From: Aaron Lu <ziqianlu@bytedance.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
Cc: Andrii Nakryiko <andrii@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Pu Lehui <pulehui@huawei.com>,
Luiz Capitulino <luizcap@amazon.com>,
Wei Wei <weiwei.danny@bytedance.com>,
Yuchen Zhang <zhangyuchen.lcr@bytedance.com>
Subject: Re: Host panic in bpf verifier when loading bpf prog in 5.10 stable kernel
Date: Mon, 16 Jun 2025 15:06:17 +0800
Message-ID: <20250616070617.GA66@bytedance>
In-Reply-To: <20250605070921.GA3795@bytedance>
Ping?
On Thu, Jun 05, 2025 at 03:09:21PM +0800, Aaron Lu wrote:
> Hello,
>
> Wei reported that when loading his bpf prog in the 5.10.200 kernel, the host
> would panic; this didn't happen in the 5.10.135 kernel. A test on the latest
> v5.10.238 still has this panic.
If a fix is not easy for these stable kernels, I think we should revert
this commit, because whatever the bpf prog, the bpf verifier should not
panic the kernel.

Regarding the revert: per my test, the following four commits in the
linux-5.10.y branch have to be reverted, and after that the kernel does
not panic anymore:

commit 2474ec58b96d ("bpf: allow precision tracking for programs with subprogs")
commit 7ca3e7459f4a ("bpf: stop setting precise in current state")
commit 1952a4d5e4cf ("bpf: aggressively forget precise markings during state checkpointing")
commit 4af2d9ddb7e7 ("selftests/bpf: make test_align selftest more robust")
>
> [ 26.531718] BUG: kernel NULL pointer dereference, address: 0000000000000168
> [ 26.538093] #PF: supervisor read access in kernel mode
> [ 26.542727] #PF: error_code(0x0000) - not-present page
> [ 26.548093] PGD 10f3e9067 P4D 10f332067 PUD 10f0c5067 PMD 0
> [ 26.553211] Oops: 0000 [#1] SMP NOPTI
> [ 26.556531] CPU: 2 PID: 541 Comm: main Not tainted 5.10.238-00267-g01e7e36b8606 #63
> [ 26.563816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> [ 26.572357] RIP: 0010:__mark_chain_precision+0x24b/0x4d0
> [ 26.576572] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6
> [ 26.589100] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216
> [ 26.592612] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003
> [ 26.597416] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78
> [ 26.601362] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004
> [ 26.604261] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000
> [ 26.607202] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140
> [ 26.610327] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000
> [ 26.613678] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 26.616105] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0
> [ 26.619059] Call Trace:
> [ 26.620118] adjust_reg_min_max_vals+0x133/0x340
> [ 26.622048] ? krealloc+0x63/0xe0
> [ 26.623435] do_check+0x38c/0xa80
> [ 26.624859] do_check_common+0x15b/0x280
> [ 26.626496] bpf_check+0xbe1/0xd30
> [ 26.627939] ? srso_alias_return_thunk+0x5/0x7f
> [ 26.629796] ? trace_hardirqs_on+0x1a/0xd0
> [ 26.631503] ? srso_alias_return_thunk+0x5/0x7f
> [ 26.633402] bpf_prog_load+0x422/0x8a0
> [ 26.634987] ? srso_alias_return_thunk+0x5/0x7f
> [ 26.636864] ? __handle_mm_fault+0x3cb/0x6d0
> [ 26.638658] ? srso_alias_return_thunk+0x5/0x7f
> [ 26.640543] ? lock_release+0xe3/0x110
> [ 26.642114] __do_sys_bpf+0x485/0xdf0
> [ 26.643624] do_syscall_64+0x33/0x40
> [ 26.645110] entry_SYSCALL_64_after_hwframe+0x67/0xd1
> [ 26.647190] RIP: 0033:0x409a6e
> [ 26.648470] Code: 24 28 44 8b 44 24 2c e9 70 ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48
> [ 26.656154] RSP: 002b:000000c00199edc0 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
> [ 26.659451] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000409a6e
> [ 26.662375] RDX: 0000000000000098 RSI: 000000c00199f290 RDI: 0000000000000005
> [ 26.665267] RBP: 000000c00199ee00 R08: 0000000000000000 R09: 0000000000000000
> [ 26.668204] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
> [ 26.671125] R13: 0000000000000080 R14: 000000c000002380 R15: 8080808080808080
> [ 26.674085] Modules linked in:
> [ 26.675363] CR2: 0000000000000168
> [ 26.676772] ---[ end trace 3fc192ee4dabbf12 ]---
> [ 26.678667] RIP: 0010:__mark_chain_precision+0x24b/0x4d0
> [ 26.680926] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6
> [ 26.688665] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216
> [ 26.690828] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003
> [ 26.693777] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78
> [ 26.696680] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004
> [ 26.699651] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000
> [ 26.702561] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140
> [ 26.705522] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000
> [ 26.708806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 26.711179] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0
> [ 26.714143] Kernel panic - not syncing: Fatal exception
> [ 26.716893] Kernel Offset: disabled
> [ 26.718911] Rebooting in 5 seconds..
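The oops above is the kind of console output a fleet operator wants to triage automatically: which kernel, which process, which kernel function faulted, and whether the crash sits under the bpf verifier (bpf_check() reached from a bpf() syscall). The following parser is an added example written for this page; it is not code from the mail thread or the kernel tree. It runs over a subset of the lines quoted in the report above and uses only the symbol names visible there; the class names, the `classify` heuristic (a fault address below PAGE_SIZE is read as a field dereference through a NULL struct pointer) and the `crashed_in_bpf_verifier` check are assumptions of this example.

```python
"""Parse an x86-64 kernel oops into a triage summary (added example, not kernel code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Subset of the oops lines quoted in the mail above; enough for the parser to work on.
SAMPLE_OOPS = """\
[   26.531718] BUG: kernel NULL pointer dereference, address: 0000000000000168
[   26.538093] #PF: supervisor read access in kernel mode
[   26.553211] Oops: 0000 [#1] SMP NOPTI
[   26.556531] CPU: 2 PID: 541 Comm: main Not tainted 5.10.238-00267-g01e7e36b8606 #63
[   26.572357] RIP: 0010:__mark_chain_precision+0x24b/0x4d0
[   26.616105] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0
[   26.619059] Call Trace:
[   26.620118]  adjust_reg_min_max_vals+0x133/0x340
[   26.622048]  ? krealloc+0x63/0xe0
[   26.623435]  do_check+0x38c/0xa80
[   26.624859]  do_check_common+0x15b/0x280
[   26.626496]  bpf_check+0xbe1/0xd30
[   26.627939]  ? srso_alias_return_thunk+0x5/0x7f
[   26.633402]  bpf_prog_load+0x422/0x8a0
[   26.642114]  __do_sys_bpf+0x485/0xdf0
[   26.643624]  do_syscall_64+0x33/0x40
[   26.645110]  entry_SYSCALL_64_after_hwframe+0x67/0xd1
[   26.647190] RIP: 0033:0x409a6e
[   26.714143] Kernel panic - not syncing: Fatal exception
"""

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
# A stack frame: optional "? " (unreliable entry), then symbol+offset/size.
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)$")
PAGE_SIZE = 4096


@dataclass
class OopsSummary:
    bug: str = ""                      # text after "BUG: "
    fault_addr: Optional[int] = None   # address from the BUG line, if present
    kernel_version: str = ""
    pid: Optional[int] = None
    comm: str = ""
    rip_symbol: str = ""               # kernel-mode RIP (CS 0010) as symbol+off/size
    call_trace: List[str] = field(default_factory=list)  # reliable frames only
    panicked: bool = False


def parse_oops(text: str) -> OopsSummary:
    """Extract the fields a triage pipeline keys on from raw console output."""
    s = OopsSummary()
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if in_trace:
            m = FRAME.match(line)
            if m:
                if not m.group(1):   # drop "? " frames: stale entries the unwinder could not verify
                    s.call_trace.append(m.group(2))
                continue
            in_trace = False         # first non-frame line ends the trace
        if line == "Call Trace:":
            in_trace = True
        elif line.startswith("BUG: ") and not s.bug:
            m = re.match(r"BUG: (.*?)(?:, address: ([0-9a-f]+))?$", line)
            s.bug = m.group(1)
            if m.group(2):
                s.fault_addr = int(m.group(2), 16)
        elif line.startswith("CPU: "):
            m = re.match(r"CPU: \d+ PID: (\d+) Comm: (\S+) .*? (\S+) #\d+$", line)
            if m:
                s.pid, s.comm, s.kernel_version = int(m.group(1)), m.group(2), m.group(3)
        elif line.startswith("RIP: 0010:") and not s.rip_symbol:
            s.rip_symbol = line[len("RIP: 0010:"):]   # only the first (kernel-mode) RIP
        elif line.startswith("Kernel panic"):
            s.panicked = True
    return s


def classify(s: OopsSummary) -> str:
    """Coarse bug class for routing. Heuristic assumed by this example."""
    if "NULL pointer" in s.bug and s.fault_addr is not None and s.fault_addr < PAGE_SIZE:
        return "null-pointer-dereference"   # small offset: a field of a NULL struct
    if "NULL pointer" in s.bug:
        return "null-pointer-dereference-large-offset"
    return "other"


def crashed_in_bpf_verifier(s: OopsSummary) -> bool:
    """True when bpf_check() is on the stack below a bpf() syscall entry."""
    names = [sym.split("+", 1)[0] for sym in [s.rip_symbol] + s.call_trace]
    return "bpf_check" in names and "__do_sys_bpf" in names


def summary_line(s: OopsSummary) -> str:
    """One-line triage record, e.g. for a ticket title or an alert."""
    where = "bpf verifier" if crashed_in_bpf_verifier(s) else "unknown subsystem"
    return (f"{classify(s)} in {where} at {s.rip_symbol} "
            f"(pid {s.pid} {s.comm}, kernel {s.kernel_version}, panic={s.panicked})")


if __name__ == "__main__":
    print(summary_line(parse_oops(SAMPLE_OOPS)))
```

Only frames without the leading "?" are kept, because the x86 unwinder prints "?" for stack slots it could not verify belong to the current call chain; for routing a crash to the right subsystem the reliable frames are what matter, and here they run from adjust_reg_min_max_vals() up through bpf_check() and __do_sys_bpf() to the syscall entry.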