From: sashiko-bot@kernel.org
To: "Paul Houssel" <paulhoussel2@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v3 1/2] bpf: render CGROUP_LSM_NUM configurable as a KConfig
Date: Wed, 06 May 2026 21:08:56 +0000
Message-ID: <20260506210856.C6C29C2BCB0@smtp.kernel.org>
In-Reply-To: <20260506150547.767315-2-paulhoussel2@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Increasing CONFIG_CGROUP_LSM_NUM to its maximum value (300) causes an excessive stack allocation in cgroup_bpf_inherit(), which will trigger a FRAME_WARN build failure and risks stack overflow.
--
commit 33800a93ec2833bc433c78926307347450251cdb
Author: Paul Houssel <paulhoussel2@gmail.com>
bpf: render CGROUP_LSM_NUM configurable as a KConfig
This commit makes the maximum number of concurrently attachable per-cgroup
LSM hooks configurable at build time via the new CONFIG_CGROUP_LSM_NUM
option. It allows the value to be tuned from 0 to 300, replacing the
previous hardcoded limit of 10.
> diff --git a/include/linux/bpf-cgroup-defs.h b/include/linux/bpf-cgroup-defs.h
> index c9e6b26abab6d..9ab5ca3dbaba3 100644
> --- a/include/linux/bpf-cgroup-defs.h
> +++ b/include/linux/bpf-cgroup-defs.h
[ ... ]
> #ifdef CONFIG_BPF_LSM
> /* Maximum number of concurrently attachable per-cgroup LSM hooks. */
> -#define CGROUP_LSM_NUM 10
> +#define CGROUP_LSM_NUM CONFIG_CGROUP_LSM_NUM
> #else
> #define CGROUP_LSM_NUM 0
> #endif
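Review bot: under CONFIG_BPF_LSM this now expands CGROUP_LSM_NUM to CONFIG_CGROUP_LSM_NUM, but the new Kconfig symbol also carries `depends on CGROUP_BPF`, so it is undefined in a BPF_LSM=y, CGROUP_BPF=n configuration; please confirm this `#ifdef CONFIG_BPF_LSM` branch is itself only compiled when CONFIG_CGROUP_BPF is set, otherwise `CGROUP_LSM_NUM` expands to an undefined identifier and its use as an array bound breaks the build. A `#ifndef CONFIG_CGROUP_LSM_NUM` fallback to 0 next to the define would make that dependency explicit, and the comment above the define should say the limit is now chosen in Kconfig rather than fixed.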
> diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
> index eb3de35734f09..050af0b72651d 100644
> --- a/kernel/bpf/Kconfig
> +++ b/kernel/bpf/Kconfig
[ ... ]
> +config CGROUP_LSM_NUM
> + int "Maximum number of per-cgroup LSM hooks"
> + depends on BPF_LSM
> + depends on CGROUP_BPF
> + range 0 300
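Review bot: the `range 0 300` upper bound directly sets the frame size of cgroup_bpf_inherit(), because that function sizes the local `struct bpf_prog_array *arrays[NR]` from MAX_CGROUP_BPF_ATTACH_TYPE, which reaches 328 at the maximum (2624 bytes of pointers on 64-bit); either lower the upper bound to what the stack can carry, or move that table to a kzalloc()/kfree() pair so the frame no longer scales with the option. The shown part of the entry also ends at `range 0 300` with no `default 10`; since the commit message describes this as replacing the previous hardcoded limit of 10, add `default 10` so existing configurations keep the old behaviour.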
If this is configured to the maximum value of 300, could this cause a
regression by overflowing the kernel stack in cgroup_bpf_inherit()?
In include/linux/bpf-cgroup-defs.h, MAX_CGROUP_BPF_ATTACH_TYPE scales
dynamically based on CGROUP_LSM_NUM. At 300, MAX_CGROUP_BPF_ATTACH_TYPE
grows to 328 (28 base hooks + 300).
In kernel/bpf/cgroup.c, cgroup_bpf_inherit() computes NR as
ARRAY_SIZE(cgrp->bpf.effective) and declares a local stack array:
kernel/bpf/cgroup.c:cgroup_bpf_inherit() {
...
#define NR ARRAY_SIZE(cgrp->bpf.effective)
struct bpf_prog_array *arrays[NR] = {};
...
}
On 64-bit architectures, this array of pointers would consume 2624 bytes
(328 * 8) on the stack. Does this exceed the standard CONFIG_FRAME_WARN
limits and risk build failures or runtime stack overflows?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260506150547.767315-1-paulhoussel2@gmail.com?part=1
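As an added illustration (not code from the patch, the kernel, or the review bot), the following userspace C models the sizing argument above: it mirrors the 28 base attach types and 8-byte pointers from the review's arithmetic, reports the bytes the on-stack table would take for a given CONFIG_CGROUP_LSM_NUM, compares that against a 2048-byte budget (the CONFIG_FRAME_WARN default on 64-bit targets, assumed here), adds a build-time guard for the configured value, and shows the heap-backed alternative whose frame size does not scale. The macro and function names are this example's own, and the `CONFIG_CGROUP_LSM_NUM` stand-in defaults to the old value of 10 so the file compiles outside a kernel tree.

```c
/* Added userspace illustration, not kernel code: models how the local
 * pointer array in cgroup_bpf_inherit() grows with CONFIG_CGROUP_LSM_NUM
 * and shows a heap-backed alternative whose frame size does not scale. */
#include <stdio.h>
#include <stdlib.h>

#define BASE_ATTACH_TYPES 28      /* non-LSM cgroup attach types, per the review text */
#define PTR_BYTES 8               /* 64-bit pointer, as in the review's arithmetic */
#define FRAME_WARN_64BIT 2048     /* assumed: CONFIG_FRAME_WARN default on 64-bit */

/* Stand-in for the Kconfig symbol so the build-time check below can run here. */
#ifndef CONFIG_CGROUP_LSM_NUM
#define CONFIG_CGROUP_LSM_NUM 10  /* the previously hardcoded limit */
#endif

/* MAX_CGROUP_BPF_ATTACH_TYPE for a given configured LSM hook count. */
static unsigned int max_attach_types(unsigned int lsm_num)
{
	return BASE_ATTACH_TYPES + lsm_num;
}

/* Bytes the local `struct bpf_prog_array *arrays[NR]` would occupy. */
static unsigned int inherit_stack_bytes(unsigned int lsm_num)
{
	return max_attach_types(lsm_num) * PTR_BYTES;
}

/* 1 if that one local alone already exceeds the assumed frame budget. */
static int exceeds_frame_warn(unsigned int lsm_num)
{
	return inherit_stack_bytes(lsm_num) > FRAME_WARN_64BIT;
}

/* Build-time guard: refuse a configured value whose table would not fit,
 * instead of discovering it later through -Wframe-larger-than. */
_Static_assert((BASE_ATTACH_TYPES + CONFIG_CGROUP_LSM_NUM) * PTR_BYTES <= FRAME_WARN_64BIT,
	       "CONFIG_CGROUP_LSM_NUM too large for an on-stack prog array table");

/* Heap-backed variant: the frame holds a single pointer regardless of the
 * configured value. Returns the slot count, or 0 on allocation failure. */
static unsigned int inherit_heap_slots(unsigned int lsm_num)
{
	unsigned int nr = max_attach_types(lsm_num);
	void **arrays = calloc(nr, sizeof(*arrays));

	if (!arrays)
		return 0;
	/* per-slot work on arrays[] would go here */
	free(arrays);
	return nr;
}

int main(void)
{
	/* constructed sample configuration values */
	static const unsigned int cfg[] = { 0, 10, 100, 300 };

	for (size_t i = 0; i < sizeof(cfg) / sizeof(cfg[0]); i++)
		printf("CGROUP_LSM_NUM=%3u -> %3u slots, %4u stack bytes%s\n",
		       cfg[i], max_attach_types(cfg[i]), inherit_stack_bytes(cfg[i]),
		       exceeds_frame_warn(cfg[i]) ? " (exceeds FRAME_WARN)" : "");
	return 0;
}
```

The budget comparison is deliberately optimistic: it counts only this one array, while the real frame also holds the function's other locals and spills, so the largest value that actually passes the kernel's frame check is lower than the arithmetic alone suggests.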
Thread overview: 11+ messages
2026-05-06 15:05 [PATCH v3 0/2] Introduce CONFIG_CGROUP_LSM_NUM to render BPF_LSM_CGROUP attachment limit configurable Paul Houssel
2026-05-06 15:05 ` [PATCH v3 1/2] bpf: render CGROUP_LSM_NUM configurable as a KConfig Paul Houssel
2026-05-06 15:52 ` bot+bpf-ci
2026-05-06 16:11 ` Paul Chaignon
2026-05-06 21:08 ` sashiko-bot [this message]
2026-05-07 16:39 ` Paul Houssel
2026-05-08 22:16 ` Alexei Starovoitov
2026-05-06 15:05 ` [PATCH v3 2/2] selftests/bpf: add tests to verify the enforcement of CONFIG_CGROUP_LSM_NUM Paul Houssel
2026-05-06 16:05 ` Paul Chaignon
2026-05-06 21:24 ` sashiko-bot
2026-05-06 16:13 ` [PATCH v3 0/2] Introduce CONFIG_CGROUP_LSM_NUM to render BPF_LSM_CGROUP attachment limit configurable Paul Chaignon