Hi,
On 5/2/26 8:52 PM, Aaron Tomlin wrote:
> The primary remit of the eBPF verifier is to ensure that eBPF programs
> can neither crash the kernel nor corrupt memory. Nevertheless,
> administrative utilities such as "bpftrace --unsafe" permit the loading
> of programs that employ destructive or mutating helpers, most notably
> bpf_probe_write_user() and bpf_override_return().
>
> Since commit b28573ebfabe ("bpf: Remove bpf_probe_write_user() warning
> message"), the kernel no longer issues a warning when an attempt is made to
> invoke such destructive helpers.
>
> Consequently, this patch introduces a novel kernel taint flag,
> TAINT_UNSAFE_BPF ("V"). Tainting the kernel establishes a permanent and
> readily auditable indicator (i.e., /proc/sys/kernel/tainted) to alert
> maintainers that the kernel's execution flow or user memory may have
> been compromised by an eBPF program.
>
> Signed-off-by: Aaron Tomlin <[email protected]>
> ---
> Documentation/admin-guide/tainted-kernels.rst | 54 ++++++++++---------
> include/linux/panic.h | 3 +-
> kernel/panic.c | 1 +
> kernel/trace/bpf_trace.c | 3 ++
> 4 files changed, 36 insertions(+), 25 deletions(-)
>
> diff --git a/Documentation/admin-guide/tainted-kernels.rst
> b/Documentation/admin-guide/tainted-kernels.rst
> index 9ead927a37c0..630f24996e7b 100644
> --- a/Documentation/admin-guide/tainted-kernels.rst
> +++ b/Documentation/admin-guide/tainted-kernels.rst
> @@ -79,30 +79,31 @@ which bits are set::
> Table for decoding tainted state
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> -=== === ====== ========================================================
> -Bit Log Number Reason that got the kernel tainted
> -=== === ====== ========================================================
> - 0 G/P 1 proprietary module was loaded
> - 1 _/F 2 module was force loaded
> - 2 _/S 4 kernel running on an out of specification system
> - 3 _/R 8 module was force unloaded
> - 4 _/M 16 processor reported a Machine Check Exception (MCE)
> - 5 _/B 32 bad page referenced or some unexpected page flags
> - 6 _/U 64 taint requested by userspace application
> - 7 _/D 128 kernel died recently, i.e. there was an OOPS or BUG
> - 8 _/A 256 ACPI table overridden by user
> - 9 _/W 512 kernel issued warning
> - 10 _/C 1024 staging driver was loaded
> - 11 _/I 2048 workaround for bug in platform firmware applied
> - 12 _/O 4096 externally-built ("out-of-tree") module was loaded
> - 13 _/E 8192 unsigned module was loaded
> - 14 _/L 16384 soft lockup occurred
> - 15 _/K 32768 kernel has been live patched
> - 16 _/X 65536 auxiliary taint, defined for and used by distros
> - 17 _/T 131072 kernel was built with the struct randomization plugin
> - 18 _/N 262144 an in-kernel test has been run
> - 19 _/J 524288 userspace used a mutating debug operation in fwctl
> -=== === ====== ========================================================
> +=== === ====== ========================================================
> +Bit Log Number Reason that got the kernel tainted
> +=== === ====== ========================================================
> + 0 G/P 1 proprietary module was loaded
> + 1 _/F 2 module was force loaded
> + 2 _/S 4 kernel running on an out of specification system
> + 3 _/R 8 module was force unloaded
> + 4 _/M 16 processor reported a Machine Check Exception (MCE)
> + 5 _/B 32 bad page referenced or some unexpected page flags
> + 6 _/U 64 taint requested by userspace application
> + 7 _/D 128 kernel died recently, i.e. there was an OOPS or BUG
> + 8 _/A 256 ACPI table overridden by user
> + 9 _/W 512 kernel issued warning
> + 10 _/C 1024 staging driver was loaded
> + 11 _/I 2048 workaround for bug in platform firmware applied
> + 12 _/O 4096 externally-built ("out-of-tree") module was loaded
> + 13 _/E 8192 unsigned module was loaded
> + 14 _/L 16384 soft lockup occurred
> + 15 _/K 32768 kernel has been live patched
> + 16 _/X 65536 auxiliary taint, defined for and used by distros
> + 17 _/T 131072 kernel was built with the struct randomization plugin
> + 18 _/N 262144 an in-kernel test has been run
> + 19 _/J 524288 userspace used a mutating debug operation in fwctl
> + 20 _/V 1048576 an unsafe eBPF program (mutating helper) was loaded
> +=== === ======= ========================================================
>
> Note: The character ``_`` is representing a blank in this table to make
> reading
> easier.
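Review bot: the table borders in this hunk are inconsistent: the new bottom border uses a seven-character Number column (`+=== === ======= ====...`) while the top border and the header separator still use six (`+=== === ====== ====...`). In an RST simple table all border rows must match, so Sphinx will reject the table; widen the two upper borders to `=======` as well, since 1048576 needs seven characters. Separately, rewriting all twenty existing rows to add one produces a diff that is hard to review; if the rows must be re-indented because the Number column grew, say so in the commit message, otherwise leave them as unchanged context and add only the new row plus the widened borders.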
> @@ -189,3 +190,8 @@ More detailed explanation for tainting
> 19) ``J`` if userspace opened /dev/fwctl/* and performed a
> FWTCL_RPC_DEBUG_WRITE
> to use the devices debugging features. Device debugging features could
> cause the device to malfunction in undefined ways.
> +
> + 20) ``V`` if an eBPF program utilising unsafe, mutating helpers (such as
> + bpf_probe_write_user() or bpf_override_return()) was loaded. These
> helpers
> + bypass standard eBPF safety guarantees and can alter execution flow or
> + corrupt memory.
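Review bot: the wording "bypass standard eBPF safety guarantees" in the new item 20 is misleading, since the verifier still checks these programs; what the named helpers do is write to user memory and override return values of probed functions, which is what the commit message describes as "destructive or mutating helpers". Suggest: "``V`` if an eBPF program using unsafe, mutating helpers (such as bpf_probe_write_user() or bpf_override_return()) was loaded. These helpers can alter execution flow or modify user memory." Also, "such as" leaves the triggering set open-ended; an administrator decoding this flag needs to know exactly which helpers set it, so either list them all or point at the code that sets the taint.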
(If this patch goes forward:)
In this same file (above), there is a little script around line 77 where
it should be changed:
s/20/21/
Also please update tools/debugging/kernel-chktaint for this taint flag.
--
~Randy