CVE-2023-54086

In the Linux kernel, the following vulnerability has been resolved:

bpf: Add preemptcount{sub,add} into btf id deny list

The recursion check in __bpfprogenter* and __bpfprogexit* leave preemptcount{sub,add} unprotected. When attaching trampoline to them we get panic as follows,

[ 867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28) [ 867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI [ 867.843067] CPU: 8 PID: 11009 Comm: trace Kdump: loaded Not tainted 6.2.0+ #4 [ 867.843100] Call Trace: [ 867.843101] <TASK> [ 867.843104] asmexcint3+0x3a/0x40 [ 867.843108] RIP: 0010:preemptcountsub+0x1/0xa0 [ 867.843135] __bpfprogenter_recur+0x17/0x90 [ 867.843148] bpftrampoline64424681080+0x2e/0x1000 [ 867.843154] ? preemptcountsub+0x1/0xa0 [ 867.843157] preemptcountsub+0x5/0xa0 [ 867.843159] ? migrateenable+0xac/0xf0 [ 867.843164] __bpfprogexit_recur+0x2d/0x40 [ 867.843168] bpftrampoline64424681080+0x55/0x1000 ... [ 867.843788] preemptcountsub+0x5/0xa0 [ 867.843793] ? migrateenable+0xac/0xf0 [ 867.843829] __bpfprogexitrecur+0x2d/0x40 [ 867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35) [ 867.843841] BUG: IRQ stack guard page was hit at 000000005ae07924 (stack is 00000000ffd69623..0000000014eb594c) [ 867.843843] BUG: IRQ stack guard page was hit at 00000000028320f0 (stack is 00000000034b6438..0000000078d1bcec) [ 867.843842] bpftrampoline64424681080+0x55/0x1000 ...

That is because in _bpfprogexitrecur, the preemptcount{sub,add} are called after prog->active is decreased.

Fixing this by adding these two functions into btf ids deny list.