From: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>
To: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
<sashiko@lists.linux.dev>,
"Paul Chaignon" <paul.chaignon@gmail.com>
Cc: <bpf@vger.kernel.org>
Subject: Re: [PATCH bpf-next 1/2] bpf: Print breakdown of insns processed by subprogs
Date: Wed, 29 Apr 2026 02:07:33 +0200 [thread overview]
Message-ID: <DI578ZDDKR6K.QH52KXPV1CLN@gmail.com> (raw)
In-Reply-To: <DI56ZVH6HKDK.1L8J5HPA37J09@gmail.com>
On Wed Apr 29, 2026 at 1:55 AM CEST, Kumar Kartikeya Dwivedi wrote:
> On Wed Apr 29, 2026 at 1:08 AM CEST, sashiko-bot wrote:
>> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>> - [High] Out-of-bounds read in `bpf_subprog_is_global()` when printing verification stats for programs with hidden subprograms.
>> --
>>
>> commit 08128f883e58301e0f97b1d4a94656be63b8f790
>> Author: Paul Chaignon <paul.chaignon@gmail.com>
>>
>> bpf: Print breakdown of insns processed by subprogs
>>
>> This patch tracks the number of instructions processed by each global
>> function (subprog) during BPF verification. It then reports this
>> breakdown in the verifier logs under BPF_LOG_STATS.
>>
>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>>> index 03f9e16c2abe..b48389b48eb6 100644
>>> --- a/kernel/bpf/verifier.c
>>> +++ b/kernel/bpf/verifier.c
>>
>> [ ... ]
>>
>>> @@ -18288,6 +18295,13 @@ static void print_verification_stats(struct bpf_verifier_env *env)
>>> verbose(env, "+");
>>> }
>>> verbose(env, "\n");
>>> + verbose(env, "insns processed %d", env->subprog_info[0].insn_processed);
>>> + for (i = 1; i < env->subprog_cnt; i++) {
>>> + if (!bpf_subprog_is_global(env, i))
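Review bot: the new loop at `for (i = 1; i < env->subprog_cnt; i++)` uses a bound that includes hidden subprogs appended by add_hidden_subprog(), while func_info_aux is sized by func_info_cnt and is not grown when a hidden subprog is added, so `bpf_subprog_is_global(env, i)` reads `aux[i].linkage` past the allocation for a hidden index. Bound the loop by the real subprog count (`env->subprog_cnt - env->hidden_subprog_cnt`) or have the accessor return false for an index without a func_info entry.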
>>
>> Could this introduce a regression due to an out-of-bounds read on the
>> func_info_aux array if there are hidden subprograms?
>>
>> At load time, if BTF is present, env->prog->aux->func_info_aux is allocated
>> with exactly func_info_cnt elements, and env->subprog_cnt initially matches
>> func_info_cnt.
>>
>> During verification, if a feature like bpf_throw is used without an explicit
>> callback, add_hidden_subprog() is called which increments env->subprog_cnt
>> but does not resize the func_info_aux array.
>>
>> Since this loop iterates up to the updated env->subprog_cnt, when i reaches
>> the index of a hidden subprogram, bpf_subprog_is_global() will access
>> aux[i].linkage where i >= func_info_cnt:
>>
>> kernel/bpf/verifier.c:bpf_subprog_is_global() {
>> struct bpf_func_info_aux *aux = env->prog->aux->func_info_aux;
>>
>> return aux && aux[subprog].linkage == BTF_FUNC_GLOBAL;
>> }
>>
>> Is it possible to skip hidden subprograms here, or limit the check to
>> func_info_cnt?
>
> Don't see it happening, since hidden subprogs never get verified, so we won't
> invoke bpf_subprog_is_global() with such a subprog index.
Ah, no, stupid me. We get here after fixing up and adding the hidden subprog. So
we can still do OOB since subprog_cnt includes the hidden_subprog_cnt. How about
the following as a fix? I checked over other places where we iterate over all of
the subprogs and those look fine, so instead of changing bpf_subprog_is_global()
we can adjust this function to only consider real subprogs. Didn't compile test.

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b48389b48eb6..b9266e3d46c7 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18281,22 +18281,24 @@ static int do_check_main(struct bpf_verifier_env *env)
static void print_verification_stats(struct bpf_verifier_env *env)
{
+ /* Skip over hidden subprogs which are not verified. */
+ int subprog_cnt = env->subprog_cnt - env->hidden_subprog_cnt;
int i;
if (env->log.level & BPF_LOG_STATS) {
verbose(env, "verification time %lld usec\n",
div_u64(env->verification_time, 1000));
verbose(env, "stack depth ");
- for (i = 0; i < env->subprog_cnt; i++) {
+ for (i = 0; i < subprog_cnt; i++) {
u32 depth = env->subprog_info[i].stack_depth;
verbose(env, "%d", depth);
- if (i + 1 < env->subprog_cnt)
+ if (i + 1 < subprog_cnt)
verbose(env, "+");
}
verbose(env, "\n");
verbose(env, "insns processed %d", env->subprog_info[0].insn_processed);
- for (i = 1; i < env->subprog_cnt; i++) {
+ for (i = 1; i < subprog_cnt; i++) {
if (!bpf_subprog_is_global(env, i))
continue;
verbose(env, "+%d", env->subprog_info[i].insn_processed);
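Review bot: narrowing the existing `stack depth` loop (the `- for (i = 0; i < env->subprog_cnt; i++)` / `+ for (i = 0; i < subprog_cnt; i++)` lines) changes output that is already emitted today: for a program with a hidden subprog, its stack_depth was previously printed as the last `+` term and now disappears. Only the new `insns processed` loop needs the tighter bound to stay inside func_info_aux, so either keep the stack depth loop over `env->subprog_cnt` or state the output change explicitly in the commit message. Since the diff was not compile tested, a run of a bpf_throw selftest (which creates a hidden subprog) under BPF_LOG_STATS would confirm both loops behave as intended.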
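To make the bound discussed in this thread concrete, here is an added example that is not from the patch or from the kernel: a constructed toy model of the two counters involved (func_info_cnt sizing func_info_aux, subprog_cnt grown by hidden subprogs), with a guarded accessor that never indexes past the func_info entries and a stats formatter that walks only the real subprogs. Struct layouts, the BTF_FUNC_GLOBAL value, the function names and the sample counts are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy model of the verifier state discussed in the thread.
 * Not kernel code: struct layouts, the BTF_FUNC_GLOBAL value and every
 * sample value below are assumptions made for this example.
 */
#define BTF_FUNC_GLOBAL 1

struct func_info_aux { int linkage; };
struct subprog_info { unsigned stack_depth; int insn_processed; };

struct toy_env {
	struct func_info_aux *func_info_aux;	/* func_info_cnt entries, sized at load time */
	unsigned func_info_cnt;
	struct subprog_info *subprog_info;	/* subprog_cnt entries */
	unsigned subprog_cnt;			/* grows when hidden subprogs are added */
	unsigned hidden_subprog_cnt;
};

/* Guarded accessor: an index with no func_info entry is never reported as global. */
static bool subprog_is_global(const struct toy_env *env, unsigned subprog)
{
	if (!env->func_info_aux || subprog >= env->func_info_cnt)
		return false;
	return env->func_info_aux[subprog].linkage == BTF_FUNC_GLOBAL;
}

/* Subprogs the stats loops may visit: hidden ones sit at the tail and are excluded. */
unsigned real_subprog_cnt(const struct toy_env *env)
{
	return env->subprog_cnt - env->hidden_subprog_cnt;
}

/* Build the "insns processed" line the way the bounded loop does; returns its length. */
int format_insn_stats(const struct toy_env *env, char *buf, size_t len)
{
	unsigned cnt = real_subprog_cnt(env);
	int n = snprintf(buf, len, "insns processed %d", env->subprog_info[0].insn_processed);

	for (unsigned i = 1; i < cnt && n >= 0 && (size_t)n < len; i++) {
		if (!subprog_is_global(env, i))
			continue;
		n += snprintf(buf + n, len - n, "+%d", env->subprog_info[i].insn_processed);
	}
	return n;
}

/* Sample program: main, a static subprog and a global subprog from BTF, plus one hidden subprog. */
static struct func_info_aux sample_aux[3] = { {0}, {0}, {BTF_FUNC_GLOBAL} };
static struct subprog_info sample_subprogs[4] = { {32, 120}, {16, 0}, {48, 40}, {8, 0} };

struct toy_env sample_env(void)
{
	struct toy_env env = {
		.func_info_aux = sample_aux, .func_info_cnt = 3,
		.subprog_info = sample_subprogs, .subprog_cnt = 4, .hidden_subprog_cnt = 1,
	};
	return env;
}

int main(void)
{
	char line[64];
	struct toy_env env = sample_env();

	format_insn_stats(&env, line, sizeof(line));
	puts(line);	/* insns processed 120+40 */
	return 0;
}
```

With the sample state, index 3 is the hidden subprog: it exists in subprog_info but has no func_info_aux entry, so the guarded accessor returns false for it instead of reading past the three allocated entries, and the formatter never reaches it because its bound is the real subprog count.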