bpf: fix max call depth check

fix off by one error in max call depth check
and add a test

Fixes: f4d7e40a5b71 ("bpf: introduce function calls (verification)")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 738e919..52ad60b 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2126,9 +2126,9 @@ static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
        struct bpf_func_state *caller, *callee;
        int i, subprog, target_insn;
 
-       if (state->curframe >= MAX_CALL_FRAMES) {
+       if (state->curframe + 1 >= MAX_CALL_FRAMES) {
                verbose(env, "the call stack of %d frames is too deep\n",
-                       state->curframe);
+                       state->curframe + 2);
                return -E2BIG;
        }
 

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index b5a7a6c..5d0a574 100644 (file)
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -8885,6 +8885,41 @@ static struct bpf_test tests[] = {
                .errstr = "combined stack",
        },
        {
+               "calls: stack depth check using three frames. test5",
+               .insns = {
+                       /* main */
+                       BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
+                       BPF_EXIT_INSN(),
+                       /* A */
+                       BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
+                       BPF_EXIT_INSN(),
+                       /* B */
+                       BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
+                       BPF_EXIT_INSN(),
+                       /* C */
+                       BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
+                       BPF_EXIT_INSN(),
+                       /* D */
+                       BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
+                       BPF_EXIT_INSN(),
+                       /* E */
+                       BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
+                       BPF_EXIT_INSN(),
+                       /* F */
+                       BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
+                       BPF_EXIT_INSN(),
+                       /* G */
+                       BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
+                       BPF_EXIT_INSN(),
+                       /* H */
+                       BPF_MOV64_IMM(BPF_REG_0, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .prog_type = BPF_PROG_TYPE_XDP,
+               .errstr = "call stack",
+               .result = REJECT,
+       },
+       {
                "calls: spill into caller stack frame",
                .insns = {
                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),