From: sashiko-bot@kernel.org
To: "Paul Chaignon" <paul.chaignon@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 1/2] bpf: Print breakdown of insns processed by subprogs
Date: Wed, 29 Apr 2026 02:26:57 +0000
Message-ID: <20260429022658.5AC1BC2BCB7@smtp.kernel.org>
In-Reply-To: <5c3514dbc879f22ba3f9eff8a2c730e13bd0572c.1777398528.git.paul.chaignon@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Out-of-bounds array read of `env->prog->aux->func_info_aux` in `bpf_subprog_is_global` during `print_verification_stats`.
--
commit ef2118bdc82dd49b98dca03db90f551c13fc5d86
Author: Paul Chaignon <paul.chaignon@gmail.com>
bpf: Print breakdown of insns processed by subprogs
When using global functions, the verifier performs function-by-function
verification, and only the sum of instructions processed is reported.
This patch implements a breakdown of instructions processed per global
function under BPF_LOG_STATS, as is done for stack depths.
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[ ... ]
> @@ -18288,6 +18295,13 @@ static void print_verification_stats(struct bpf_verifier_env *env)
> verbose(env, "+");
> }
> verbose(env, "\n");
> + verbose(env, "insns processed %d", env->subprog_info[0].insn_processed);
> + for (i = 1; i < env->subprog_cnt; i++) {
> + if (!bpf_subprog_is_global(env, i))
Does this code cause an out-of-bounds read of the func_info_aux array?
If a default exception callback is injected during verification,
add_hidden_subprog() increments env->subprog_cnt but does not resize the
func_info_aux array.
When print_verification_stats() later iterates up to the new env->subprog_cnt
and calls bpf_subprog_is_global(env, i):
kernel/bpf/verifier.c:bpf_subprog_is_global() {
    struct bpf_func_info_aux *aux = env->prog->aux->func_info_aux;
    return aux && aux[subprog].linkage == BTF_FUNC_GLOBAL;
}
Could this read past the end of the aux array when i reaches the index of
the newly added hidden subprogram?
> + continue;
> + verbose(env, "+%d", env->subprog_info[i].insn_processed);
> + }
> + verbose(env, "\n");
> }
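Review bot: The loop `for (i = 1; i < env->subprog_cnt; i++)` passes every index up to `env->subprog_cnt` to `bpf_subprog_is_global()`, and the helper as quoted above only checks that `func_info_aux` is non-NULL before reading `aux[subprog].linkage`, so nothing in this hunk keeps `i` inside that array. Either bound the index by the number of entries `func_info_aux` actually holds, or stop the loop before any subprogs that were appended after that array was sized. Separately, because non-global subprogs are skipped with `continue`, the position of a `+%d` term no longer identifies which subprog it belongs to; printing the subprog index next to each count, or documenting the mapping in the commit message, would make the line easier to read.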
--
Sashiko AI review · https://sashiko.dev/#/patchset/5c3514dbc879f22ba3f9eff8a2c730e13bd0572c.1777398528.git.paul.chaignon@gmail.com?part=1