On 7/23/25 1:13 AM, Paul Chaignon wrote:
On Tue, Jul 22, 2025 at 03:28:40PM -0700, Martin KaFai Lau wrote:
On 7/22/25 7:32 AM, Paul Chaignon wrote:
The following BPF program, simplified from a syzkaller repro, causes a
kernel warning:
r0 = *(u8 *)(r1 + 169);
exit;
With pointer field sk being at offset 168 in __sk_buff. This access is
detected as a narrower read in bpf_skb_is_valid_access because it
doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
and later proceeds to bpf_convert_ctx_access. At that point,
target_size is null and the verifier errors with a kernel warning and:
I think it meant target_size is 0. I suspect !cnt is the condition causing
the 'verifier bug: ...'. Please check. No need to resend. The patch lgtm.
I also initially though the error was triggered because cnt was 0, but
it is not. In case of narrower load, the offset is aligned before
calling convert_ctx_access, which means we match
offsetof(struct __sk_buff, sk) in bpf_convert_ctx_access. An
instruction is added and cnt is thus 1. target_size however stays 0 so
we hit the verifier bug error.
Got it. I have added this details to the commit message. Applied. Thanks!
