From: Aaron Lu <ziqianlu@bytedance.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
Cc: Andrii Nakryiko <andrii@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Pu Lehui <pulehui@huawei.com>,
Luiz Capitulino <luizcap@amazon.com>,
Wei Wei <weiwei.danny@bytedance.com>,
Yuchen Zhang <zhangyuchen.lcr@bytedance.com>
Subject: Re: Host panic in bpf verifier when loading bpf prog in 5.10 stable kernel
Date: Mon, 16 Jun 2025 15:06:17 +0800
Message-ID: <20250616070617.GA66@bytedance>
In-Reply-To: <20250605070921.GA3795@bytedance>
Ping?
On Thu, Jun 05, 2025 at 03:09:21PM +0800, Aaron Lu wrote:
> Hello,
>
> Wei reported when loading his bpf prog in 5.10.200 kernel, host would
> panic, this didn't happen in 5.10.135 kernel. Test on latest v5.10.238
> still has this panic.
If a fix is not easy for these stable kernels, I think we should revert
this commit? Because for whatever bpf progs, the bpf verifier should not
panic the kernel.
Regarding revert, per my test, the following four commits in linux-5.10.y
branch have to be reverted and after that, the kernel does not panic
anymore:
commit 2474ec58b96d ("bpf: allow precision tracking for programs with subprogs")
commit 7ca3e7459f4a ("bpf: stop setting precise in current state")
commit 1952a4d5e4cf ("bpf: aggressively forget precise markings during state checkpointing")
commit 4af2d9ddb7e7 ("selftests/bpf: make test_align selftest more robust")
>
> [ 26.531718] BUG: kernel NULL pointer dereference, address: 0000000000000168
> [ 26.538093] #PF: supervisor read access in kernel mode
> [ 26.542727] #PF: error_code(0x0000) - not-present page
> [ 26.548093] PGD 10f3e9067 P4D 10f332067 PUD 10f0c5067 PMD 0
> [ 26.553211] Oops: 0000 [#1] SMP NOPTI
> [ 26.556531] CPU: 2 PID: 541 Comm: main Not tainted 5.10.238-00267-g01e7e36b8606 #63
> [ 26.563816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> [ 26.572357] RIP: 0010:__mark_chain_precision+0x24b/0x4d0
> [ 26.576572] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6
> [ 26.589100] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216
> [ 26.592612] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003
> [ 26.597416] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78
> [ 26.601362] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004
> [ 26.604261] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000
> [ 26.607202] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140
> [ 26.610327] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000
> [ 26.613678] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 26.616105] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0
> [ 26.619059] Call Trace:
> [ 26.620118] adjust_reg_min_max_vals+0x133/0x340
> [ 26.622048] ? krealloc+0x63/0xe0
> [ 26.623435] do_check+0x38c/0xa80
> [ 26.624859] do_check_common+0x15b/0x280
> [ 26.626496] bpf_check+0xbe1/0xd30
> [ 26.627939] ? srso_alias_return_thunk+0x5/0x7f
> [ 26.629796] ? trace_hardirqs_on+0x1a/0xd0
> [ 26.631503] ? srso_alias_return_thunk+0x5/0x7f
> [ 26.633402] bpf_prog_load+0x422/0x8a0
> [ 26.634987] ? srso_alias_return_thunk+0x5/0x7f
> [ 26.636864] ? __handle_mm_fault+0x3cb/0x6d0
> [ 26.638658] ? srso_alias_return_thunk+0x5/0x7f
> [ 26.640543] ? lock_release+0xe3/0x110
> [ 26.642114] __do_sys_bpf+0x485/0xdf0
> [ 26.643624] do_syscall_64+0x33/0x40
> [ 26.645110] entry_SYSCALL_64_after_hwframe+0x67/0xd1
> [ 26.647190] RIP: 0033:0x409a6e
> [ 26.648470] Code: 24 28 44 8b 44 24 2c e9 70 ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48
> [ 26.656154] RSP: 002b:000000c00199edc0 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
> [ 26.659451] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000409a6e
> [ 26.662375] RDX: 0000000000000098 RSI: 000000c00199f290 RDI: 0000000000000005
> [ 26.665267] RBP: 000000c00199ee00 R08: 0000000000000000 R09: 0000000000000000
> [ 26.668204] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
> [ 26.671125] R13: 0000000000000080 R14: 000000c000002380 R15: 8080808080808080
> [ 26.674085] Modules linked in:
> [ 26.675363] CR2: 0000000000000168
> [ 26.676772] ---[ end trace 3fc192ee4dabbf12 ]---
> [ 26.678667] RIP: 0010:__mark_chain_precision+0x24b/0x4d0
> [ 26.680926] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6
> [ 26.688665] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216
> [ 26.690828] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003
> [ 26.693777] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78
> [ 26.696680] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004
> [ 26.699651] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000
> [ 26.702561] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140
> [ 26.705522] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000
> [ 26.708806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 26.711179] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0
> [ 26.714143] Kernel panic - not syncing: Fatal exception
> [ 26.716893] Kernel Offset: disabled
> [ 26.718911] Rebooting in 5 seconds..
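To make an oops like the one quoted above quicker to triage, here is an added Python helper (not code from this thread or from the kernel tree) that parses an x86-64 oops, pulls out the faulting address, the kernel-mode RIP symbol and the reliable call-trace frames (dropping the `?` entries), and flags a fault address below the first page as a NULL base pointer plus a struct field offset, which matches RBX=0 and RAX=0x168 in the register dump. The `OOPS` text is a constructed, trimmed excerpt of the report.

```python
import re
# Constructed excerpt of the oops quoted in the report above (trimmed).
OOPS = """\
[ 26.531718] BUG: kernel NULL pointer dereference, address: 0000000000000168
[ 26.572357] RIP: 0010:__mark_chain_precision+0x24b/0x4d0
[ 26.619059] Call Trace:
[ 26.620118] adjust_reg_min_max_vals+0x133/0x340
[ 26.622048] ? krealloc+0x63/0xe0
[ 26.623435] do_check+0x38c/0xa80
[ 26.626496] bpf_check+0xbe1/0xd30
[ 26.633402] bpf_prog_load+0x422/0x8a0
[ 26.642114] __do_sys_bpf+0x485/0xdf0
[ 26.643624] do_syscall_64+0x33/0x40
[ 26.647190] RIP: 0033:0x409a6e
"""

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
FRAME = re.compile(r"(\?\s+)?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
PAGE_SIZE = 4096  # page zero is never mapped, so addresses below it mean NULL + offset

def parse_oops(text):
    """Return the fault address, kernel-mode RIP symbol and reliable call-trace frames."""
    info = {"fault_addr": None, "rip": None, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        m = re.match(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)$", line)
        if m:
            info["fault_addr"] = int(m.group(1), 16)
        elif line.startswith("RIP: 0010:") and info["rip"] is None:
            info["rip"] = line.split(":", 2)[2]  # CS 0010 = kernel; 0033 = user space
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            m = FRAME.match(line)
            if m is None:
                in_trace = False  # first non-frame line ends the trace
            elif not m.group(1):  # drop "? " frames, which are stale stack slots
                info["trace"].append(m.group(2))
    return info

def triage(info):
    """Classify the fault and note whether a syscall path reaches it."""
    addr = info["fault_addr"]
    if addr is None:
        return "not a NULL pointer dereference oops"
    kind = (f"NULL base pointer, field offset 0x{addr:x}" if addr < PAGE_SIZE
            else f"bad pointer 0x{addr:x}")
    via_syscall = any(f.startswith(("__do_sys_", "do_syscall_64")) for f in info["trace"])
    return f"{kind} in {info['rip']}; reachable from a syscall: {via_syscall}"
```

A trace that runs from do_syscall_64 through bpf_prog_load into the verifier means any caller allowed to load that program can take the host down, which is why the reporter argues the verifier must reject the program rather than panic.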