Re: [syzbot] [bpf?] WARNING in bpf_check (4)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Puranjay Mohan <puranjay@kernel.org>
To: syzbot <syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com>,
	andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
	daniel@iogearbox.net, eddyz87@gmail.com, haoluo@google.com,
	john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
	linux-kernel@vger.kernel.org, martin.lau@linux.dev,
	sdf@fomichev.me, song@kernel.org,
	syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [syzbot] [bpf?] WARNING in bpf_check (4)
Date: Wed, 21 May 2025 18:31:41 +0000	[thread overview]
Message-ID: <mb61p7c29zugi.fsf@kernel.org> (raw)
In-Reply-To: <682dd10b.a00a0220.29bc26.028e.GAE@google.com>

syzbot <syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com> writes:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    172a9d94339c Merge tag '6.15-rc6-smb3-client-fixes' of git..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d15ef4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4f080d149583fe67
> dashboard link: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec
> compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=130462d4580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14efaef4580000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/98a89b9f34e4/non_bootable_disk-172a9d94.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/88f3b6a8815a/vmlinux-172a9d94.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/8835063aa13d/zImage-172a9d94.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 3102 at kernel/bpf/verifier.c:20723 opt_subreg_zext_lo32_rnd_hi32 kernel/bpf/verifier.c:20723 [inline]
> WARNING: CPU: 1 PID: 3102 at kernel/bpf/verifier.c:20723 bpf_check+0x2d58/0x2ed4 kernel/bpf/verifier.c:24078
> Modules linked in:
> Kernel panic - not syncing: kernel: panic_on_warn set ...
> CPU: 1 UID: 0 PID: 3102 Comm: syz-executor107 Not tainted 6.15.0-rc6-syzkaller #0 PREEMPT 
> Hardware name: ARM-Versatile Express
> Call trace: 
> [<802019e4>] (dump_backtrace) from [<80201ae0>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
>  r7:00000000 r6:828227fc r5:00000000 r4:82257e84
> [<80201ac8>] (show_stack) from [<8021ff7c>] (__dump_stack lib/dump_stack.c:94 [inline])
> [<80201ac8>] (show_stack) from [<8021ff7c>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
> [<8021ff28>] (dump_stack_lvl) from [<8021ffbc>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
>  r5:00000000 r4:82a70d4c
> [<8021ffa4>] (dump_stack) from [<802025f8>] (panic+0x120/0x374 kernel/panic.c:354)
> [<802024d8>] (panic) from [<802619e8>] (check_panic_on_warn kernel/panic.c:243 [inline])
> [<802024d8>] (panic) from [<802619e8>] (get_taint+0x0/0x1c kernel/panic.c:238)
>  r3:8280c604 r2:00000001 r1:8223ea4c r0:8224654c
>  r7:804020d0
> [<80261974>] (check_panic_on_warn) from [<80261b4c>] (__warn+0x80/0x188 kernel/panic.c:749)
> [<80261acc>] (__warn) from [<80261dcc>] (warn_slowpath_fmt+0x178/0x1f4 kernel/panic.c:776)
>  r8:00000009 r7:8225e3a4 r6:df989c44 r5:844f0000 r4:00000000
> [<80261c58>] (warn_slowpath_fmt) from [<804020d0>] (opt_subreg_zext_lo32_rnd_hi32 kernel/bpf/verifier.c:20723 [inline])
> [<80261c58>] (warn_slowpath_fmt) from [<804020d0>] (bpf_check+0x2d58/0x2ed4 kernel/bpf/verifier.c:24078)
>  r10:00000002 r9:84850000 r8:00000004 r7:00000002 r6:00000003 r5:000000c3
>  r4:ffffffff
> [<803ff378>] (bpf_check) from [<803d66d0>] (bpf_prog_load+0x68c/0xc20 kernel/bpf/syscall.c:2971)

I think this issue is triggered because insn_def_regno() doesn't
understand BPF_LOAD_ACQ and returns -1 for it. On arm32 and other
architectures that need zext, BPF_LOAD_ACQ will be marked for zext if
the load is < 64 bit, but when opt_subreg_zext_lo32_rnd_hi32() tries to
find the destination register to zext for BPF_LOAD_ACQ, it gets -1 from
insn_def_regno() and triggers the WARN().

This should be fixed by the the patch at the end.

Thanks,
Puranjay

#syz test

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 54c6953a8b84..9aa67e46cb8b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3643,6 +3643,9 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn,
 /* Return the regno defined by the insn, or -1. */
 static int insn_def_regno(const struct bpf_insn *insn)
 {
+       if (is_atomic_load_insn(insn))
+               return insn->dst_reg;
+
        switch (BPF_CLASS(insn->code)) {
        case BPF_JMP:
        case BPF_JMP32:

next prev parent reply	other threads:[~2025-05-21 18:31 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-21 13:11 [syzbot] [bpf?] WARNING in bpf_check (4) syzbot
2025-05-21 18:31 ` Puranjay Mohan [this message]
2025-05-21 18:58   ` syzbot
2025-07-06 21:47 ` syzbot

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:54c6953a8b8 dfblob:9aa67e46cb8 )
 OR (
bs:"Re: [syzbot] [bpf?] WARNING in bpf_check (4)" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=mb61p7c29zugi.fsf@kernel.org \
    --to=puranjay@kernel.org \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=haoluo@google.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=sdf@fomichev.me \
    --cc=song@kernel.org \
    --cc=syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.