WARNING in bpf_check


sanan....@gmail.com

Jun 26, 2026, 5:29:03 PM
to a...@kernel.org, dan...@iogearbox.net, john.fa...@gmail.com, and...@kernel.org, marti...@linux.dev, edd...@gmail.com, so...@kernel.org, yongho...@linux.dev, kps...@kernel.org, s...@fomichev.me, hao...@google.com, jo...@kernel.org, b...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com, con...@pgazz.com
Good day, dear maintainers,

We found a bug using a modified version of syzkaller.

Kernel Branch: 7.0-rc1
Kernel Config: <https://drive.google.com/open?id=1k9D2rcoA6Ta2EKqEXXLkEqia9y0Pezfk>
Unfortunately, we don't have any reproducer for this bug yet.
Thank you!

Best regards,
Sanan Hasanov

------------[ cut here ]------------
verifier bug: error during ctx access conversion (1)
WARNING: kernel/bpf/verifier.c:22670 at convert_ctx_accesses kernel/bpf/verifier.c:22670 [inline], CPU#0: syz.5.97/11999
WARNING: kernel/bpf/verifier.c:22670 at bpf_check+0x11a77/0x1c9a0 kernel/bpf/verifier.c:26032, CPU#0: syz.5.97/11999
Modules linked in:
CPU: 0 UID: 0 PID: 11999 Comm: syz.5.97 Not tainted 7.0.0-rc1 #1 PREEMPT_{RT,(full)}
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:convert_ctx_accesses kernel/bpf/verifier.c:22670 [inline]
RIP: 0010:bpf_check+0x11a79/0x1c9a0 kernel/bpf/verifier.c:26032
Code: 84 a7 00 00 41 88 1e 83 7c 24 08 00 0f 84 8e 00 00 00 e8 0a 1e de ff e9 fc 40 00 00 e8 00 1e de ff 48 8d 3d f9 87 ef 0f 89 de <67> 48 0f b9 3a 48 8b bc 24 78 01 00 00 48 c7 c6 c0 7f 78 8c 89 da
RSP: 0018:ffffc9000c19f640 EFLAGS: 00010283
RAX: ffffffff81bb16f0 RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc9000f4d1000 RSI: 0000000000000001 RDI: ffffffff91aa9ef0
RBP: ffffc9000c19fb30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000040 R12: 0000000000000004
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000002
FS: 00007f01a33266c0(0000) GS:ffff88809826b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01a5347dac CR3: 000000004a65a000 CR4: 00000000000006f0
Call Trace:
<TASK>
bpf_prog_load+0x13be/0x19e0 kernel/bpf/syscall.c:3089
__sys_bpf+0x5c8/0x8a0 kernel/bpf/syscall.c:6228
__do_sys_bpf kernel/bpf/syscall.c:6341 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6339 [inline]
__x64_sys_bpf+0x81/0x90 kernel/bpf/syscall.c:6339
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x160/0x760 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f01a50d3b6d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01a3326018 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f01a5345fa0 RCX: 00007f01a50d3b6d
RDX: 0000000000000080 RSI: 0000200000000140 RDI: 0000000000000005
RBP: 00007f01a5177c3e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f01a5346038 R14: 00007f01a5345fa0 R15: 00007ffe12d33220
</TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
0: a7 cmpsl %es:(%rdi),%ds:(%rsi)
1: 00 00 add %al,(%rax)
3: 41 88 1e mov %bl,(%r14)
6: 83 7c 24 08 00 cmpl $0x0,0x8(%rsp)
b: 0f 84 8e 00 00 00 je 0x9f
11: e8 0a 1e de ff call 0xffde1e20
16: e9 fc 40 00 00 jmp 0x4117
1b: e8 00 1e de ff call 0xffde1e20
20: 48 8d 3d f9 87 ef 0f lea 0xfef87f9(%rip),%rdi # 0xfef8820
27: 89 de mov %ebx,%esi
* 29: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2e: 48 8b bc 24 78 01 00 mov 0x178(%rsp),%rdi
35: 00
36: 48 c7 c6 c0 7f 78 8c mov $0xffffffff8c787fc0,%rsi
3d: 89 da mov %ebx,%edx

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>

Modules linked in:
CPU: 0 UID: 0 PID: 11999 Comm: syz.5.97 Not tainted 7.0.0-rc1 #1 PREEMPT_{RT,(full)}
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:bpf_check+0x11a79/0x1c9a0
Code: 84 a7 00 00 41 88 1e 83 7c 24 08 00 0f 84 8e 00 00 00 e8 0a 1e de ff e9 fc 40 00 00 e8 00 1e de ff 48 8d 3d f9 87 ef 0f 89 de <67> 48 0f b9 3a 48 8b bc 24 78 01 00 00 48 c7 c6 c0 7f 78 8c 89 da
RSP: 0018:ffffc9000c19f640 EFLAGS: 00010283
RAX: ffffffff81bb16f0 RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc9000f4d1000 RSI: 0000000000000001 RDI: ffffffff91aa9ef0
RBP: ffffc9000c19fb30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000040 R12: 0000000000000004
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000002
FS: 00007f01a33266c0(0000) GS:ffff88809826b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01a5347dac CR3: 000000004a65a000 CR4: 00000000000006f0
Call Trace:
<TASK>
bpf_prog_load+0x13be/0x19e0
__sys_bpf+0x5c8/0x8a0
__x64_sys_bpf+0x81/0x90
do_syscall_64+0x160/0x760
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f01a50d3b6d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01a3326018 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f01a5345fa0 RCX: 00007f01a50d3b6d
RDX: 0000000000000080 RSI: 0000200000000140 RDI: 0000000000000005
RBP: 00007f01a5177c3e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f01a5346038 R14: 00007f01a5345fa0 R15: 00007ffe12d33220
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 0 UID: 0 PID: 11999 Comm: syz.5.97 Not tainted 7.0.0-rc1 #1 PREEMPT_{RT,(full)}
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
vpanic+0x424/0xa30
panic+0xbe/0xc0
__warn+0x31c/0x500
__report_bug+0x28d/0x500
report_bug_entry+0x19a/0x280
handle_bug+0xca/0x200
exc_invalid_op+0x1a/0x50
asm_exc_invalid_op+0x1a/0x20
RIP: 0010:bpf_check+0x11a79/0x1c9a0
Code: 84 a7 00 00 41 88 1e 83 7c 24 08 00 0f 84 8e 00 00 00 e8 0a 1e de ff e9 fc 40 00 00 e8 00 1e de ff 48 8d 3d f9 87 ef 0f 89 de <67> 48 0f b9 3a 48 8b bc 24 78 01 00 00 48 c7 c6 c0 7f 78 8c 89 da
RSP: 0018:ffffc9000c19f640 EFLAGS: 00010283
RAX: ffffffff81bb16f0 RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc9000f4d1000 RSI: 0000000000000001 RDI: ffffffff91aa9ef0
RBP: ffffc9000c19fb30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000040 R12: 0000000000000004
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000002
bpf_prog_load+0x13be/0x19e0
__sys_bpf+0x5c8/0x8a0
__x64_sys_bpf+0x81/0x90
do_syscall_64+0x160/0x760
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f01a50d3b6d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01a3326018 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f01a5345fa0 RCX: 00007f01a50d3b6d
RDX: 0000000000000080 RSI: 0000200000000140 RDI: 0000000000000005
RBP: 00007f01a5177c3e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f01a5346038 R14: 00007f01a5345fa0 R15: 00007ffe12d33220
</TASK>
Kernel Offset: disabled

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>