All of lore.kernel.org
 help / color / mirror / Atom feed
From: Yonghong Song <yonghong.song@linux.dev>
To: Paul Chaignon <paul.chaignon@gmail.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	netfilter-devel@vger.kernel.org,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Jozsef Kadlecsik <kadlec@netfilter.org>,
	Petar Penkov <ppenkov@google.com>,
	Florian Westphal <fw@strlen.de>
Subject: Re: [PATCH bpf 3/4] bpf: Improve ctx access verifier error message
Date: Fri, 1 Aug 2025 09:30:53 -0700	[thread overview]
Message-ID: <91bb735f-088e-4346-9b2c-874caf0bc1ce@linux.dev> (raw)
In-Reply-To: <cc94316c30dd76fae4a75a664b61a2dbfe68e205.1754039605.git.paul.chaignon@gmail.com>



On 8/1/25 2:49 AM, Paul Chaignon wrote:
> We've already had two "error during ctx access conversion" warnings
> triggered by syzkaller. Let's improve the error message by dumping the
> cnt variable so that we can more easily differentiate between the
> different error cases.
>
> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
> ---
>   kernel/bpf/verifier.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 399f03e62508..0806295945e4 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -21445,7 +21445,7 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env)
>   					 &target_size);
>   		if (cnt == 0 || cnt >= INSN_BUF_SIZE ||
>   		    (ctx_field_size && !target_size)) {
> -			verifier_bug(env, "error during ctx access conversion");
> +			verifier_bug(env, "error during ctx access conversion (%d)", cnt);

For the above, users still will not know what '(%d)' mean. So if we want to
provide better verification measure, we should do
	if (cnt == 0 || cnt >= INSN_BUF_SIZE) {
		verifier_bug(env, "error during ctx access conversion (insn cnt %d)", cnt);
		return -EFAULT;
	} else if (ctx_field_size && !target_size) {
		verifier_bug(env, "error during ctx access conversion (ctx_field_size %d, target_size 0)", ctx_field_size);
		return -EFAULT;
	}

Another thing. The current log message is:
	verifier bug: error during ctx access conversion (0)(1)

The '(0)' corresponds to insn cnt. The same one is due to the following:

#define verifier_bug_if(cond, env, fmt, args...)                                                \
         ({                                                                                      \
                 bool __cond = (cond);                                                           \
                 if (unlikely(__cond)) {                                                         \
                         BPF_WARN_ONCE(1, "verifier bug: " fmt "(" #cond ")\n", ##args);         \
                         bpf_log(&env->log, "verifier bug: " fmt "(" #cond ")\n", ##args);       \
                 }                                                                               \
                 (__cond);                                                                       \
         })
#define verifier_bug(env, fmt, args...) verifier_bug_if(1, env, fmt, ##args)

Based on the above, the error message '(1)' is always there, esp. for verifier_bug(...) case?
Does this make sense?

>   			return -EFAULT;
>   		}
>   


  parent reply	other threads:[~2025-08-01 16:31 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-01  9:47 [PATCH bpf 1/4] bpf: Check flow_dissector ctx accesses are aligned Paul Chaignon
2025-08-01  9:48 ` [PATCH bpf 2/4] bpf: Check netfilter " Paul Chaignon
2025-08-01 15:54   ` Yonghong Song
2025-08-01 16:06   ` Eduard Zingerman
2025-08-01  9:49 ` [PATCH bpf 3/4] bpf: Improve ctx access verifier error message Paul Chaignon
2025-08-01 16:09   ` Eduard Zingerman
2025-08-01 16:19     ` Paul Chaignon
2025-08-01 16:24       ` Eduard Zingerman
2025-08-01 16:30   ` Yonghong Song [this message]
2025-08-01 21:47     ` Alexei Starovoitov
2025-08-02  0:00       ` Yonghong Song
2025-08-01  9:49 ` [PATCH bpf 4/4] selftests/bpf: Test for unaligned flow_dissector ctx access Paul Chaignon
2025-08-01 16:17   ` Eduard Zingerman
2025-08-01 16:33   ` Yonghong Song
2025-08-01 15:52 ` [PATCH bpf 1/4] bpf: Check flow_dissector ctx accesses are aligned Yonghong Song
2025-08-01 16:04 ` Eduard Zingerman
2025-08-01 16:30 ` patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=91bb735f-088e-4346-9b2c-874caf0bc1ce@linux.dev \
    --to=yonghong.song@linux.dev \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=fw@strlen.de \
    --cc=kadlec@netfilter.org \
    --cc=martin.lau@linux.dev \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=paul.chaignon@gmail.com \
    --cc=ppenkov@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.