Re: [PATCH bpf-next v2 10/17] bpf: Report Resource Lifetime reference leaks

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Diagnostic history for nested IRQ-disabled regions prints the wrong context.
--

commit 3353d537a1807034f6c2c245d23ed71ed9b90936
Author: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Subject: bpf: Report Resource Lifetime reference leaks

Augment selected Resource Lifetime Safety failures with structured diagnostics
while preserving the existing verifier messages. Report unreleased references
from check_reference_leak() using reference-scoped diagnostic history, and add
state reports for dynptr, iterator, lock, and IRQ-flag lifetime misuse.

> diff --git a/kernel/bpf/diagnostics.c b/kernel/bpf/diagnostics.c
> index 933540eb105bf..e9c58f84ec89e 100644
> --- a/kernel/bpf/diagnostics.c
> +++ b/kernel/bpf/diagnostics.c
[ ... ]
> @@ -1702,6 +1702,71 @@ void bpf_diag_report_mem_bounds(struct bpf_verifier_env *env, u32 insn_idx,
[ ... ]
> +void bpf_diag_report_irq_resource_state(struct bpf_verifier_env *env,
> +					u32 insn_idx, const char *problem,
> +					const char *reason,
> +					const char *suggestion,
> +					u32 depth)
> +{
> +	struct bpf_diag_history_opts opts = {
> +		.scope = BPF_DIAG_HISTORY_SCOPE_CONTEXT,
> +		.ctx_kind = BPF_DIAG_CONTEXT_IRQ,
> +		.ctx_depth = depth,
> +	};
> +
> +	bpf_diag_report_header(env, BPF_DIAG_CATEGORY_RESOURCE_LIFETIME_SAFETY,
> +			       problem);
> +	bpf_diag_report_reason(env, "%s", reason);
> +
> +	bpf_diag_report_section(env, "At");
> +	bpf_diag_report_source(env, insn_idx, "error", "%s", problem);
> +
> +	if (depth)
> +		bpf_diag_print_history(env, &opts);

[Severity: Medium]
Will this diagnostic history print the correct context for nested
IRQ-disabled regions?

In acquire_irq_state(), the depth parameter passed to bpf_diag_record_context()
is hardcoded to 1 regardless of whether bpf_local_irq_save() calls are nested:

kernel/bpf/verifier.c:acquire_irq_state() {
	...
	state->active_irq_id = s->id;
	bpf_diag_record_context(env, insn_idx, BPF_DIAG_CONTEXT_IRQ, true, 1);
	return s->id;
}

Because BPF allows nested IRQ-disabled regions, a sequence of nested saves
will all emit enter events with depth 1. When an inner region is properly
restored, its leave event is also recorded as depth 1.

If a diagnostic report is triggered later while still in the outer IRQ region,
bpf_diag_history_context_start_idx() searches backwards, skips the leave event
(as it only stops on leave if depth is 0), and incorrectly matches the enter
event of the already closed inner region.

Does the verifier need to track the actual nesting level instead of hardcoding 1
so that bpf_diag_history_context_start_idx() finds the currently active outer
region?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260619205934.1312876-1-memxor@gmail.com?part=10