syzbot

 sign-in | mailing list | source | docs
🐞 Open [956] Subsystems 🐞 Fixed [4572] 🐞 Invalid [10551] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

WARNING in btf_type_id_size

Status: fixed on 2023/02/24 13:50
Labels: bpf (incorrect?)
Reported-by: syzbot+6280ebbcdba3e0c14fde@syzkaller.appspotmail.com
Fix commit: ea68376c8bed bpf: prevent decl_tag from being referenced in func_proto
First crash: 239d, last: 164d

Cause bisection: introduced by (bisect log) :
commit b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef
Author: Yonghong Song <yhs@fb.com>
Date: Tue Sep 14 22:30:15 2021 +0000

  bpf: Support for new btf kind BTF_KIND_TAG

Crash: WARNING in btf_type_id_size (log)
Repro: C syz .config
Discussions (3)
Title Replies (including bot) Last reply
[PATCH bpf-next 1/2] selftests/bpf: Add reproducer for decl_tag in func_proto return type 6 (6) 2022/10/17 18:32
[syzbot] WARNING in btf_type_id_size 4 (5) 2022/10/17 18:30
[PATCH bpf-next] bpf: remove WARN_ON_ONCE from btf_type_id_size 3 (3) 2022/10/13 21:35
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 WARNING in btf_type_id_size origin:upstream C 2 17d 18d 0/3 upstream: reported C repro on 2023/05/21 01:39
upstream WARNING in btf_type_id_size (2) bpf C error 6 18d 14d 1/24 upstream: reported C repro on 2023/05/24 19:44

Sample crash report:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3630 at kernel/bpf/btf.c:1946 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1946
Modules linked in:
CPU: 0 PID: 3630 Comm: syz-executor189 Not tainted 6.1.0-rc6-syzkaller-00308-g644e9524388a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1946
Code: ef e8 5b 6a e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 59 6d e4 ff 44 89 fe bf 0e 00 00 00 e8 fc 69 e4 ff e8 47 6d e4 ff <0f> 0b 45 31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 32 6d e4 ff 44
RSP: 0018:ffffc90003bcfb40 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88807cde3a80 RSI: ffffffff819babd9 RDI: 0000000000000005
RBP: ffff888012f20a00 R08: 0000000000000005 R09: 000000000000000e
R10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000011 R14: ffff8880204d2018 R15: 0000000000000011
FS:  0000555555aa4300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000a95258 CR3: 000000001d8f7000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 btf_func_proto_check kernel/bpf/btf.c:4500 [inline]
 btf_check_all_types kernel/bpf/btf.c:4728 [inline]
 btf_parse_type_sec kernel/bpf/btf.c:4757 [inline]
 btf_parse kernel/bpf/btf.c:5031 [inline]
 btf_new_fd+0x159a/0x1ec0 kernel/bpf/btf.c:6897
 bpf_btf_load kernel/bpf/syscall.c:4324 [inline]
 __sys_bpf+0x18f2/0x4f40 kernel/bpf/syscall.c:5010
 __do_sys_bpf kernel/bpf/syscall.c:5069 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5067 [inline]
 __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5067
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f38a84b6c59
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd7821d9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f38a84b6c59
RDX: 0000000000000020 RSI: 0000000020000000 RDI: 0000000000000012
RBP: 00007f38a847ae00 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f38a847ae90
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Crashes (10):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/11/27 06:08 upstream 644e9524388a 74a66371 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root WARNING in btf_type_id_size
2022/10/24 04:35 upstream a70385240892 23bf86af .config strace log report syz C [disk image] [vmlinux] ci-upstream-kasan-gce-root WARNING in btf_type_id_size
2022/11/15 18:19 bpf 5fd2a60aecf3 97de9cfc .config strace log report syz C ci-upstream-bpf-kasan-gce WARNING in btf_type_id_size
2022/10/12 11:13 bpf 0326074ff465 16a9c9e0 .config strace log report syz C ci-upstream-bpf-kasan-gce WARNING in btf_type_id_size
2022/11/15 18:10 net-next-old f12ed9c04804 97de9cfc .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING in btf_type_id_size
2022/10/12 14:23 bpf-next d31ada3b5111 16a9c9e0 .config strace log report syz C ci-upstream-bpf-next-kasan-gce WARNING in btf_type_id_size
2022/10/12 11:48 net-next-old 0326074ff465 16a9c9e0 .config strace log report syz C ci-upstream-net-kasan-gce WARNING in btf_type_id_size
2022/11/15 19:44 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 9e4ce762f0e7 97de9cfc .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 WARNING in btf_type_id_size
2022/10/12 06:42 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 16a9c9e0 .config console log report syz C [disk image] [vmlinux] ci-upstream-gce-arm64 WARNING in btf_type_id_size
2022/12/26 05:48 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a5541c0811a0 9da18ae8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 WARNING in btf_type_id_size
* Struck through repros no longer work on HEAD.