From: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>
To: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>, <bpf@vger.kernel.org>
Cc: "Alexei Starovoitov" <ast@kernel.org>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Emil Tsalapatis" <emil@etsalapatis.com>, <kkd@meta.com>,
<kernel-team@meta.com>
Subject: Re: [PATCH bpf-next v2 12/17] bpf: Report Execution Context Safety errors
Date: Fri, 19 Jun 2026 16:44:56 -0700 [thread overview]
Message-ID: <DJDFBZS7ZEYD.YWY8TUQ7ULJS@gmail.com> (raw)
In-Reply-To: <20260619205934.1312876-13-memxor@gmail.com>
On Fri Jun 19, 2026 at 1:59 PM PDT, Kumar Kartikeya Dwivedi wrote:
> Augment selected sleepability and critical-section failures with Execution
> Context Safety reports. Keep the existing verifier messages and add source
> context, path history, and suggestions tied to the active context.
>
> Use the context history recorded earlier to anchor causal paths to lock, IRQ,
> RCU, and preempt regions instead of unrelated register updates.
>
> Cover global calls while holding a lock, sleepable global function calls,
> sleepable helpers, sleepable kfunc calls from disallowed contexts, operations
> that exit while a context is still active, and unmatched context exits.
>
> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> ---
> kernel/bpf/diagnostics.c | 165 +++++++++++++++++++++++++++++++++++++++
> kernel/bpf/diagnostics.h | 14 ++++
> kernel/bpf/verifier.c | 114 +++++++++++++++++++++++++++
> 3 files changed, 293 insertions(+)
>
> diff --git a/kernel/bpf/diagnostics.c b/kernel/bpf/diagnostics.c
> index 19e72b07afc1..7c903e502973 100644
> --- a/kernel/bpf/diagnostics.c
> +++ b/kernel/bpf/diagnostics.c
> @@ -844,6 +844,7 @@ static u32 bpf_diag_current_frameno(const struct bpf_verifier_env *env)
> }
>
> static int bpf_diag_stack_argno(u8 slot);
> +static const char *bpf_diag_context_name(enum bpf_diag_context_kind kind);
>
> void bpf_diag_report_register_type(struct bpf_verifier_env *env,
> u32 insn_idx, int regno,
> @@ -953,6 +954,170 @@ void bpf_diag_report_call_type(struct bpf_verifier_env *env, u32 insn_idx,
> bpf_diag_report_suggestion(env, "%s", suggestion);
> }
>
> +static const char *bpf_diag_context_constraint(enum bpf_diag_context_kind kind)
> +{
> + switch (kind) {
> + case BPF_DIAG_CONTEXT_RCU:
> + return "RCU read-side critical sections cannot call operations that may sleep";
> + case BPF_DIAG_CONTEXT_PREEMPT:
> + return "preemption-disabled code cannot call operations that may sleep";
> + case BPF_DIAG_CONTEXT_IRQ:
> + return "IRQ-disabled code cannot call operations that may sleep";
> + case BPF_DIAG_CONTEXT_LOCK:
> + return "code holding a BPF spin lock cannot call operations that may sleep";
> + case BPF_DIAG_CONTEXT_NONE:
> + default:
> + return NULL;
> + }
> +}
> +
> +static void bpf_diag_format_active_context(char *buf, size_t size, u32 depth,
> + const char *context)
> +{
> + if (depth == 1)
> + scnprintf(buf, size, "an active %s (depth 1)", context);
> + else
> + scnprintf(buf, size, "%u active %ss (depth %u)", depth,
> + context, depth);
> +}
> +
> +static u32 bpf_diag_context_depth(struct bpf_verifier_env *env,
> + enum bpf_diag_context_kind kind)
> +{
> + switch (kind) {
> + case BPF_DIAG_CONTEXT_RCU:
> + return env->cur_state->active_rcu_locks;
> + case BPF_DIAG_CONTEXT_PREEMPT:
> + return env->cur_state->active_preempt_locks;
> + case BPF_DIAG_CONTEXT_IRQ:
> + return env->cur_state->active_irq_id ? 1 : 0;
> + case BPF_DIAG_CONTEXT_LOCK:
> + return env->cur_state->active_locks;
> + case BPF_DIAG_CONTEXT_NONE:
> + default:
> + return 0;
> + }
> +}
> +
> +void bpf_diag_report_execution_context(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *context,
> + const char *suggestion)
> +{
> + u32 depth = bpf_diag_context_depth(env, ctx_kind);
> + struct bpf_diag_history_opts opts = {
> + .scope = BPF_DIAG_HISTORY_SCOPE_CONTEXT,
> + .ctx_kind = ctx_kind,
> + .ctx_depth = depth,
> + };
> + const char *depth_buf;
> +
> + bpf_diag_report_header(env, BPF_DIAG_CATEGORY_EXECUTION_CONTEXT_SAFETY,
> + "operation is not allowed in this context");
> + if (bpf_diag_context_constraint(ctx_kind)) {
> + if (depth) {
> + depth_buf = bpf_diag_scratch_buf(env,
> + 2,
> + NULL);
> + if (depth_buf)
> + bpf_diag_format_active_context((char *)depth_buf,
> + BPF_DIAG_SCRATCH_STR_LEN,
> + depth, context);
> + else
> + depth_buf = "";
> + bpf_diag_report_reason(env,
> + "The operation %s cannot be used in %s because %s. This path is still inside %s.",
> + operation, context,
> + bpf_diag_context_constraint(ctx_kind),
> + depth_buf);
> + } else {
> + bpf_diag_report_reason(env,
> + "The operation %s cannot be used in %s because %s.",
> + operation, context,
> + bpf_diag_context_constraint(ctx_kind));
> + }
> + } else {
> + bpf_diag_report_reason(env,
> + "The operation %s cannot be used in %s.",
> + operation, context);
> + }
> +
> + bpf_diag_report_section(env, "At");
> + bpf_diag_report_source(env, insn_idx, "error",
> + "%s is not allowed in %s", operation, context);
> +
> + if (ctx_kind != BPF_DIAG_CONTEXT_NONE)
> + bpf_diag_print_history(env, &opts);
> +
> + bpf_diag_report_suggestion(env, "%s", suggestion);
> +}
> +
> +void bpf_diag_report_context_still_active(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *context,
> + const char *suggestion)
> +{
> + u32 depth = bpf_diag_context_depth(env, ctx_kind);
> + struct bpf_diag_history_opts opts = {
> + .scope = BPF_DIAG_HISTORY_SCOPE_CONTEXT,
> + .ctx_kind = ctx_kind,
> + .ctx_depth = depth,
> + };
> + const char *depth_buf;
> +
> + depth_buf = bpf_diag_scratch_buf(env, 2, NULL);
> + if (depth_buf)
> + bpf_diag_format_active_context((char *)depth_buf,
> + BPF_DIAG_SCRATCH_STR_LEN, depth,
> + context);
> + else
> + depth_buf = "";
> +
> + bpf_diag_report_header(env, BPF_DIAG_CATEGORY_EXECUTION_CONTEXT_SAFETY,
> + "operation is not allowed in this context");
> + bpf_diag_report_reason(env,
> + "The operation %s cannot be used while this path is still inside %s. Leave the region before this operation.",
> + operation, depth_buf);
> +
> + bpf_diag_report_section(env, "At");
> + bpf_diag_report_source(env, insn_idx, "error",
> + "%s is not allowed before leaving %s",
> + operation, context);
> +
> + bpf_diag_print_history(env, &opts);
> +
> + bpf_diag_report_suggestion(env, "%s", suggestion);
> +}
> +
> +void bpf_diag_report_context_underflow(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *suggestion)
> +{
> + struct bpf_diag_history_opts opts = {
> + .scope = BPF_DIAG_HISTORY_SCOPE_CONTEXT,
> + .ctx_kind = ctx_kind,
> + };
> + const char *context = bpf_diag_context_name(ctx_kind);
> +
> + bpf_diag_report_header(env, BPF_DIAG_CATEGORY_EXECUTION_CONTEXT_SAFETY,
> + "unmatched context exit");
> + bpf_diag_report_reason(env,
> + "The operation %s tries to leave %s, but this path has no active %s to leave. The current depth is 0.",
> + operation, context, context);
> +
> + bpf_diag_report_section(env, "At");
> + bpf_diag_report_source(env, insn_idx, "error",
> + "%s has no matching enter on this path",
> + operation);
> +
> + bpf_diag_print_history(env, &opts);
> +
> + bpf_diag_report_suggestion(env, "%s", suggestion);
> +}
> +
> void bpf_diag_report_invalid_deref(struct bpf_verifier_env *env, u32 insn_idx,
> int regno, const char *reg_name,
> const char *type_name,
> diff --git a/kernel/bpf/diagnostics.h b/kernel/bpf/diagnostics.h
> index 07d06d366f22..4611d94e7a18 100644
> --- a/kernel/bpf/diagnostics.h
> +++ b/kernel/bpf/diagnostics.h
> @@ -202,6 +202,20 @@ void bpf_diag_report_call_type(struct bpf_verifier_env *env, u32 insn_idx,
> int argno, int regno, int stack_arg_slot,
> const char *call_name, const char *arg_name,
> const char *reason, const char *suggestion);
> +void bpf_diag_report_execution_context(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *context,
> + const char *suggestion);
> +void bpf_diag_report_context_still_active(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *context,
> + const char *suggestion);
> +void bpf_diag_report_context_underflow(struct bpf_verifier_env *env,
> + u32 insn_idx, const char *operation,
> + enum bpf_diag_context_kind ctx_kind,
> + const char *suggestion);
The names are overly long which pushes indent way to far to the right.
Maybe one bpf_diag() helper with enum that multiplexes
"execution context" vs "context still active" vs ...
next prev parent reply other threads:[~2026-06-19 23:44 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 20:59 [PATCH bpf-next v2 00/17] Redesign Verification Errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 01/17] bpf: Add verifier diagnostics report helpers Kumar Kartikeya Dwivedi
2026-06-19 21:09 ` sashiko-bot
2026-06-19 20:59 ` [PATCH bpf-next v2 02/17] bpf: Add source and instruction diagnostic context Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 03/17] bpf: Add verifier diagnostic event log Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 04/17] bpf: Prune verifier diagnostics on backtracking Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 05/17] bpf: Track verifier register diagnostic events Kumar Kartikeya Dwivedi
2026-06-19 21:18 ` sashiko-bot
2026-06-19 23:35 ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 06/17] bpf: Track verifier reference " Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 07/17] bpf: Track verifier context " Kumar Kartikeya Dwivedi
2026-06-19 21:13 ` sashiko-bot
2026-06-19 21:19 ` Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 08/17] bpf: Report Register Type Safety errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 09/17] bpf: Report Memory Safety bounds errors Kumar Kartikeya Dwivedi
2026-06-19 21:46 ` bot+bpf-ci
2026-06-19 23:40 ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 10/17] bpf: Report Resource Lifetime reference leaks Kumar Kartikeya Dwivedi
2026-06-19 21:12 ` sashiko-bot
2026-06-19 23:42 ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 11/17] bpf: Report Call Type Safety argument errors Kumar Kartikeya Dwivedi
2026-06-19 21:47 ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 12/17] bpf: Report Execution Context Safety errors Kumar Kartikeya Dwivedi
2026-06-19 21:19 ` sashiko-bot
2026-06-19 23:44 ` Alexei Starovoitov [this message]
2026-06-19 20:59 ` [PATCH bpf-next v2 13/17] bpf: Report Program Structure CFG errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 14/17] bpf: Report Policy helper and kfunc errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 15/17] bpf: Report Verifier Limit errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 16/17] bpf: Report Verifier Internal errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 17/17] bpf: Gate verifier diagnostics on log level Kumar Kartikeya Dwivedi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJDFBZS7ZEYD.YWY8TUQ7ULJS@gmail.com \
--to=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=kernel-team@meta.com \
--cc=kkd@meta.com \
--cc=memxor@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox