On Fri Dec 13, 2024 at 10:27 PM CET, Arthur Fabre wrote: > A BPF function can return before its exit instruction: LD_ABS, LD_IND, > and tail_call() can all cause it to return prematurely. > > When such a function is called by another BPF function, the verifier > doesn't take this into account when calculating the bounds of r0 in the > caller after the callee returns. I've just realized r0 isn't he only problem: a caller can pass a reference to its stack to a callee, and the verifier also tracks the value of this. If the callee writes to the caller's stack after the abnormal return (tail_call, ld_abs), the verifier will also incorrectly assume the write always happens. I think we need to treat these abnormal returns as a branch that can exit. That way the verifier will explore both possibilities, and the combined result will really reflect what can happen. I'll try that out for a v3.