From: Eduard Zingerman <eddyz87@gmail.com>
To: syzbot <syzbot+3afc814e8df1af64b653@syzkaller.appspotmail.com>,
andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, haoluo@google.com,
john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
linux-kernel@vger.kernel.org, martin.lau@linux.dev,
sdf@fomichev.me, song@kernel.org,
syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [syzbot] [bpf?] WARNING in maybe_exit_scc
Date: Mon, 15 Sep 2025 16:40:17 -0700 [thread overview]
Message-ID: <b1717a5b75475b8e14afaee4825a40a3808bd0cb.camel@gmail.com> (raw)
In-Reply-To: <81bb1cf72e9c5f56c92ab43636a0626a1046d748.camel@gmail.com>
On Mon, 2025-09-15 at 15:34 -0700, Eduard Zingerman wrote:
[...]
> > verifier bug: scc exit: no visit info for call chain (1)(1)
> > WARNING: CPU: 1 PID: 6013 at kernel/bpf/verifier.c:1949 maybe_exit_scc+0x768/0x8d0 kernel/bpf/verifier.c:1949
>
> Both this and [1] are reported for very similar programs:
>
> <this> <[1]>
> --------------------------------------------------------------------------------------------
> (b7) r0 = -1023213567 (b7) r0 = -1023213567
> (bf) r3 = r10 (bf) r3 = r10
> (07) r3 += -512 (07) r3 += -504
> (72) *(u8 *)(r10 -16) = -8 (72) *(u8 *)(r10 -16) = -8
> (71) r4 = *(u8 *)(r10 -16) (71) r4 = *(u8 *)(r10 -16)
> (65) if r4 s> 0xff000000 goto pc+2 (65) if r4 s> 0xff000000 goto pc+2
> (2d) if r0 > r4 goto pc+5 (2d) if r0 > r4 goto pc+5
> (20) r0 = *(u32 *)skb[60673] (20) r0 = *(u32 *)skb[60673]
> (7b) *(u64 *)(r3 +0) = r0 (7b) *(u64 *)(r3 +0) = r0
> (1d) if r4 == r4 goto pc+0 (1d) if r4 == r4 goto pc+0
> (7a) *(u64 *)(r10 -512) = -256 (7a) *(u64 *)(r10 -512) = -256
> (db) lock *(u64 *)(r3 +0) |= r0 (db) r0 = atomic64_fetch_and((u64 *)(r3 +0), r0)
> (b5) if r0 <= 0x0 goto pc-2 (b5) if r0 <= 0x0 goto pc-2
> (95) exit (95) exit
>
> So, I assume it's the same issue. Looking into it.
>
> [1] https://lore.kernel.org/bpf/68c85b0d.050a0220.2ff435.03a5.GAE@google.com/T/#u
Minimal reproducer:
SEC("socket")
__caps_unpriv(CAP_BPF)
__naked void syzbot_bug(void)
{
asm volatile (
"r0 = 100;"
"1:"
"*(u64 *)(r10 - 512) = r0;"
"if r0 <= 0x0 goto 1b;"
"exit;"
::: __clobber_all);
}
And corresponding verifier log:
Live regs before insn:
0: .......... (b7) r0 = 100
1 1: 0......... (7b) *(u64 *)(r10 -512) = r0
1 2: 0......... (b5) if r0 <= 0x0 goto pc-2
3: 0......... (95) exit
Global function syzbot_bug() doesn't return scalar. Only those are supported.
0: R1=ctx() R10=fp0
; asm volatile ( @ verifier_and.c:118
0: (b7) r0 = 100 ; R0_w=100
1: (7b) *(u64 *)(r10 -512) = r0 ; R0_w=100 R10=fp0 fp-512_w=100
2: (b5) if r0 <= 0x0 goto pc-2
mark_precise: frame0: last_idx 2 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r0 stack= before 1: (7b) *(u64 *)(r10 -512) = r0
mark_precise: frame0: regs=r0 stack= before 0: (b7) r0 = 100
2: R0_w=100
3: (95) exit
from 2 to 1 (speculative execution): R0_w=scalar() R1=ctx() R10=fp0 fp-512_w=100
1: R0_w=scalar() R1=ctx() R10=fp0 fp-512_w=100
1: (7b) *(u64 *)(r10 -512) = r0
verifier bug: scc exit: no visit info for call chain (1)
processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
[...]
next prev parent reply other threads:[~2025-09-15 23:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-15 18:28 [syzbot] [bpf?] WARNING in maybe_exit_scc syzbot
2025-09-15 22:34 ` Eduard Zingerman
2025-09-15 23:40 ` Eduard Zingerman [this message]
2025-09-16 9:14 ` Eduard Zingerman
2025-09-16 10:20 ` syzbot
2025-09-29 7:57 ` Luis Gerhorst
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b1717a5b75475b8e14afaee4825a40a3808bd0cb.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=syzbot+3afc814e8df1af64b653@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox