This trades verification complexity for runtime overheads due to the nospec inserted because of the EINVAL. With increased limits this allows applying mitigations to large BPF progs such as the Parca Continuous Profiler's prog. However, this requires a jump-seq limit of 256k. In any case, the same principle should apply to smaller programs therefore include it even if the limit stays at 8k for now. Most programs in "VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel Extensions" (https://arxiv.org/pdf/2405.00078) only require a limit of 32k. Signed-off-by: Luis Gerhorst <luis.gerhorst@xxxxxx> Acked-by: Henriette Herzog <henriette.herzog@xxxxxx> Cc: Maximilian Ott <ott@xxxxxxxxx> Cc: Milan Stephan <milan.stephan@xxxxxx> --- kernel/bpf/verifier.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 033780578966..bde4ae1ea637 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -187,6 +187,7 @@ struct bpf_verifier_stack_elem { }; #define BPF_COMPLEXITY_LIMIT_JMP_SEQ 8192 +#define BPF_COMPLEXITY_LIMIT_SPEC_V1_VERIFICATION (BPF_COMPLEXITY_LIMIT_JMP_SEQ / 2) #define BPF_COMPLEXITY_LIMIT_STATES 64 #define BPF_MAP_KEY_POISON (1ULL << 63) @@ -1933,6 +1934,19 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env, struct bpf_verifier_stack_elem *elem; int err; + if (!env->bypass_spec_v1 && + cur->speculative && + env->stack_size > BPF_COMPLEXITY_LIMIT_SPEC_V1_VERIFICATION) { + /* Avoiding nested speculative path verification because we are + * close to exceeding the jump sequence complexity limit. Will + * instead insert a speculation barrier which will impact + * performace. To improve performance, authors should reduce the + * program's complexity. Barrier will be inserted in + * do_check(). + */ + return ERR_PTR(-EINVAL); + } + elem = kzalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL); if (!elem) { err = -ENOMEM; -- 2.48.1
