Merge branch 'bpf-jmp-seq-limit'

Alexei Starovoitov says: ==================== Patch 1 - jmp sequence limit Patch 2 - improve existing tests Patch 3 - add pyperf-based realistic bpf program that takes advantage of higher limit and use it as a stress test v1->v2: fixed nit in patch 3. added Andrii's acks ==================== Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
author: Daniel Borkmann <daniel@iogearbox.net> 2019-05-23 16:20:58 +0200
committer: Daniel Borkmann <daniel@iogearbox.net> 2019-05-23 16:20:59 +0200
commit: 29c677c86a15fadcf85f072f75d88ce37ceac452 (patch)
tree: f9b0f0dece13fb49d504ce72851404861c6b3849 /kernel
parent: 9efc7794496d531593751a3fb008030d5f9ba87c (diff)
parent: 7c9441066ab53168093c79477aabd575f7c14129 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 95f9354495ad..3f8b5443cc67 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -176,7 +176,7 @@ struct bpf_verifier_stack_elem {
 	struct bpf_verifier_stack_elem *next;
 };
 
-#define BPF_COMPLEXITY_LIMIT_STACK	1024
+#define BPF_COMPLEXITY_LIMIT_JMP_SEQ	8192
 #define BPF_COMPLEXITY_LIMIT_STATES	64
 
 #define BPF_MAP_PTR_UNPRIV	1UL
@@ -782,8 +782,9 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
 	if (err)
 		goto err;
 	elem->st.speculative |= speculative;
-	if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) {
-		verbose(env, "BPF program is too complex\n");
+	if (env->stack_size > BPF_COMPLEXITY_LIMIT_JMP_SEQ) {
+		verbose(env, "The sequence of %d jumps is too complex.\n",
+			env->stack_size);
 		goto err;
 	}
 	return &elem->st;
author	Daniel Borkmann <daniel@iogearbox.net>	2019-05-23 16:20:58 +0200
committer	Daniel Borkmann <daniel@iogearbox.net>	2019-05-23 16:20:59 +0200
commit	29c677c86a15fadcf85f072f75d88ce37ceac452 (patch)
tree	f9b0f0dece13fb49d504ce72851404861c6b3849 /kernel
parent	9efc7794496d531593751a3fb008030d5f9ba87c (diff)
parent	7c9441066ab53168093c79477aabd575f7c14129 (diff)