+	}
 	if (tmp != prog) {
 		tmp_blinded = true;
 		prog = tmp;
@@ -1854,6 +1857,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	if (!jit_data) {
 		jit_data = kzalloc(sizeof(*jit_data), GFP_KERNEL);
 		if (!jit_data) {
+			*err = -ENOMEM;
 			prog = orig_prog;
 			goto out;
 		}
@@ -1875,6 +1879,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 
 	ctx.offset = kvcalloc(prog->len + 1, sizeof(int), GFP_KERNEL);
 	if (ctx.offset == NULL) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out_off;
 	}
@@ -1914,6 +1919,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 					      sizeof(u32), &header, &image_ptr,
 					      jit_fill_hole);
 	if (!ro_header) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out_off;
 	}

arch/loongarch/net/bpf_jit.c

@@ -1209,8 +1209,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	 * we must fall back to the interpreter. Otherwise, we save
 	 * the new JITed code.
 	 */
-	if (IS_ERR(tmp))
+	if (IS_ERR(tmp)) {
+		if (PTR_ERR(tmp) == -ENOMEM)
+			*err = -ENOMEM;
 		return orig_prog;
+	}
 
 	if (tmp != prog) {
 		tmp_blinded = true;
@@ -1221,6 +1224,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	if (!jit_data) {
 		jit_data = kzalloc(sizeof(*jit_data), GFP_KERNEL);
 		if (!jit_data) {
+			*err = -ENOMEM;
 			prog = orig_prog;
 			goto out;
 		}
@@ -1240,6 +1244,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 
 	ctx.offset = kvcalloc(prog->len + 1, sizeof(u32), GFP_KERNEL);
 	if (ctx.offset == NULL) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out_offset;
 	}
@@ -1266,6 +1271,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	header = bpf_jit_binary_alloc(image_size, &image_ptr,
 				      sizeof(u32), jit_fill_hole);
 	if (header == NULL) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out_offset;
 	}

arch/mips/net/bpf_jit_comp.c

@@ -932,8 +932,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	 * the new JITed code.
 	 */
 	tmp = bpf_jit_blind_constants(prog);
-	if (IS_ERR(tmp))
+	if (IS_ERR(tmp)) {
+		if (PTR_ERR(tmp) == -ENOMEM)
+			*err = -ENOMEM;
 		return orig_prog;
+	}
 	if (tmp != prog) {
 		tmp_blinded = true;
 		prog = tmp;
@@ -948,8 +951,10 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	 */
 	ctx.descriptors = kcalloc(prog->len + 1, sizeof(*ctx.descriptors),
 				  GFP_KERNEL);
-	if (ctx.descriptors == NULL)
+	if (ctx.descriptors == NULL) {
+		*err = -ENOMEM;
 		goto out_err;
+	}
 
 	/* First pass discovers used resources */
 	if (build_body(&ctx) < 0)
@@ -991,8 +996,10 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	 * Not able to allocate memory for the structure then
 	 * we must fall back to the interpretation
 	 */
-	if (header == NULL)
+	if (header == NULL) {
+		*err = -ENOMEM;
 		goto out_err;
+	}
 
 	/* Actual pass to generate final JIT code */
 	ctx.target = (u32 *)image_ptr;

arch/parisc/net/bpf_jit_core.c

@@ -54,8 +54,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 		return orig_prog;
 
 	tmp = bpf_jit_blind_constants(prog);
-	if (IS_ERR(tmp))
+	if (IS_ERR(tmp)) {
+		if (PTR_ERR(tmp) == -ENOMEM)
+			*err = -ENOMEM;
 		return orig_prog;
+	}
 	if (tmp != prog) {
 		tmp_blinded = true;
 		prog = tmp;
@@ -65,6 +68,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	if (!jit_data) {
 		jit_data = kzalloc(sizeof(*jit_data), GFP_KERNEL);
 		if (!jit_data) {
+			*err = -ENOMEM;
 			prog = orig_prog;
 			goto out;
 		}
@@ -82,6 +86,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	ctx->prog = prog;
 	ctx->offset = kcalloc(prog->len, sizeof(int), GFP_KERNEL);
 	if (!ctx->offset) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out_offset;
 	}
@@ -117,6 +122,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 						     sizeof(long),
 						     bpf_fill_ill_insns);
 			if (!jit_data->header) {
+				*err = -ENOMEM;
 				prog = orig_prog;
 				goto out_offset;
 			}

arch/powerpc/net/bpf_jit_comp.c

@@ -155,8 +155,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp, int *err)
 		return org_fp;
 
 	tmp_fp = bpf_jit_blind_constants(org_fp);
-	if (IS_ERR(tmp_fp))
+	if (IS_ERR(tmp_fp)) {
+		if (PTR_ERR(tmp_fp) == -ENOMEM)
+			*err = -ENOMEM;
 		return org_fp;
+	}
 
 	if (tmp_fp != org_fp) {
 		bpf_blinded = true;
@@ -167,6 +170,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp, int *err)
 	if (!jit_data) {
 		jit_data = kzalloc(sizeof(*jit_data), GFP_KERNEL);
 		if (!jit_data) {
+			*err = -ENOMEM;
 			fp = org_fp;
 			goto out;
 		}
@@ -195,6 +199,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp, int *err)
 
 	addrs = kcalloc(flen + 1, sizeof(*addrs), GFP_KERNEL);
 	if (addrs == NULL) {
+		*err = -ENOMEM;
 		fp = org_fp;
 		goto out_addrs;
 	}
@@ -246,6 +251,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp, int *err)
 	fhdr = bpf_jit_binary_pack_alloc(alloclen, &fimage, 4, &hdr, &image,
 					      bpf_jit_fill_ill_insns);
 	if (!fhdr) {
+		*err = -ENOMEM;
 		fp = org_fp;
 		goto out_addrs;
 	}

arch/riscv/net/bpf_jit_core.c

@@ -55,8 +55,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 		return orig_prog;
 
 	tmp = bpf_jit_blind_constants(prog);
-	if (IS_ERR(tmp))
+	if (IS_ERR(tmp)) {
+		if (PTR_ERR(tmp) == -ENOMEM)
+			*err = -ENOMEM;
 		return orig_prog;
+	}
 	if (tmp != prog) {
 		tmp_blinded = true;
 		prog = tmp;
@@ -66,6 +69,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	if (!jit_data) {
 		jit_data = kzalloc(sizeof(*jit_data), GFP_KERNEL);
 		if (!jit_data) {
+			*err = -ENOMEM;
 			prog = orig_prog;
 			goto out;
 		}
@@ -85,6 +89,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	ctx->prog = prog;
 	ctx->offset = kcalloc(prog->len, sizeof(int), GFP_KERNEL);
 	if (!ctx->offset) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out_offset;
 	}
@@ -128,6 +133,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 							  &jit_data->header, &jit_data->image,
 							  bpf_fill_ill_insns);
 			if (!jit_data->ro_header) {
+				*err = -ENOMEM;
 				prog = orig_prog;
 				goto out_offset;
 			}

arch/s390/net/bpf_jit_comp.c

@@ -2274,8 +2274,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp, int *err)
 	 * If blinding was requested and we failed during blinding,
 	 * we must fall back to the interpreter.
 	 */
-	if (IS_ERR(tmp))
+	if (IS_ERR(tmp)) {
+		if (PTR_ERR(tmp) == -ENOMEM)
+			*err = -ENOMEM;
 		return orig_fp;
+	}
 	if (tmp != fp) {
 		tmp_blinded = true;
 		fp = tmp;
@@ -2285,6 +2288,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp, int *err)
 	if (!jit_data) {
 		jit_data = kzalloc(sizeof(*jit_data), GFP_KERNEL);
 		if (!jit_data) {
+			*err = -ENOMEM;
 			fp = orig_fp;
 			goto out;
 		}
@@ -2301,6 +2305,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp, int *err)
 	memset(&jit, 0, sizeof(jit));
 	jit.addrs = kvcalloc(fp->len + 1, sizeof(*jit.addrs), GFP_KERNEL);
 	if (jit.addrs == NULL) {
+		*err = -ENOMEM;
 		fp = orig_fp;
 		goto free_addrs;
 	}

arch/sparc/net/bpf_jit_comp_64.c

@@ -1496,8 +1496,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	/* If blinding was requested and we failed during blinding,
 	 * we must fall back to the interpreter.
 	 */
-	if (IS_ERR(tmp))
+	if (IS_ERR(tmp)) {
+		if (PTR_ERR(tmp) == -ENOMEM)
+			*err = -ENOMEM;
 		return orig_prog;
+	}
 	if (tmp != prog) {
 		tmp_blinded = true;
 		prog = tmp;
@@ -1507,6 +1510,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	if (!jit_data) {
 		jit_data = kzalloc(sizeof(*jit_data), GFP_KERNEL);
 		if (!jit_data) {
+			*err = -ENOMEM;
 			prog = orig_prog;
 			goto out;
 		}
@@ -1528,6 +1532,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 
 	ctx.offset = kmalloc_array(prog->len, sizeof(unsigned int), GFP_KERNEL);
 	if (ctx.offset == NULL) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out_off;
 	}
@@ -1570,6 +1575,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog, int *err)
 	header = bpf_jit_binary_alloc(image_size, &image_ptr,
 				      sizeof(u32), jit_fill_hole);
 	if (header == NULL) {
+		*err = -ENOMEM;
 		prog = orig_prog;
 		goto out_off;
 	}