From 53099ca2742ec852dc2d83ccefff1d613d243f4d Mon Sep 17 00:00:00 2001
From: Luis Gerhorst <gerhorst@cs.fau.de>
Date: Wed, 31 Jan 2024 17:33:54 +0100
Subject: [PATCH] bpf: sysctl for bpf_complexity_limit_insns (for parca-agent)
---
 include/linux/bpf.h | 2 +-
 kernel/bpf/syscall.c | 10 +++++++++-
 kernel/bpf/verifier.c | 4 ++--
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index df8a260b1fc4..8f74a65aae23 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1660,7 +1660,7 @@ struct bpf_array {
 };
 };
-#define BPF_COMPLEXITY_LIMIT_INSNS 1000000 /* yes. 1M insns */
+extern int bpf_complexity_limit_insns;
 #define MAX_TAIL_CALL_CNT 33
 /* Maximum number of loops for bpf_loop and bpf_iter_num.
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 4dfb7f225504..7cbd88b7fb04 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -58,6 +58,7 @@ static DEFINE_SPINLOCK(link_idr_lock);
 int sysctl_unprivileged_bpf_disabled __read_mostly = IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0;
+int bpf_complexity_limit_insns = 1000000; /* yes. 1M insns */
 int bpf_complexity_limit_jmp_seq = 8192;
 int bpf_spec_v1 = 0;
 int bpf_spec_v1_complexity_limit_jmp_seq = 4096;
@@ -2588,7 +2589,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
 return -EPERM;
 if (attr->insn_cnt == 0 ||
- attr->insn_cnt > (bpf_capable() ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS))
+ attr->insn_cnt > (bpf_capable() ? bpf_complexity_limit_insns : BPF_MAXINSNS))
 return -E2BIG;
 if (type != BPF_PROG_TYPE_SOCKET_FILTER && type != BPF_PROG_TYPE_CGROUP_SKB &&
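Review bot: In bpf_prog_load the new bound is a signed `int` compared against `attr->insn_cnt` (a `__u32` in the UAPI header), so a negative value written through the sysctl is converted to a very large unsigned number and the size check stops rejecting anything for bpf_capable() callers, while zero rejects every load. The same variable bounds the processed-instruction counter in the do_check hunk of kernel/bpf/verifier.c, where a negative value would likewise disable the complexity limit if `insn_processed` is unsigned. The table entry in the `@@ -5486` hunk should reject such values, e.g. `.proc_handler = proc_dointvec_minmax,` with `.extra1 = SYSCTL_ONE,` and an `.extra2` ceiling chosen deliberately, since that ceiling caps how long the verifier may run. bpf_prog_load's body continues outside the hunk.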
@@ -5486,6 +5487,13 @@ static struct ctl_table bpf_syscall_table[] = {
 .mode = 0644,
 .proc_handler = bpf_stats_handler,
 },
+ {
+ .procname = "bpf_complexity_limit_insns",
+ .data = &bpf_complexity_limit_insns,
+ .maxlen = sizeof(bpf_complexity_limit_insns),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
 {
 .procname = "bpf_complexity_limit_jmp_seq",
 .data = &bpf_complexity_limit_jmp_seq,
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 043be689adcd..a1f83bce2528 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16227,7 +16227,7 @@ static int do_check(struct bpf_verifier_env *env)
 insn = &insns[env->insn_idx];
 class = BPF_CLASS(insn->code);
- if (++env->insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
+ if (++env->insn_processed > bpf_complexity_limit_insns) {
 verbose(env, "BPF program is too large. Processed %d insn\n", env->insn_processed);
@@ -18916,7 +18916,7 @@ static void print_verification_stats(struct bpf_verifier_env *env)
 }
 verbose(env, "processed %d insns (limit %d) max_states_per_insn %d " "total_states %d peak_states %d mark_read %d\n",
- env->insn_processed, BPF_COMPLEXITY_LIMIT_INSNS,
+ env->insn_processed, bpf_complexity_limit_insns,
 env->max_states_per_insn, env->total_states, env->peak_states, env->longest_mark_read_walk);
 }
-- 
GitLab
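Review bot: Writes to the new `bpf_complexity_limit_insns` entry are gated only by the 0644 file mode, because `proc_dointvec` performs no capability check of its own. The entry directly above goes through `bpf_stats_handler`; if that handler requires CAP_SYS_ADMIN on write, as it appears to upstream, this knob relaxes a verifier safety limit and should get an equivalent check through a small wrapper handler. The entry would also benefit from a comment giving the unit and default, e.g. `/* max insns the verifier may process per program; default 1000000 */`. The table starts and ends outside the hunk.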
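Review bot: The limit in do_check is now a plain global that is re-read on every processed instruction while a sysctl write may change it concurrently, so the bound can move in the middle of one verification, and the value printed by print_verification_stats (the `@@ -18916` hunk) may differ from the one that was enforced. Reading it once per program load and using that snapshot in both places would keep the check and the log consistent; at minimum the access should be marked, `if (++env->insn_processed > READ_ONCE(bpf_complexity_limit_insns)) {`. do_check starts and ends outside the hunk.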