BPF List
 help / color / mirror / Atom feed
From: Leon Hwang <leon.hwang@linux.dev>
To: Vincent Thiberville <vincent@harfanglab.fr>,
	"ast@kernel.org" <ast@kernel.org>,
	"daniel@iogearbox.net" <daniel@iogearbox.net>
Cc: "bpf@vger.kernel.org" <bpf@vger.kernel.org>
Subject: Re: PROBLEM: BPF interpreter fallback after JIT compilation of BPF_ADDR_PERCPU leads to kernel panic
Date: Tue, 30 Jun 2026 09:48:36 +0800	[thread overview]
Message-ID: <d255172d-d9e9-4116-9243-975cf4bdf3d0@linux.dev> (raw)
In-Reply-To: <MR1P264MB331494502C9D13D8A9EAFB99B7E82@MR1P264MB3314.FRAP264.PROD.OUTLOOK.COM>

Hi Vincent,

Thank you for the report.

On 29/6/26 22:42, Vincent Thiberville wrote:
> Hello BPF maintainers
> 
> I have stumbled upon what I believe is a kernel bug that occurs when a BPF program is executed
> in specific conditions. The in-the-wild situation is a fairly large BPF program that runs as a kretprobe,
> and the crash happened on up-to-date debian13 computers, with the parameter `net.core.bpf_jit_harden=2`.
> 
> I have managed to reduce the conditions to a fairly small reproducer (joined to this mail), that does the
> following:
> 
> 
>   *
> Call bpf_map_lookup_elem (1)
>   *
> Dereference the result if non null (2)
>   *
> Jump with a large enough offset (>=11000) over instructions using constants (3)
> 
> ```
>     0: .......... (62) *(u32 *)(r10 -4) = 0
>     1: .......... (bf) r2 = r10
>     2: ..2....... (07) r2 += -4
>     3: ..2....... (18) r1 = 0xffff8f0708cca200
>     5: .12....... (85) call bpf_map_lookup_elem#1
>     6: 0......... (15) if r0 == 0x0 goto pc+1
>     7: 0......... (79) r0 = *(u64 *)(r0 +0)
>     8: .......... (b7) r0 = 0
>     9: 0......... (15) if r0 == 0x12345678 goto pc+11001
>    10: 0......... (07) r0 += 1
>    11: 0......... (07) r0 += 1
> ...
> 11009: 0......... (07) r0 += 1
> 11010: .......... (b7) r0 = 0
> 11011: 0......... (95) exit
> ```
> 
> This program,  in most situations, will either be JIT compiled and run properly, or will be rejected with the
> error ENOTSUPP. But on machines with:
> 
> 
>   *
> `CONFIG_BPF_JIT_ALWAYS_ON` not set
>   *
> `net.core.bpf_jit_harden=2`


I tried your reproducer with latest bpf-next code, but failed. It did
not crash the kernel.

gcc -o bpf-interpreter-bug ./repro.c

uname -r
7.1.0-ga187b7f97305

zgrep BPF /proc/config.gz
# BPF subsystem
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set

sysctl -a | grep bpf_jit
net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 2
net.core.bpf_jit_kallsyms = 1
net.core.bpf_jit_limit = 528482304

./bpf-interpreter-bug
BPF_ADDR_PERCPU JIT bug reproducer

WARNING: this WILL crash the kernel. Run in a disposable VM.

Current config: bpf_jit_enable=1 bpf_jit_harden=2 bpf_jit_limit=528482304
Created per-cpu array map (fd 3)
Loaded target BPF program (fd 4)
Verifier:
processed 11011 insns (limit 1000000) max_states_per_insn 0 total_states
1 peak_states 1 mark_read 0

BPF program was unexpectedly JIT-compiled, the bug will not occur. Aborting.


Did I miss something?

> 
> the program will fail to be JIT compiled, will fallback to the interpreter, and when executed, will cause
> a invalid pointer dereference leading to a kernel panic.
> 
> To the best of my understanding, what happens is that:
> 
> 
>   *
> The JIT compiler will optimize the map lookup at (1)
>   *
> The JIT compiler will fail when reaching (3). This is because the JIT hardening enables constant blinding, which triples the size of the jump, overflowing 32767.
>   *
> Since the JIT compiler failed, and CONFIG_BPF_JIT_ALWAYS_ON is not set, the kernel falls back to the interpreter
>   *
> When executed, the interpreter will badly interpret (1), I suppose due to some JIT optimization not being cleaned after the JIT compiler failure.
>   *
> This will leave R0 with an invalid value, which is dereferenced when the interpreter reaches (2)
> 
> But of course this may not be what is happening, I am far from an expert and you will know better than me.
> 
> This is easily reproducible on debian images, which do not set CONFIG_BPF_JIT_ALWAYS_ON. I have reproduced it on 6.12.74+deb13+1-amd64,
> 6.12.94+deb13-amd64 and 7.0.13+deb14-amd64. Setting `net.core.bpf_jit_harden=2` and running the reproducer is enough to trigger the kernel panic.
> 
> I am not entirely sure when this bug was introduced, or if it is fixed on the latest version. From some research, it may be related to this patch:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7bdbf7446305
> 
> and there is a commit in review for bpf-next that mentions a fix for the aforementioned commit: `bpf: Disallow interpreter fallback for BPF_ADDR_PERCPU insn` in https://lore.kernel.org/bpf/20260622143557.22955-1-leon.hwang@linux.dev/T/#t


I've posted another patch series to fix the assorted interpreter
fallback issues:
https://lore.kernel.org/bpf/20260626154330.33619-1-leon.hwang@linux.dev/

Thanks,
Leon

> 
> that would indicate an impact since 6.10.
> 
> Joined to this mail are the reproducer for the issue, and the dmesg of a kernel panic caused by the reproducer on the standard debian image `debian-sid-nocloud-amd64-daily-20260629-2524.qcow2`.
> 
> Thank you for all your work and for your help on this matter.
> 
> Best Regards
> 
> Vincent Thiberville
> 
> 
> 


  reply	other threads:[~2026-06-30  1:48 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 14:42 PROBLEM: BPF interpreter fallback after JIT compilation of BPF_ADDR_PERCPU leads to kernel panic Vincent Thiberville
2026-06-30  1:48 ` Leon Hwang [this message]
2026-06-30 12:08   ` Vincent Thiberville
2026-07-01  2:49     ` Leon Hwang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d255172d-d9e9-4116-9243-975cf4bdf3d0@linux.dev \
    --to=leon.hwang@linux.dev \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=vincent@harfanglab.fr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox