From: sashiko-bot@kernel.org
To: "Alan Maguire" <alan.maguire@oracle.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next 2/6] libbpf: Adjust btf_vlen() to return a __u32
Date: Tue, 14 Apr 2026 21:39:03 +0000	[thread overview]
Message-ID: <20260414213903.B2FA9C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260414195019.684531-3-alan.maguire@oracle.com>

Sashiko AI review found 2 potential issue(s):
- [High] Expansion of vlen from 16-bit to 24-bit introduces severe O(N^2) complexity issues in CO-RE relocation matching.
- [High] Lack of bounds checking in `btf_type_inc_vlen` corrupts the BTF type kind field upon overflow.
--

commit 05dfc0fce969915cd3d509a4e34a33558181e95d
Author: Alan Maguire <alan.maguire@oracle.com>

    libbpf: Adjust btf_vlen() to return a __u32
    
    Now that vlen is 24 bits, btf_vlen() must return a __u32.
    Adjust use cases in libbpf accordingly.

> diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
> index 0ccc8f548cbaa..6ae3f2a15ad0c 100644
> --- a/tools/lib/bpf/relo_core.c
> +++ b/tools/lib/bpf/relo_core.c
[ ... ]
> @@ -1457,8 +1457,8 @@ static bool bpf_core_names_match(const struct btf *local_btf, size_t local_name_
>  static int bpf_core_enums_match(const struct btf *local_btf, const struct btf_type *local_t,
>  				const struct btf *targ_btf, const struct btf_type *targ_t)
>  {
> -	__u16 local_vlen = btf_vlen(local_t);
> -	__u16 targ_vlen = btf_vlen(targ_t);
> +	__u32 local_vlen = btf_vlen(local_t);
> +	__u32 targ_vlen = btf_vlen(targ_t);
>  	int i, j;
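Review bot: the loop counters declared on the unchanged line `int i, j;` stay signed while `local_vlen` and `targ_vlen` become `__u32` on the two `+` lines above, so wherever `i` or `j` is compared against the new bounds in the loops that follow, the comparison now mixes signed and unsigned types. A 24-bit vlen still fits in an int, so there is no overflow, but declaring `__u32 i, j;` here would keep -Wsign-compare quiet and make the widening consistent with the rest of the hunk.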

Can this widened vlen boundary create performance issues during CO-RE
relocation?

Looking at bpf_core_enums_match() and bpf_core_composites_match(), they
iterate over both local and target BTF type members using nested loops. With
the previous 16-bit limit, the worst-case was ~4.29 billion iterations. By
expanding vlen to 24 bits (max 16.7 million), the worst-case iterations
expand to ~281 trillion.

Could a crafted BTF payload stall the libbpf parser and consuming user-space
daemons for a significant amount of time?

Since vlen has been expanded to 24 bits, could we also overflow the kind
field when adding elements to a BTF type?

tools/lib/bpf/btf.c:
static void btf_type_inc_vlen(struct btf_type *t)
{
	t->info = btf_type_info(btf_kind(t), btf_vlen(t) + 1, btf_kflag(t));
}

tools/lib/bpf/libbpf_internal.h:
static inline __u32 btf_type_info(int kind, int vlen, int kflag)
{
	return (kflag << 31) | (kind << 24) | vlen;
}

If a program dynamically builds a BTF type and exceeds 16,777,215 elements,
vlen reaches 1 << 24. Since the vlen and kind fields are contiguous, does
this mutate the structure's type kind rather than safely rejecting the
overflow?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260414195019.684531-1-alan.maguire@oracle.com?part=2
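As an added illustration of the overflow question raised above (not code from the patch, from libbpf, or from the reviewer): a stand-alone C model of the info-word packing quoted in the message, with an unchecked increment that lets a full 24-bit vlen carry into the kind field and a checked variant that rejects the overflow instead. The field widths, the fake_btf_type struct and the helper names are assumptions of this model, not libbpf's own definitions.

```c
#include <errno.h>
#include <stdint.h>

/* Layout as in the btf_type_info() quoted above; exact widths are assumptions of this model:
 * bit 31 = kflag, bits 24..30 = kind, bits 0..23 = vlen. */
#define VLEN_BITS   24
#define VLEN_MASK   ((1u << VLEN_BITS) - 1)   /* max vlen = 16,777,215 */
#define KIND_SHIFT  24
#define KIND_MASK   0x7fu
#define KFLAG_SHIFT 31

struct fake_btf_type { uint32_t name_off; uint32_t info; uint32_t size; };

static uint32_t pack_info(uint32_t kind, uint32_t vlen, uint32_t kflag)
{
	return (kflag << KFLAG_SHIFT) | (kind << KIND_SHIFT) | vlen;
}
static uint32_t info_vlen(uint32_t info)  { return info & VLEN_MASK; }
static uint32_t info_kind(uint32_t info)  { return (info >> KIND_SHIFT) & KIND_MASK; }
static uint32_t info_kflag(uint32_t info) { return info >> KFLAG_SHIFT; }

/* Unchecked increment, the pattern the review quotes: vlen + 1 is ORed in unmasked. */
static void inc_vlen_unchecked(struct fake_btf_type *t)
{
	t->info = pack_info(info_kind(t->info), info_vlen(t->info) + 1, info_kflag(t->info));
}

/* Checked variant: refuse to grow past the 24-bit maximum instead of touching kind. */
static int inc_vlen_checked(struct fake_btf_type *t)
{
	if (info_vlen(t->info) >= VLEN_MASK)
		return -E2BIG;
	t->info = pack_info(info_kind(t->info), info_vlen(t->info) + 1, info_kflag(t->info));
	return 0;
}

/* Kind observed after one unchecked increment from a full vlen: the carry lands in bit 24,
 * so kind 4 (BTF_KIND_STRUCT) silently becomes kind 5 (BTF_KIND_UNION). */
static uint32_t kind_after_unchecked_overflow(uint32_t kind)
{
	struct fake_btf_type t = { .info = pack_info(kind, VLEN_MASK, 0) };
	inc_vlen_unchecked(&t);
	return info_kind(t.info);
}

/* 1 if the checked increment rejects a full vlen and leaves the info word untouched. */
static int checked_rejects_full_vlen(uint32_t kind)
{
	struct fake_btf_type t = { .info = pack_info(kind, VLEN_MASK, 1) };
	uint32_t before = t.info;
	return inc_vlen_checked(&t) == -E2BIG && t.info == before;
}
```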
