Re: BUG: unable to handle kernel paging request in bpf_dispatcher_xdp

From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Jiri Olsa <olsajiri@gmail.com>
Cc: Hao Sun <sunhao.th@gmail.com>,
	Peter Zijlstra <peterz@infradead.org>, bpf <bpf@vger.kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
	KP Singh <kpsingh@kernel.org>,
	Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
	David Miller <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Jesper Dangaard Brouer <hawk@kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	netdev <netdev@vger.kernel.org>,
	Thorsten Leemhuis <regressions@leemhuis.info>
Subject: Re: BUG: unable to handle kernel paging request in bpf_dispatcher_xdp
Date: Thu, 8 Dec 2022 09:48:52 -0800	[thread overview]
Message-ID: <CAADnVQJ+9oiPEJaSgoXOmZwUEq9FnyLR3Kp38E_vuQo2PmDsbg@mail.gmail.com> (raw)
In-Reply-To: <CAADnVQ+w-xtH=oWPYszG-TqxcHmbrKJK10C=P-o2Ouicx-9OUA@mail.gmail.com>

On Wed, Dec 7, 2022 at 11:57 AM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Tue, Dec 6, 2022 at 7:18 AM Jiri Olsa <olsajiri@gmail.com> wrote:
> >
> > On Tue, Dec 06, 2022 at 02:46:43PM +0800, Hao Sun wrote:
> > > Hao Sun <sunhao.th@gmail.com> 于2022年12月6日周二 11:28写道：
> > > >
> > > > Hi,
> > > >
> > > > The following crash can be triggered with the BPF prog provided.
> > > > It seems the verifier passed some invalid progs. I will try to simplify
> > > > the C reproducer, for now, the following can reproduce this:
> > > >
> > > > HEAD commit: ab0350c743d5 selftests/bpf: Fix conflicts with built-in
> > > > functions in bpf_iter_ksym
> > > > git tree: bpf-next
> > > > console log: https://pastebin.com/raw/87RCSnCs
> > > > kernel config: https://pastebin.com/raw/rZdWLcgK
> > > > Syz reproducer: https://pastebin.com/raw/4kbwhdEv
> > > > C reproducer: https://pastebin.com/raw/GFfDn2Gk
> > > >
> > >
> > > Simplified C reproducer: https://pastebin.com/raw/aZgLcPvW
> > >
> > > Only two syscalls are required to reproduce this, seems it's an issue
> > > in XDP test run. Essentially, the reproducer just loads a very simple
> > > prog and tests run repeatedly and concurrently:
> > >
> > > r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000640)=@base={0x6, 0xb,
> > > &(0x7f0000000500)}, 0x80)
> > > bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000140)={r0, 0x0, 0x0, 0x0, 0x0,
> > > 0x0, 0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x48)
> > >
> > > Loaded prog:
> > >    0: (18) r0 = 0x0
> > >    2: (18) r6 = 0x0
> > >    4: (18) r7 = 0x0
> > >    6: (18) r8 = 0x0
> > >    8: (18) r9 = 0x0
> > >   10: (95) exit
> >
> > hi,
> > I can reproduce with your config.. it seems related to the
> > recent static call change:
> >   c86df29d11df bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)
> >
> > I can't reproduce when I revert that commit.. Peter, any idea?
>
> Jiri,
>
> I see your tested-by tag on Peter's commit c86df29d11df.
> I assume you're actually tested it, but
> this syzbot oops shows that even empty bpf prog crashes,
> so there is something wrong with that commit.
>
> What is the difference between this new kconfig and old one that
> you've tested?
>
> I'm trying to understand the severity of the issues and
> whether we need to revert that commit asap since the merge window
> is about to start.

Jiri, Peter,

ping.

cc-ing Thorsten, since he's tracking it now.

The config has CONFIG_X86_KERNEL_IBT=y.
Is it related?