On Tue, Jul 22, 2025 at 03:28:40PM -0700, Martin KaFai Lau wrote: > On 7/22/25 7:32 AM, Paul Chaignon wrote: > > The following BPF program, simplified from a syzkaller repro, causes a > > kernel warning: > > > > r0 = *(u8 *)(r1 + 169); > > exit; > > > > With pointer field sk being at offset 168 in __sk_buff. This access is > > detected as a narrower read in bpf_skb_is_valid_access because it > > doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed > > and later proceeds to bpf_convert_ctx_access. At that point, > > target_size is null and the verifier errors with a kernel warning and: > > I think it meant target_size is 0. I suspect !cnt is the condition causing > the 'verifier bug: ...'. Please check. No need to resend. The patch lgtm. I also initially though the error was triggered because cnt was 0, but it is not. In case of narrower load, the offset is aligned before calling convert_ctx_access, which means we match offsetof(struct __sk_buff, sk) in bpf_convert_ctx_access. An instruction is added and cnt is thus 1. target_size however stays 0 so we hit the verifier bug error.
