Re: [syzbot] [bpf?] WARNING in push_jmp_history

From: Eduard Zingerman
Date: Mon Oct 07 2024 - 18:18:28 EST


On Mon, 2024-10-07 at 11:35 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: c02d24a5af66 Add linux-next specific files for 20241003
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=17382707980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=94f9caf16c0af42d
> dashboard link: https://syzkaller.appspot.com/bug?extid=7e46cdef14bf496a3ab4
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b82707980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f4c327980000

When I try this reproducer, the bpf syscall never exits (waited for 5 minutes).
Here is the reproducer as a selftest:

SEC("kprobe")
__success
__naked void syzbot_bug(void)
{
	asm volatile (
	"	r2 = *(u32 *)(r1 +140)\n"		// 0
	"	r3 = *(u32 *)(r1 +76)\n"		// 1
	"	r0 = r2\n"				// 2
	"	if w0 > 0xffffff07 goto 1f\n"		// 3
	"	if r3 <= r0 goto +16\n"			// 4
	"	exit\n"					// 5
	"1:	r6 = *(u16 *)(r1 +0)\n"			// 6
	"	r7 = r6\n"				// 7
	"2:	w7 += 447767737\n"			// 8
	"	if w7 & 0x702000 goto 2b\n"		// 9
	"	w7 &= 2024974\n"			// 10
	"	r5 = r1\n"				// 11
	"	r7 += r5\n"				// 12
	"	if r7 s> 0x37d2 goto +0\n"		// 13
	"	w3 *= w0\n"				// 14
	"	r5 -= r7\n"				// 15
	"	r4 = r5\n"				// 16
	"	r0 += -458748\n"			// 17
	"	if r3 < r4 goto 3f\n"			// 18
	"	w0 >>= w0\n"				// 19
	"3:	goto +0\n"				// 20
	"	exit\n"					// 21
	::: __clobber_all);
}

(e.g. it can be put into tools/testing/selftests/bpf/progs/verifier_and.c
or any other verifier_*.c).

Inserting a few printks shows that the following instructions are
verified in a loop:

... verification starts ...
[ 2.094272] do_check: env->insn_idx 0
[ 2.094345] do_check: env->insn_idx 1
[ 2.094417] do_check: env->insn_idx 2
[ 2.094486] do_check: env->insn_idx 3
[ 2.094585] do_check: env->insn_idx 4
[ 2.094675] do_check: env->insn_idx 5
[ 2.094748] do_check: env->insn_idx 21
[ 2.094879] do_check: env->insn_idx 6
[ 2.095005] do_check: env->insn_idx 7
[ 2.095074] do_check: env->insn_idx 8 <------ let's call this point LBL
[ 2.095156] do_check: env->insn_idx 9
[ 2.095264] do_check: env->insn_idx 8
[ 2.095372] do_check: env->insn_idx 9
[ 2.095497] do_check: env->insn_idx 8
[ 2.095579] do_check: env->insn_idx 9
[ 2.095716] do_check: env->insn_idx 8
[ 2.095892] do_check: env->insn_idx 9
[ 2.096070] do_check: env->insn_idx 8
[ 2.096151] do_check: env->insn_idx 9
[ 2.096314] do_check: env->insn_idx 8
[ 2.096402] do_check: env->insn_idx 9
[ 2.096570] do_check: env->insn_idx 8
[ 2.096646] do_check: env->insn_idx 9
[ 2.096840] do_check: env->insn_idx 8
[ 2.096921] do_check: env->insn_idx 9
[ 2.097040] do_check: env->insn_idx 10
[ 2.097113] do_check: env->insn_idx 11
[ 2.097195] do_check: env->insn_idx 12
[ 2.097417] do_check: env->insn_idx 13
[ 2.097521] do_check: env->insn_idx 14
[ 2.097597] do_check: env->insn_idx 15
[ 2.097688] do_check: env->insn_idx 16
[ 2.097774] do_check: env->insn_idx 17
[ 2.097866] do_check: env->insn_idx 18
[ 2.097990] do_check: env->insn_idx 19
[ 2.098050] do_check: env->insn_idx 20
[ 2.098119] do_check: env->insn_idx 21
[ 2.098195] do_check: env->insn_idx 20
[ 2.098347] do_check: env->insn_idx 21
[ 2.098414] do_check: env->insn_idx 14
[ 2.098556] do_check: env->insn_idx 15
[ 2.098629] do_check: env->insn_idx 16
[ 2.098700] do_check: env->insn_idx 17
[ 2.098767] do_check: env->insn_idx 18
[ 2.098842] do_check: env->insn_idx 8
[ 2.098984] do_check: env->insn_idx 9
[ 2.099108] do_check: env->insn_idx 8
[ 2.099171] do_check: env->insn_idx 9
[ 2.099304] do_check: env->insn_idx 8
[ 2.099368] do_check: env->insn_idx 9
[ 2.099505] do_check: env->insn_idx 8
[ 2.099568] do_check: env->insn_idx 9
[ 2.099703] do_check: env->insn_idx 8
[ 2.099774] do_check: env->insn_idx 9
[ 2.099921] do_check: env->insn_idx 8
[ 2.099984] do_check: env->insn_idx 9
[ 2.100133] do_check: env->insn_idx 8
[ 2.100200] do_check: env->insn_idx 9
[ 2.100349] do_check: env->insn_idx 8
[ 2.100413] do_check: env->insn_idx 9
[ 2.100503] do_check: env->insn_idx 10
[ 2.100566] do_check: env->insn_idx 11
[ 2.100636] do_check: env->insn_idx 12
[ 2.100813] do_check: env->insn_idx 13
[ 2.100909] do_check: env->insn_idx 14
[ 2.100972] do_check: env->insn_idx 15
[ 2.101047] do_check: env->insn_idx 16
[ 2.101117] do_check: env->insn_idx 17
[ 2.101185] do_check: env->insn_idx 18
[ 2.101250] do_check: env->insn_idx 14
[ 2.101389] do_check: env->insn_idx 15
[ 2.101462] do_check: env->insn_idx 16
[ 2.101531] do_check: env->insn_idx 17
[ 2.101598] do_check: env->insn_idx 18

... verification repeats from LBL ...

[...]
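The trace above shows the verifier revisiting instructions 8 and 9 (the `2: w7 += 447767737; if w7 & 0x702000 goto 2b` pair) over and over. The JSET at insn 9 tests bits the verifier cannot resolve for r7, which it only knows as the range of the u16 loaded into r6, so each visit forks both successors. As an added example that is not part of the email, the Python below executes that two-instruction loop concretely with 32-bit wraparound for a given start value, and sweeps every possible u16 start to find the longest concrete trip count. The constants are the ones from the reproducer; the function names and the trip-count limit are this example's own assumptions. It goes slightly beyond the email by checking all 65536 starts rather than the single run the reproducer performs.

```python
"""Concrete model of insns 8-9 of the syzbot reproducer (labels 2: / 2b).

Added example for illustration; it is not part of the original email or
of the kernel selftests.  Constants come from the reproducer itself.
"""

MASK32 = 0xFFFFFFFF
ADD_CONST = 447767737   # insn 8:  w7 += 447767737   (0x1AB064B9, odd)
JSET_MASK = 0x702000    # insn 9:  if w7 & 0x702000 goto 2b  (bits 13, 20, 21, 22)


def run_loop(w7_start, limit=1 << 32):
    """Execute `2: w7 += C; if w7 & M goto 2b` with 32-bit wraparound.

    Returns (iterations, final_w7).  `w7_start` models `r7 = r6` where r6
    was loaded as a u16, so callers pass values in 0..65535.

    `limit` is a safety guard chosen for this example (an assumption, not
    something the verifier does).  It is never reached: ADD_CONST is odd,
    so k*C mod 2**32 visits every residue and some k clears the masked bits.
    """
    w7 = w7_start & MASK32
    iterations = 0
    while True:
        w7 = (w7 + ADD_CONST) & MASK32      # insn 8, ALU32 add wraps at 2**32
        iterations += 1
        if w7 & JSET_MASK == 0:             # insn 9 not taken: loop exits
            return iterations, w7
        if iterations >= limit:
            raise RuntimeError("loop did not terminate within limit")


def worst_case_over_u16():
    """Sweep every u16 start value (the range the verifier knows for r6).

    Returns (max_iterations, first_start_value_reaching_it).  This is the
    bound a concrete execution is subject to; the verifier, working on a
    range rather than a single value, cannot see it from the JSET alone.
    """
    worst = (0, 0)
    for start in range(1 << 16):
        n, _ = run_loop(start)
        if n > worst[0]:
            worst = (n, start)
    return worst


if __name__ == "__main__":
    n, final = run_loop(0)
    print(f"start=0: exits after {n} iterations, w7=0x{final:08x}")
    print("worst case over all u16 starts (iterations, start):",
          worst_case_over_u16())
```

Starting from w7 = 0 the loop exits after 16 additions with w7 = 0xAB064B90 (bits 13 and 20-22 all clear for the first time), and the sweep shows a small finite bound for every u16 start; compare that with the trace, where the verifier keeps re-entering insn 8 without being able to prove the same thing from the range it tracks.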