Re: [PATCH bpf-next v1 15/17] bpf: Report Verifier Limit errors

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Large local character arrays (`chain[256]` and `reason[512]`) are allocated on the stack in verifier functions, risking kernel stack overflow.
--

commit 58bfdd96949c20f24a4355e1c77d8bbbd610ef4d
Author: Kumar Kartikeya Dwivedi <memxor@gmail.com>

bpf: Report Verifier Limit errors

This commit augments selected verifier limit failures with detailed reports.
These reports focus on the limit that was exceeded and the observed value or
condition across stack constraints, call frames, and instruction complexity.

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[ ... ]
> @@ -5233,6 +5267,8 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx,
>  	bool tail_call_reachable = false;
>  	int total;
>  	int tmp;
> +	char chain[256];
> +	char reason[512];

[Severity: Medium]
Could this cause kernel stack overflows? Although these variables are only
populated in slow error-reporting paths, C compilers typically allocate
local variables in the function's prologue.

This adds 768 bytes to the stack frame. Since this is only used on failure
paths, could these strings be dynamically allocated (e.g., using kasprintf)
to avoid bloating the stack?

[ ... ]
> @@ -9443,11 +9557,22 @@ static int setup_func_entry(struct bpf_verifier_env *env, int subprog, int calls
>  			    struct bpf_verifier_state *state)
>  {
>  	struct bpf_func_state *caller, *callee;
> +	char chain[256];
> +	char reason[512];
>  	int err;

[Severity: Medium]
Does this present a similar stack bloat risk? setup_func_entry() is invoked
deep within the verifier's call stack, for example:

do_check() -> do_check_insn() -> check_call() -> set_callee_state() ->
setup_func_entry()

Adding an additional ~800-byte frame size expansion here might trigger frame
warnings or kernel stack exhaustion.

>  	if (state->curframe + 1 >= MAX_CALL_FRAMES) {

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260605063412.974640-1-memxor@gmail.com?part=15