From: syzbot ci <syzbot+cif1531a0a181338a9@syzkaller.appspotmail.com>
To: a.s.protopopov@gmail.com, ameryhung@gmail.com, andrii@kernel.org,
	ast@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net,
	eddyz87@gmail.com, eyal.birger@gmail.com, jolsa@kernel.org,
	kpsingh@kernel.org, linux-kernel@vger.kernel.org,
	memxor@gmail.com, rongtao@cestc.cn, xukuohai@huaweicloud.com,
	yonghong.song@linux.dev
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: [syzbot ci] Re: bpf: Introduce static-defined tracing probe for BPF
Date: Sat, 27 Jun 2026 13:51:47 -0700	[thread overview]
Message-ID: <6a4037e3.80e5668d.5d0ef.0011.GAE@google.com> (raw)
In-Reply-To: <cover.1782571533.git.xukuohai@huawei.com>

syzbot ci has tested the following series

[v1] bpf: Introduce static-defined tracing probe for BPF
https://lore.kernel.org/all/cover.1782571533.git.xukuohai@huawei.com
* [RFC PATCH bpf-next 01/12] libbpf: Prepare bpf SDT probe section for the linker
* [RFC PATCH bpf-next 02/12] libbpf: Introduce bpf SDT probe macros
* [RFC PATCH bpf-next 03/12] libbpf: Add bpf_sdt_notes section parser
* [RFC PATCH bpf-next 04/12] bpf: Create insn_array map for bpf SDT probe
* [RFC PATCH bpf-next 05/12] bpf: Collect SDT probe BTF IDs from BTF decl tags
* [RFC PATCH bpf-next 06/12] bpf: Add type check for SDT probe site
* [RFC PATCH bpf-next 07/12] bpf: Record probe name in SDT map
* [RFC PATCH bpf-next 08/12] libbpf: Add libbpf support to load SDT observer program
* [RFC PATCH bpf-next 09/12] bpf: Add kernel support to load SDT observer program
* [RFC PATCH bpf-next 10/12] bpf: Support attach and detach for SDT observer program
* [RFC PATCH bpf-next 11/12] bpf, x86: Add JIT support SDT for probe
* [RFC PATCH bpf-next 12/12] selftests/bpf: Add tests for bpf SDT probe

and found the following issue:
general protection fault in do_jit

Full report is available here:
https://ci.syzbot.org/series/86d21ab6-d0e1-4dd3-b7e1-af4571d27460

***

general protection fault in do_jit

tree:      bpf-next
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next.git
base:      53435562a725962e4de0c29653223129ba11643a
arch:      amd64
compiler:  Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
config:    https://ci.syzbot.org/builds/549153a4-d4b8-46a4-8266-df26ad835e2f/config
syz repro: https://ci.syzbot.org/findings/2efaa7e4-eae0-45d0-b336-f0e311f8356e/syz_repro

Oops: general protection fault, probably for non-canonical address 0xdffffc000000010e: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000870-0x0000000000000877]
CPU: 1 UID: 0 PID: 5818 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:do_jit+0x7c8c/0x12a90 arch/x86/net/bpf_jit_comp.c:2806
Code: 49 83 c4 44 4c 89 e0 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 0a 84 00 00 45 03 34 24 48 8b bc 24 a0 01 00 00 48 89 f8 48 c1 e8 03 <80> 3c 10 00 74 17 e8 49 30 b0 00 48 8b bc 24 a0 01 00 00 48 ba 00
RSP: 0018:ffffc900038cf640 EFLAGS: 00010202
RAX: 000000000000010e RBX: 000000000000001c RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000870
RBP: ffffc900038cfa00 R08: ffff88816bb0d940 R09: 0000000000000096
R10: 00000000000000fb R11: 0000000000000000 R12: ffff8881749b8044
R13: ffff88816c445450 R14: 0000000000000003 R15: 0000000000000000
FS:  00007f06814986c0(0000) GS:ffff8882a9224000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0680472780 CR3: 000000001cfc8000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 bpf_int_jit_compile+0x8af/0x1620 arch/x86/net/bpf_jit_comp.c:3946
 bpf_prog_jit_compile kernel/bpf/core.c:2571 [inline]
 __bpf_prog_select_runtime+0x4e2/0xb20 kernel/bpf/core.c:2640
 bpf_migrate_filter net/core/filter.c:1318 [inline]
 bpf_prepare_filter+0x10ef/0x1280 net/core/filter.c:1366
 sk_attach_filter+0x24/0x140 net/core/filter.c:1550
 tun_attach_filter+0x176/0x280 drivers/net/tun.c:2992
 __tun_chr_ioctl+0x15f1/0x1e10 drivers/net/tun.c:3344
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f068059ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0681498028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f0680815fa0 RCX: 00007f068059ce59
RDX: 0000200000000300 RSI: 00000000401054d5 RDI: 0000000000000003
RBP: 00007f0680632e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0680816038 R14: 00007f0680815fa0 R15: 00007fff056e7c98
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:do_jit+0x7c8c/0x12a90 arch/x86/net/bpf_jit_comp.c:2806
Code: 49 83 c4 44 4c 89 e0 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 0a 84 00 00 45 03 34 24 48 8b bc 24 a0 01 00 00 48 89 f8 48 c1 e8 03 <80> 3c 10 00 74 17 e8 49 30 b0 00 48 8b bc 24 a0 01 00 00 48 ba 00
RSP: 0018:ffffc900038cf640 EFLAGS: 00010202
RAX: 000000000000010e RBX: 000000000000001c RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000870
RBP: ffffc900038cfa00 R08: ffff88816bb0d940 R09: 0000000000000096
R10: 00000000000000fb R11: 0000000000000000 R12: ffff8881749b8044
R13: ffff88816c445450 R14: 0000000000000003 R15: 0000000000000000
FS:  00007f06814986c0(0000) GS:ffff8882a9224000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f06805ea540 CR3: 000000001cfc8000 CR4: 00000000000006f0
----------------
Code disassembly (best guess):
   0:	49 83 c4 44          	add    $0x44,%r12
   4:	4c 89 e0             	mov    %r12,%rax
   7:	48 c1 e8 03          	shr    $0x3,%rax
   b:	0f b6 04 10          	movzbl (%rax,%rdx,1),%eax
   f:	84 c0                	test   %al,%al
  11:	0f 85 0a 84 00 00    	jne    0x8421
  17:	45 03 34 24          	add    (%r12),%r14d
  1b:	48 8b bc 24 a0 01 00 	mov    0x1a0(%rsp),%rdi
  22:	00
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 10 00          	cmpb   $0x0,(%rax,%rdx,1) <-- trapping instruction
  2e:	74 17                	je     0x47
  30:	e8 49 30 b0 00       	call   0xb0307e
  35:	48 8b bc 24 a0 01 00 	mov    0x1a0(%rsp),%rdi
  3c:	00
  3d:	48                   	rex.W
  3e:	ba                   	.byte 0xba
***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
  Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.

To test a patch for this bug, please reply with `#syz test`
(should be on a separate line).

The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.
