public inbox for linux-kernel@vger.kernel.org
From: Eduard Zingerman <eddyz87@gmail.com>
To: syzbot <syzbot+7e46cdef14bf496a3ab4@syzkaller.appspotmail.com>,
	 andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
	daniel@iogearbox.net,  haoluo@google.com,
	john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
	 linux-kernel@vger.kernel.org, martin.lau@linux.dev,
	sdf@fomichev.me,  song@kernel.org,
	syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [syzbot] [bpf?] WARNING in push_jmp_history
Date: Mon, 07 Oct 2024 15:18:12 -0700	[thread overview]
Message-ID: <cfec3ec1b7092e1dde01eb1896ec7fba7ed714f4.camel@gmail.com> (raw)
In-Reply-To: <670429f6.050a0220.49194.0517.GAE@google.com>

On Mon, 2024-10-07 at 11:35 -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    c02d24a5af66 Add linux-next specific files for 20241003
> git tree:       linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=17382707980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=94f9caf16c0af42d
> dashboard link: https://syzkaller.appspot.com/bug?extid=7e46cdef14bf496a3ab4
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b82707980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16f4c327980000

When I try this reproducer, the bpf syscall never exits (I waited for 5 minutes).
Here is the reproducer as a selftest:

SEC("kprobe")
__success
__naked void syzbot_bug(void)
{
	asm volatile (
	"   r2 = *(u32 *)(r1 +140)\n"		// 0
	"   r3 = *(u32 *)(r1 +76)\n"		// 1
	"   r0 = r2\n"				// 2
	"   if w0 > 0xffffff07 goto 1f\n"	// 3
	"   if r3 <= r0 goto +16\n"		// 4
	"   exit\n"				// 5
	"1: r6 = *(u16 *)(r1 +0)\n"		// 6
	"   r7 = r6\n"				// 7
	"2: w7 += 447767737\n"			// 8
	"   if w7 & 0x702000 goto 2b\n"		// 9
	"   w7 &= 2024974\n"			// 10
	"   r5 = r1\n"				// 11
	"   r7 += r5\n"				// 12
	"   if r7 s> 0x37d2 goto +0\n"		// 13
	"   w3 *= w0\n"				// 14
	"   r5 -= r7\n"				// 15
	"   r4 = r5\n"				// 16
	"   r0 += -458748\n"			// 17
	"   if r3 < r4 goto 3f\n"		// 18
	"   w0 >>= w0\n"			// 19
	"3: goto +0\n"				// 20
	"   exit\n"				// 21
	::: __clobber_all);
}

(e.g. it can be put into tools/testing/selftests/bpf/progs/verifier_and.c
 or any other verifier_*.c).

Inserting a few printks shows that the following instructions are
verified in a loop:

    ... verification starts ...
[    2.094272] do_check: env->insn_idx 0
[    2.094345] do_check: env->insn_idx 1
[    2.094417] do_check: env->insn_idx 2
[    2.094486] do_check: env->insn_idx 3
[    2.094585] do_check: env->insn_idx 4
[    2.094675] do_check: env->insn_idx 5
[    2.094748] do_check: env->insn_idx 21
[    2.094879] do_check: env->insn_idx 6
[    2.095005] do_check: env->insn_idx 7
[    2.095074] do_check: env->insn_idx 8 <------ let's call this point LBL
[    2.095156] do_check: env->insn_idx 9
[    2.095264] do_check: env->insn_idx 8
[    2.095372] do_check: env->insn_idx 9
[    2.095497] do_check: env->insn_idx 8
[    2.095579] do_check: env->insn_idx 9
[    2.095716] do_check: env->insn_idx 8
[    2.095892] do_check: env->insn_idx 9
[    2.096070] do_check: env->insn_idx 8
[    2.096151] do_check: env->insn_idx 9
[    2.096314] do_check: env->insn_idx 8
[    2.096402] do_check: env->insn_idx 9
[    2.096570] do_check: env->insn_idx 8
[    2.096646] do_check: env->insn_idx 9
[    2.096840] do_check: env->insn_idx 8
[    2.096921] do_check: env->insn_idx 9
[    2.097040] do_check: env->insn_idx 10
[    2.097113] do_check: env->insn_idx 11
[    2.097195] do_check: env->insn_idx 12
[    2.097417] do_check: env->insn_idx 13
[    2.097521] do_check: env->insn_idx 14
[    2.097597] do_check: env->insn_idx 15
[    2.097688] do_check: env->insn_idx 16
[    2.097774] do_check: env->insn_idx 17
[    2.097866] do_check: env->insn_idx 18
[    2.097990] do_check: env->insn_idx 19
[    2.098050] do_check: env->insn_idx 20
[    2.098119] do_check: env->insn_idx 21
[    2.098195] do_check: env->insn_idx 20
[    2.098347] do_check: env->insn_idx 21
[    2.098414] do_check: env->insn_idx 14
[    2.098556] do_check: env->insn_idx 15
[    2.098629] do_check: env->insn_idx 16
[    2.098700] do_check: env->insn_idx 17
[    2.098767] do_check: env->insn_idx 18
[    2.098842] do_check: env->insn_idx 8
[    2.098984] do_check: env->insn_idx 9
[    2.099108] do_check: env->insn_idx 8
[    2.099171] do_check: env->insn_idx 9
[    2.099304] do_check: env->insn_idx 8
[    2.099368] do_check: env->insn_idx 9
[    2.099505] do_check: env->insn_idx 8
[    2.099568] do_check: env->insn_idx 9
[    2.099703] do_check: env->insn_idx 8
[    2.099774] do_check: env->insn_idx 9
[    2.099921] do_check: env->insn_idx 8
[    2.099984] do_check: env->insn_idx 9
[    2.100133] do_check: env->insn_idx 8
[    2.100200] do_check: env->insn_idx 9
[    2.100349] do_check: env->insn_idx 8
[    2.100413] do_check: env->insn_idx 9
[    2.100503] do_check: env->insn_idx 10
[    2.100566] do_check: env->insn_idx 11
[    2.100636] do_check: env->insn_idx 12
[    2.100813] do_check: env->insn_idx 13
[    2.100909] do_check: env->insn_idx 14
[    2.100972] do_check: env->insn_idx 15
[    2.101047] do_check: env->insn_idx 16
[    2.101117] do_check: env->insn_idx 17
[    2.101185] do_check: env->insn_idx 18
[    2.101250] do_check: env->insn_idx 14
[    2.101389] do_check: env->insn_idx 15
[    2.101462] do_check: env->insn_idx 16
[    2.101531] do_check: env->insn_idx 17
[    2.101598] do_check: env->insn_idx 18

    ... verification repeats from LBL ...

[...]
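The "verified in a loop" observation above can be checked mechanically against a printk trace. The script below is an added example (not part of the e-mail or of the kernel tree): it parses the do_check lines, counts how often each instruction index is verified, lists the transitions where the index goes backwards, and finds the longest stretch of indexes that is verified twice; the sample trace is constructed from the indexes quoted above with made-up timestamps.

```python
import re
from collections import Counter

# Constructed sample: the insn_idx sequence transcribed from the printk trace
# in the e-mail (timestamps are made up, only the indexes matter).
INSN_SEQUENCE = (
    [0, 1, 2, 3, 4, 5, 21, 6, 7]
    + [8, 9] * 8 + list(range(10, 22)) + [20, 21] + list(range(14, 19))
    + [8, 9] * 8 + list(range(10, 19)) + list(range(14, 19))
)
SAMPLE_TRACE = "\n".join(
    f"[{2.094 + i * 0.0001:12.6f}] do_check: env->insn_idx {idx}"
    for i, idx in enumerate(INSN_SEQUENCE)
)

TRACE_RE = re.compile(r"do_check: env->insn_idx (\d+)")

def parse_insn_trace(text):
    """Extract the verified instruction indexes, in order, from dmesg text."""
    return [int(m.group(1)) for m in TRACE_RE.finditer(text)]

def visit_counts(seq):
    """How often each instruction index was verified."""
    return Counter(seq)

def backward_steps(seq):
    """Count transitions where insn_idx decreases: the verifier either followed
    a backward jump or popped a pending branch state from its stack."""
    return Counter((a, b) for a, b in zip(seq, seq[1:]) if b < a)

def longest_repeat(seq):
    """Return (first_start, second_start, length) of the longest run of
    instruction indexes that is verified twice without overlap; a long
    repeat is the signature of the verifier re-exploring the same path."""
    n, best = len(seq), (0, 0, 0)
    for i in range(n):
        for j in range(i + 1, n):
            k = 0
            while i + k < j and j + k < n and seq[i + k] == seq[j + k]:
                k += 1
            if k > best[2]:
                best = (i, j, k)
    return best

if __name__ == "__main__":
    seq = parse_insn_trace(SAMPLE_TRACE)
    i, j, k = longest_repeat(seq)
    print(f"hottest insns: {visit_counts(seq).most_common(3)}")
    print(f"backward steps: {backward_steps(seq).most_common(3)}")
    print(f"insn {seq[i]}: path of {k} entries repeats at trace entries {i} and {j}")
```

On the sample trace the longest repeat starts at insn 8 (the point called LBL above) and covers the 8/9 loop plus insns 10 to 18, which is the repetition the message points at.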