From: sashiko-bot@kernel.org
To: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v1 09/17] bpf: Report Memory Safety bounds errors
Date: Fri, 05 Jun 2026 06:45:52 +0000 [thread overview]
Message-ID: <20260605064553.467DA1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260605063412.974640-10-memxor@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Diagnostic message for `BPF_DIAG_MEM_NEGATIVE_MIN` prints a large positive number instead of a negative number when `reg_smin(reg)` is `S64_MIN` and `off` is negative, due to signed 64-bit integer wrap-around.
--
commit 176ba692cb9724623bf456ca5401c93a61c5ea8d
Author: Kumar Kartikeya Dwivedi <memxor@gmail.com>
bpf: Report Memory Safety bounds errors
This commit augments check_mem_region_access() range-proof failures with Memory
Safety reports. The existing terse verifier messages remain in place for
compatibility while the new report adds the failed proof, source context,
causal path, and guidance.
> diff --git a/kernel/bpf/diagnostics.c b/kernel/bpf/diagnostics.c
> index 920ac17758c20..0abe1ab19d252 100644
> --- a/kernel/bpf/diagnostics.c
> +++ b/kernel/bpf/diagnostics.c
[ ... ]
> +void bpf_diag_report_mem_bounds(struct bpf_verifier_env *env, u32 insn_idx,
> + int regno, const char *reg_name,
> + const char *type_name,
> + enum bpf_diag_mem_bounds_kind kind,
> + int off, int size, u32 mem_size,
> + const struct bpf_reg_state *reg)
> +{
[ ... ]
> + switch (kind) {
> + case BPF_DIAG_MEM_NEGATIVE_MIN:
> + scnprintf(proof, sizeof(proof),
> + "The smallest possible offset is %lld, below 0",
> + reg_smin(reg) + off);
> + break;
[Severity: Medium]
Will this print a contradictory positive number instead of a negative one when
reg_smin(reg) is S64_MIN and off is negative?
Looking at the caller in check_mem_region_access(), it triggers the
BPF_DIAG_MEM_NEGATIVE_MIN diagnostic if reg_smin(reg) == S64_MIN:
kernel/bpf/verifier.c:check_mem_region_access() {
if (reg_smin(reg) < 0 &&
(reg_smin(reg) == S64_MIN ||
...)) {
bpf_diag_report_mem_bounds(..., BPF_DIAG_MEM_NEGATIVE_MIN, ...);
}
}
If off is negative, reg_smin(reg) + off will underflow S64_MIN and wrap around
to a huge positive number like 9223372036854775807. The diagnostic output might
then read something confusing like:
"The smallest possible offset is 9223372036854775807, below 0"
Unlike the max bounds case which correctly handles wrapping, the min bounds
case appears to evaluate this unconditionally.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260605063412.974640-1-memxor@gmail.com?part=9
next prev parent reply other threads:[~2026-06-05 6:45 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 6:33 [PATCH bpf-next v1 00/17] Redesign Verification Errors Kumar Kartikeya Dwivedi
2026-06-05 6:33 ` [PATCH bpf-next v1 01/17] bpf: Add verifier diagnostics report helpers Kumar Kartikeya Dwivedi
2026-06-05 6:42 ` sashiko-bot
2026-06-05 7:40 ` bot+bpf-ci
2026-06-05 18:58 ` Eduard Zingerman
2026-06-05 6:33 ` [PATCH bpf-next v1 02/17] bpf: Define verifier diagnostic categories Kumar Kartikeya Dwivedi
2026-06-05 19:10 ` Eduard Zingerman
2026-06-05 6:33 ` [PATCH bpf-next v1 03/17] bpf: Add source and instruction diagnostic context Kumar Kartikeya Dwivedi
2026-06-05 8:48 ` sashiko-bot
2026-06-05 20:22 ` Eduard Zingerman
2026-06-05 20:55 ` Kumar Kartikeya Dwivedi
2026-06-05 21:07 ` Eduard Zingerman
2026-06-05 6:33 ` [PATCH bpf-next v1 04/17] bpf: Track verifier branch diagnostic history Kumar Kartikeya Dwivedi
2026-06-05 6:50 ` sashiko-bot
2026-06-05 7:57 ` bot+bpf-ci
2026-06-05 21:41 ` Eduard Zingerman
2026-06-05 21:37 ` Eduard Zingerman
2026-06-05 6:33 ` [PATCH bpf-next v1 05/17] bpf: Track verifier register " Kumar Kartikeya Dwivedi
2026-06-05 6:53 ` sashiko-bot
2026-06-05 7:40 ` bot+bpf-ci
2026-06-05 22:31 ` Eduard Zingerman
2026-06-05 6:33 ` [PATCH bpf-next v1 06/17] bpf: Track verifier reference " Kumar Kartikeya Dwivedi
2026-06-05 6:33 ` [PATCH bpf-next v1 07/17] bpf: Track verifier context " Kumar Kartikeya Dwivedi
2026-06-05 6:46 ` sashiko-bot
2026-06-05 7:22 ` bot+bpf-ci
2026-06-05 6:33 ` [PATCH bpf-next v1 08/17] bpf: Report Register Type Safety errors Kumar Kartikeya Dwivedi
2026-06-05 6:57 ` sashiko-bot
2026-06-05 7:23 ` bot+bpf-ci
2026-06-05 6:33 ` [PATCH bpf-next v1 09/17] bpf: Report Memory Safety bounds errors Kumar Kartikeya Dwivedi
2026-06-05 6:45 ` sashiko-bot [this message]
2026-06-05 7:57 ` bot+bpf-ci
2026-06-05 6:34 ` [PATCH bpf-next v1 10/17] bpf: Report Resource Lifetime reference leaks Kumar Kartikeya Dwivedi
2026-06-05 6:45 ` sashiko-bot
2026-06-05 7:22 ` bot+bpf-ci
2026-06-05 6:34 ` [PATCH bpf-next v1 11/17] bpf: Report Call Type Safety argument errors Kumar Kartikeya Dwivedi
2026-06-05 6:47 ` sashiko-bot
2026-06-05 7:23 ` bot+bpf-ci
2026-06-05 6:34 ` [PATCH bpf-next v1 12/17] bpf: Report Execution Context Safety errors Kumar Kartikeya Dwivedi
2026-06-05 6:46 ` sashiko-bot
2026-06-05 7:23 ` bot+bpf-ci
2026-06-05 6:34 ` [PATCH bpf-next v1 13/17] bpf: Report Program Structure CFG errors Kumar Kartikeya Dwivedi
2026-06-05 6:51 ` sashiko-bot
2026-06-05 7:22 ` bot+bpf-ci
2026-06-05 6:34 ` [PATCH bpf-next v1 14/17] bpf: Report Policy helper and kfunc errors Kumar Kartikeya Dwivedi
2026-06-05 7:02 ` sashiko-bot
2026-06-05 6:34 ` [PATCH bpf-next v1 15/17] bpf: Report Verifier Limit errors Kumar Kartikeya Dwivedi
2026-06-05 6:53 ` sashiko-bot
2026-06-05 7:40 ` bot+bpf-ci
2026-06-05 6:34 ` [PATCH bpf-next v1 16/17] bpf: Report Verifier Internal errors Kumar Kartikeya Dwivedi
2026-06-05 6:34 ` [PATCH bpf-next v1 17/17] bpf: Gate verifier diagnostics on log level Kumar Kartikeya Dwivedi
2026-06-05 6:58 ` sashiko-bot
2026-06-05 7:40 ` bot+bpf-ci
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605064553.467DA1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=memxor@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox