public inbox for stable@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Aaron Lu <ziqianlu@bytedance.com>
Cc: Pu Lehui <pulehui@huawei.com>,
	stable@vger.kernel.org, Andrii Nakryiko <andrii@kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Wei Wei <weiwei.danny@bytedance.com>,
	Yuchen Zhang <zhangyuchen.lcr@bytedance.com>
Subject: Re: Host panic in bpf verifier when loading bpf prog in 5.10 stable kernel
Date: Sat, 12 Jul 2025 15:42:51 +0200
Message-ID: <2025071246-armhole-salsa-ba8f@gregkh>
In-Reply-To: <20250625093311.GA388@bytedance>

On Wed, Jun 25, 2025 at 05:33:11PM +0800, Aaron Lu wrote:
> On Tue, Jun 24, 2025 at 11:33:20AM +0100, Greg Kroah-Hartman wrote:
> > On Tue, Jun 24, 2025 at 02:41:56PM +0800, Pu Lehui wrote:
> > > 
> > > 
> > > On 2025/6/24 11:52, Aaron Lu wrote:
> > > > On Tue, Jun 24, 2025 at 09:32:54AM +0800, Pu Lehui wrote:
> > > > > Hi Aaron, Greg,
> > > > > 
> > > > > Sorry for the late. Just found a fix [0] for this issue, we don't need to
> > > > > revert this bugfix series. Hope that will help!
> > > > > 
> > > > > > Link: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=4bb7ea946a37 [0]
> > > > 
> > > > I can confirm this also fixed the panic issue on top of 5.10.238.
> > > > 
> > > > Hi Greg,
> > > > 
> > > > The cherry pick is not clean but can be trivially fixed. I've appended
> > > > the patch I've used for test below for your reference in case you want
> > > > to take it and drop that revert series. Thanks.
> > > > 
> > > > From f0e1047ee11e4ab902a413736e4fd4fb32b278c8 Mon Sep 17 00:00:00 2001
> > > > From: Andrii Nakryiko <andrii@kernel.org>
> > > > Date: Thu, 9 Nov 2023 16:26:37 -0800
> > > > Subject: [PATCH] bpf: fix precision backtracking instruction iteration
> > > > 
> > > > commit 4bb7ea946a370707315ab774432963ce47291946 upstream.
> > > > 
> > > > Fix an edge case in __mark_chain_precision() which prematurely stops
> > > > backtracking instructions in a state if it happens that state's first
> > > > and last instruction indexes are the same. This situation doesn't
> > > > necessarily mean that there were no instructions simulated in a state,
> > > > but rather that we started from the instruction, jumped around a bit,
> > > > and then ended up at the same instruction before checkpointing or
> > > > marking precision.
> > > > 
> > > > To distinguish between these two possible situations, we need to consult
> > > > jump history. If it's empty or contains a single record "bridging" parent
> > > > state and first instruction of processed state, then we indeed
> > > > backtracked all instructions in this state. But if history is not empty,
> > > > we are definitely not done yet.
> > > > 
> > > > Move this logic inside get_prev_insn_idx() to contain it more nicely.
> > > > Use -ENOENT return code to denote "we are out of instructions"
> > > > situation.
> > > > 
> > > > This bug was exposed by verifier_loop1.c's bounded_recursion subtest, once
> > > > the next fix in this patch set is applied.
> > > > 
> > > > Acked-by: Eduard Zingerman <eddyz87@gmail.com>
> > > > Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
> > > > Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> > > > Link: https://lore.kernel.org/r/20231110002638.4168352-3-andrii@kernel.org
> > > > Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> > > 
> > > Alright, this patch should target linux-5.10.y and linux-5.15.y.
> > > 
> > > And better to add here with the following tag:
> > > 
> > > Reported-by: Wei Wei <weiwei.danny@bytedance.com>
> > > Closes: https://lore.kernel.org/all/20250605070921.GA3795@bytedance/
> > 
> > Thanks, I've dropped the reverts and now queued this up.  Let's push out
> > a -rc2 and see how that goes through testing...
> 
> Thanks Greg.
> 
> 5.15 stable tree also has this problem and after applying the above
> patch to 5.15.185, the problem is also fixed. I appreciate if you can
> also queue it for 5.15 stable branch, thanks.

Now applied, thanks.

greg k-h
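
The edge case described in the quoted commit message, as an added user-space model that is not part of the thread and is not the kernel's code: a state whose first and last instruction index are equal but whose jump history is not empty. The types `jmp_rec` and `state_model`, the helpers `prev_insn_idx()` and `backtrack_count()`, and the sample instruction indexes are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
/* Simplified user-space model (assumption), not the kernel's structures. */
struct jmp_rec { int idx, prev_idx; };      /* jump landed on idx from prev_idx */
struct state_model {
    int first_insn_idx;                     /* first insn simulated in this state */
    const struct jmp_rec *hist;             /* jump history, oldest first */
    int hist_cnt;
};

/* Step one instruction back; -ENOENT means "out of instructions". */
static int prev_insn_idx(const struct state_model *st, int i, int *cnt)
{
    if (i == st->first_insn_idx) {
        if (*cnt == 0)
            return -ENOENT;
        if (*cnt == 1 && st->hist[0].idx == i)
            return -ENOENT;                 /* only the record bridging the parent */
    }
    if (*cnt && st->hist[*cnt - 1].idx == i)
        return st->hist[--(*cnt)].prev_idx; /* follow the recorded jump backwards */
    return i - 1;
}

/* Instructions visited walking back from last_idx; legacy != 0 keeps the
 * premature "i == first_insn_idx" stop that the commit message describes. */
static int backtrack_count(const struct state_model *st, int last_idx, int legacy)
{
    int cnt = st->hist_cnt, visited = 0;
    for (int i = last_idx; i != -ENOENT; i = prev_insn_idx(st, i, &cnt)) {
        visited++;
        if (legacy && i == st->first_insn_idx)
            break;
    }
    return visited;
}

/* Constructed sample: state entered at insn 5 by a jump from insn 2,
 * runs 5,6,7, jumps back 7 -> 5 and is checkpointed there (first == last). */
static const struct jmp_rec loop_hist[] = { {5, 2}, {5, 7} };
static const struct state_model loop_state = { 5, loop_hist, 2 };
static const struct state_model line_state = { 5, NULL, 0 }; /* straight 5,6,7 */

int main(void)
{
    printf("loop: %d vs %d\n", backtrack_count(&loop_state, 5, 1), backtrack_count(&loop_state, 5, 0));
    printf("line: %d vs %d\n", backtrack_count(&line_state, 7, 1), backtrack_count(&line_state, 7, 0));
    return 0;
}
```

In the loop case the early stop visits one instruction while the history-aware walk visits four (5, 7, 6, 5); in the straight-line case both walks visit the same three.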
