On 7/22/25 7:32 AM, Paul Chaignon wrote:
> The following BPF program, simplified from a syzkaller repro, causes a
> kernel warning:
>
>   r0 = *(u8 *)(r1 + 169);
>   exit;
>
> With pointer field sk being at offset 168 in __sk_buff. This access is
> detected as a narrower read in bpf_skb_is_valid_access because it doesn't
> match offsetof(struct __sk_buff, sk). It is therefore allowed and later
> proceeds to bpf_convert_ctx_access. At that point, target_size is null
> and the verifier errors with a kernel warning and:
I think it meant target_size is 0. I suspect !cnt is the condition causing the 'verifier bug: ...'. Please check. No need to resend. The patch lgtm.