[syzbot] [bpf?] WARNING in convert_ctx_accesses (2)
2 views
Skip to first unread message
syzbot
Sep 13, 2025, 4:23:34 AM (yesterday) Sep 13
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, s...@fomichev.me, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hello,
syzbot found the following issue on:
HEAD commit: 22f20375f5b7 Merge tag 'pci-v6.17-fixes-3' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1003d642580000
kernel config: https://syzkaller.appspot.com/x/.config?x=13bd892ec3b155a2
dashboard link: https://syzkaller.appspot.com/bug?extid=136ca59d411f92e821b7
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1782f362580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c09b12580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-22f20375.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2e4b3490c173/vmlinux-22f20375.xz
kernel image: https://storage.googleapis.com/syzbot-assets/884bdc12ee68/Image-22f20375.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+136ca5...@syzkaller.appspotmail.com
------------[ cut here ]------------
verifier bug: error during ctx access conversion (0)(1)
WARNING: CPU: 0 PID: 3603 at kernel/bpf/verifier.c:21452 convert_ctx_accesses+0x9b0/0xb04 kernel/bpf/verifier.c:21452
Modules linked in:
CPU: 0 UID: 0 PID: 3603 Comm: syz.2.17 Not tainted syzkaller #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
pstate: 61402009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : convert_ctx_accesses+0x9b0/0xb04 kernel/bpf/verifier.c:21452
lr : convert_ctx_accesses+0x9b0/0xb04 kernel/bpf/verifier.c:21452
sp : ffff8000894e39e0
x29: ffff8000894e39e0 x28: fcf0000012540000 x27: 0000000000000002
x26: f4ff800083265058 x25: 0000000000000000 x24: 0000000000000000
x23: ffff8000816c4744 x22: 0000000000000004 x21: 0000000000000002
x20: 0000000000000004 x19: ffff80008242a948 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000002
x14: f6f00000086b0080 x13: 0000000000000400 x12: 000000007e4ab000
x11: 00000023a2977bad x10: f6f00000086b0080 x9 : fbf0000007523c00
x8 : 0000000000000001 x7 : f6f00000086b0080 x6 : 0000000000000002
x5 : 0000000000000297 x4 : 0000000000000297 x3 : f5f0000005c20400
x2 : 0000000000000000 x1 : 0000000000000000 x0 : f6f00000086b0000
Call trace:
convert_ctx_accesses+0x9b0/0xb04 kernel/bpf/verifier.c:21452 (P)
bpf_check+0x12f8/0x2aac kernel/bpf/verifier.c:24743
bpf_prog_load+0x634/0xb74 kernel/bpf/syscall.c:2979
__sys_bpf+0x2e0/0x1a3c kernel/bpf/syscall.c:6029
__do_sys_bpf kernel/bpf/syscall.c:6139 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6137 [inline]
__arm64_sys_bpf+0x24/0x34 kernel/bpf/syscall.c:6137
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
el0_svc+0x34/0x10c arch/arm64/kernel/entry-common.c:879
el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 22f20375f5b7 Merge tag 'pci-v6.17-fixes-3' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1003d642580000
kernel config: https://syzkaller.appspot.com/x/.config?x=13bd892ec3b155a2
dashboard link: https://syzkaller.appspot.com/bug?extid=136ca59d411f92e821b7
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1782f362580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c09b12580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-22f20375.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2e4b3490c173/vmlinux-22f20375.xz
kernel image: https://storage.googleapis.com/syzbot-assets/884bdc12ee68/Image-22f20375.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+136ca5...@syzkaller.appspotmail.com
------------[ cut here ]------------
verifier bug: error during ctx access conversion (0)(1)
WARNING: CPU: 0 PID: 3603 at kernel/bpf/verifier.c:21452 convert_ctx_accesses+0x9b0/0xb04 kernel/bpf/verifier.c:21452
Modules linked in:
CPU: 0 UID: 0 PID: 3603 Comm: syz.2.17 Not tainted syzkaller #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
pstate: 61402009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : convert_ctx_accesses+0x9b0/0xb04 kernel/bpf/verifier.c:21452
lr : convert_ctx_accesses+0x9b0/0xb04 kernel/bpf/verifier.c:21452
sp : ffff8000894e39e0
x29: ffff8000894e39e0 x28: fcf0000012540000 x27: 0000000000000002
x26: f4ff800083265058 x25: 0000000000000000 x24: 0000000000000000
x23: ffff8000816c4744 x22: 0000000000000004 x21: 0000000000000002
x20: 0000000000000004 x19: ffff80008242a948 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000002
x14: f6f00000086b0080 x13: 0000000000000400 x12: 000000007e4ab000
x11: 00000023a2977bad x10: f6f00000086b0080 x9 : fbf0000007523c00
x8 : 0000000000000001 x7 : f6f00000086b0080 x6 : 0000000000000002
x5 : 0000000000000297 x4 : 0000000000000297 x3 : f5f0000005c20400
x2 : 0000000000000000 x1 : 0000000000000000 x0 : f6f00000086b0000
Call trace:
convert_ctx_accesses+0x9b0/0xb04 kernel/bpf/verifier.c:21452 (P)
bpf_check+0x12f8/0x2aac kernel/bpf/verifier.c:24743
bpf_prog_load+0x634/0xb74 kernel/bpf/syscall.c:2979
__sys_bpf+0x2e0/0x1a3c kernel/bpf/syscall.c:6029
__do_sys_bpf kernel/bpf/syscall.c:6139 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6137 [inline]
__arm64_sys_bpf+0x24/0x34 kernel/bpf/syscall.c:6137
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
el0_svc+0x34/0x10c arch/arm64/kernel/entry-common.c:879
el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages