On Mon, Dec 16, 2024 at 9:45 AM Arthur Fabre <afabre@xxxxxxxxxxxxxx> wrote: > > On Fri Dec 13, 2024 at 10:27 PM CET, Arthur Fabre wrote: > > A BPF function can return before its exit instruction: LD_ABS, LD_IND, > > and tail_call() can all cause it to return prematurely. > > > > When such a function is called by another BPF function, the verifier > > doesn't take this into account when calculating the bounds of r0 in the > > caller after the callee returns. > > I've just realized r0 isn't he only problem: a caller can pass a > reference to its stack to a callee, and the verifier also tracks the > value of this. > > If the callee writes to the caller's stack after the abnormal return > (tail_call, ld_abs), the verifier will also incorrectly assume the > write always happens. > > I think we need to treat these abnormal returns as a branch that can > exit. That way the verifier will explore both possibilities, and the > combined result will really reflect what can happen. > I'll try that out for a v3. Good idea. Makes sense to me.