From: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>
To: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>, <bpf@vger.kernel.org>
Cc: "Alexei Starovoitov" <ast@kernel.org>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Emil Tsalapatis" <emil@etsalapatis.com>, <kkd@meta.com>,
<kernel-team@meta.com>
Subject: Re: [PATCH bpf-next v2 12/17] bpf: Report Execution Context Safety errors
Date: Fri, 19 Jun 2026 16:44:56 -0700 [thread overview]
Message-ID: <DJDFBZS7ZEYD.YWY8TUQ7ULJS@gmail.com> (raw)
In-Reply-To: <20260619205934.1312876-13-memxor@gmail.com>
On Fri Jun 19, 2026 at 1:59 PM PDT, Kumar Kartikeya Dwivedi wrote:
> Augment selected sleepability and critical-section failures with Execution
> Context Safety reports. Keep the existing verifier messages and add source
> context, path history, and suggestions tied to the active context.
>
> Use the context history recorded earlier to anchor causal paths to lock, IRQ,
> RCU, and preempt regions instead of unrelated register updates.
>
> Cover global calls while holding a lock, sleepable global function calls,
> sleepable helpers, sleepable kfunc calls from disallowed contexts, operations
> that exit while a context is still active, and unmatched context exits.
>
> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> ---
> kernel/bpf/diagnostics.c | 165 +++++++++++++++++++++++++++++++++++++++
> kernel/bpf/diagnostics.h | 14 ++++
> kernel/bpf/verifier.c | 114 +++++++++++++++++++++++++++
> 3 files changed, 293 insertions(+)
>
> diff --git a/kernel/bpf/diagnostics.c b/kernel/bpf/diagnostics.c
> index 19e72b07afc1..7c903e502973 100644
> --- a/kernel/bpf/diagnostics.c
> +++ b/kernel/bpf/diagnostics.c
> @@ -844,6 +844,7 @@ static u32 bpf_diag_current_frameno(const struct bpf_verifier_env *env)
> }
>
> static int bpf_diag_stack_argno(u8 slot);
> +static const char *bpf_diag_context_name(enum bpf_diag_context_kind kind);
>
> void bpf_diag_report_register_type(struct bpf_verifier_env *env,
> u32 insn_idx, int regno,
> @@ -953,6 +954,170 @@ void bpf_diag_report_call_type(struct bpf_verifier_env *env, u32 insn_idx,
> bpf_diag_report_suggestion(env, "%s", suggestion);
> }
>
> +static const char *bpf_diag_context_constraint(enum bpf_diag_context_kind kind)
> +{
> + switch (kind) {
> + case BPF_DIAG_CONTEXT_RCU:
> + return "RCU read-side critical sections cannot call operations that may sleep";
> + case BPF_DIAG_CONTEXT_PREEMPT:
> + return "preemption-disabled code cannot call operations that may sleep";
> + case BPF_DIAG_CONTEXT_IRQ:
> + return "IRQ-disabled code cannot call operations that may sleep";
> + case BPF_DIAG_CONTEXT_LOCK:
> + return "code holding a BPF spin lock cannot call operations that may sleep";
> + case BPF_DIAG_CONTEXT_NONE:
> + default:
> + return NULL;
> + }
> +}
> +
> +static void bpf_diag_format_active_context(char *buf, size_t size, u32 depth,
> + const char *context)
> +{
> + if (depth == 1)
> + scnprintf(buf, size, "an active %s (depth 1)", context);
> + else
> + scnprintf(buf, size, "%u active %ss (depth %u)", depth,
> + context, depth);
> +}
> +
> +static u32 bpf_diag_context_depth(struct bpf_verifier_env *env,
> + enum bpf_diag_context_kind kind)
> +{
> + switch (kind) {
> + case BPF_DIAG_CONTEXT_RCU:
> + return env->cur_state->active_rcu_locks;
> + case BPF_DIAG_CONTEXT_PREEMPT:
> + return env->cur_state->active_preempt_locks;
> + case BPF_DIAG_CONTEXT_IRQ:
> + return env->cur_state->active_irq_id ? 1 : 0;
> + case BPF_DIAG_CONTEXT_LOCK:
> + return env->cur_state->active_locks;
> + case BPF_DIAG_CONTEXT_NONE:
> + default:
> + return 0;
> + }
> +}
> +
> +void bpf_diag_report_execution_context(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *context,
> + const char *suggestion)
> +{
> + u32 depth = bpf_diag_context_depth(env, ctx_kind);
> + struct bpf_diag_history_opts opts = {
> + .scope = BPF_DIAG_HISTORY_SCOPE_CONTEXT,
> + .ctx_kind = ctx_kind,
> + .ctx_depth = depth,
> + };
> + const char *depth_buf;
> +
> + bpf_diag_report_header(env, BPF_DIAG_CATEGORY_EXECUTION_CONTEXT_SAFETY,
> + "operation is not allowed in this context");
> + if (bpf_diag_context_constraint(ctx_kind)) {
> + if (depth) {
> + depth_buf = bpf_diag_scratch_buf(env,
> + 2,
> + NULL);
> + if (depth_buf)
> + bpf_diag_format_active_context((char *)depth_buf,
> + BPF_DIAG_SCRATCH_STR_LEN,
> + depth, context);
> + else
> + depth_buf = "";
> + bpf_diag_report_reason(env,
> + "The operation %s cannot be used in %s because %s. This path is still inside %s.",
> + operation, context,
> + bpf_diag_context_constraint(ctx_kind),
> + depth_buf);
> + } else {
> + bpf_diag_report_reason(env,
> + "The operation %s cannot be used in %s because %s.",
> + operation, context,
> + bpf_diag_context_constraint(ctx_kind));
> + }
> + } else {
> + bpf_diag_report_reason(env,
> + "The operation %s cannot be used in %s.",
> + operation, context);
> + }
> +
> + bpf_diag_report_section(env, "At");
> + bpf_diag_report_source(env, insn_idx, "error",
> + "%s is not allowed in %s", operation, context);
> +
> + if (ctx_kind != BPF_DIAG_CONTEXT_NONE)
> + bpf_diag_print_history(env, &opts);
> +
> + bpf_diag_report_suggestion(env, "%s", suggestion);
> +}
> +
> +void bpf_diag_report_context_still_active(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *context,
> + const char *suggestion)
> +{
> + u32 depth = bpf_diag_context_depth(env, ctx_kind);
> + struct bpf_diag_history_opts opts = {
> + .scope = BPF_DIAG_HISTORY_SCOPE_CONTEXT,
> + .ctx_kind = ctx_kind,
> + .ctx_depth = depth,
> + };
> + const char *depth_buf;
> +
> + depth_buf = bpf_diag_scratch_buf(env, 2, NULL);
> + if (depth_buf)
> + bpf_diag_format_active_context((char *)depth_buf,
> + BPF_DIAG_SCRATCH_STR_LEN, depth,
> + context);
> + else
> + depth_buf = "";
> +
> + bpf_diag_report_header(env, BPF_DIAG_CATEGORY_EXECUTION_CONTEXT_SAFETY,
> + "operation is not allowed in this context");
> + bpf_diag_report_reason(env,
> + "The operation %s cannot be used while this path is still inside %s. Leave the region before this operation.",
> + operation, depth_buf);
> +
> + bpf_diag_report_section(env, "At");
> + bpf_diag_report_source(env, insn_idx, "error",
> + "%s is not allowed before leaving %s",
> + operation, context);
> +
> + bpf_diag_print_history(env, &opts);
> +
> + bpf_diag_report_suggestion(env, "%s", suggestion);
> +}
> +
> +void bpf_diag_report_context_underflow(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *suggestion)
> +{
> + struct bpf_diag_history_opts opts = {
> + .scope = BPF_DIAG_HISTORY_SCOPE_CONTEXT,
> + .ctx_kind = ctx_kind,
> + };
> + const char *context = bpf_diag_context_name(ctx_kind);
> +
> + bpf_diag_report_header(env, BPF_DIAG_CATEGORY_EXECUTION_CONTEXT_SAFETY,
> + "unmatched context exit");
> + bpf_diag_report_reason(env,
> + "The operation %s tries to leave %s, but this path has no active %s to leave. The current depth is 0.",
> + operation, context, context);
> +
> + bpf_diag_report_section(env, "At");
> + bpf_diag_report_source(env, insn_idx, "error",
> + "%s has no matching enter on this path",
> + operation);
> +
> + bpf_diag_print_history(env, &opts);
> +
> + bpf_diag_report_suggestion(env, "%s", suggestion);
> +}
> +
> void bpf_diag_report_invalid_deref(struct bpf_verifier_env *env, u32 insn_idx,
> int regno, const char *reg_name,
> const char *type_name,
> diff --git a/kernel/bpf/diagnostics.h b/kernel/bpf/diagnostics.h
> index 07d06d366f22..4611d94e7a18 100644
> --- a/kernel/bpf/diagnostics.h
> +++ b/kernel/bpf/diagnostics.h
> @@ -202,6 +202,20 @@ void bpf_diag_report_call_type(struct bpf_verifier_env *env, u32 insn_idx,
> int argno, int regno, int stack_arg_slot,
> const char *call_name, const char *arg_name,
> const char *reason, const char *suggestion);
> +void bpf_diag_report_execution_context(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *context,
> + const char *suggestion);
> +void bpf_diag_report_context_still_active(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *context,
> + const char *suggestion);
> +void bpf_diag_report_context_underflow(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *suggestion);
The names are overly long which pushes indent way to far to the right.
Maybe one bpf_diag() helper with enum that multiplexes
"execution context" vs "context still active" vs ...
next prev parent reply other threads:[~2026-06-19 23:44 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 20:59 [PATCH bpf-next v2 00/17] Redesign Verification Errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 01/17] bpf: Add verifier diagnostics report helpers Kumar Kartikeya Dwivedi
2026-06-19 21:09 ` sashiko-bot
2026-06-19 20:59 ` [PATCH bpf-next v2 02/17] bpf: Add source and instruction diagnostic context Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 03/17] bpf: Add verifier diagnostic event log Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 04/17] bpf: Prune verifier diagnostics on backtracking Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 05/17] bpf: Track verifier register diagnostic events Kumar Kartikeya Dwivedi
2026-06-19 21:18 ` sashiko-bot
2026-06-19 23:35 ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 06/17] bpf: Track verifier reference " Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 07/17] bpf: Track verifier context " Kumar Kartikeya Dwivedi
2026-06-19 21:13 ` sashiko-bot
2026-06-19 21:19 ` Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 08/17] bpf: Report Register Type Safety errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 09/17] bpf: Report Memory Safety bounds errors Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 23:40 ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 10/17] bpf: Report Resource Lifetime reference leaks Kumar Kartikeya Dwivedi
2026-06-19 21:12 ` sashiko-bot
2026-06-19 23:42 ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 11/17] bpf: Report Call Type Safety argument errors Kumar Kartikeya Dwivedi
2026-06-19 21:47 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 12/17] bpf: Report Execution Context Safety errors Kumar Kartikeya Dwivedi
2026-06-19 21:19 ` sashiko-bot
2026-06-19 23:44 ` Alexei Starovoitov [this message]
2026-06-19 20:59 ` [PATCH bpf-next v2 13/17] bpf: Report Program Structure CFG errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 14/17] bpf: Report Policy helper and kfunc errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 15/17] bpf: Report Verifier Limit errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 16/17] bpf: Report Verifier Internal errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 17/17] bpf: Gate verifier diagnostics on log level Kumar Kartikeya Dwivedi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJDFBZS7ZEYD.YWY8TUQ7ULJS@gmail.com \
--to=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=kernel-team@meta.com \
--cc=kkd@meta.com \
--cc=memxor@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.