bpf_get_stack from test_verifier in ubuntu_bpf failed on Bionic 5.0

Bug #1881263 reported by Po-Hsu Lin
This bug affects 1 person
Affects              Status      Importance  Assigned to  Milestone
ubuntu-kernel-tests  New         Undecided   Unassigned
linux (Ubuntu)       Incomplete  Undecided   Unassigned

Bug Description

Issue found on 5.0.0-49.53~18.04.1-generic in proposed, but passed with 5.0.0-48.52~18.04.1-generic

 #724/p bpf_get_stack return R0 within range FAIL
 Failed to load prog 'Success'!
 0: (bf) r6 = r1
 1: (7a) *(u64 *)(r10 -8) = 0
 2: (bf) r2 = r10
 3: (07) r2 += -8
 4: (18) r1 = 0xffffa0ca73b8d400
 6: (85) call bpf_map_lookup_elem#1
 7: (15) if r0 == 0x0 goto pc+28
 R0=map_value(id=0,off=0,ks=8,vs=48,imm=0) R6=ctx(id=0,off=0,imm=0) R10=fp0,call_-1 fp-8=mmmmmmmm
 8: (bf) r7 = r0
 9: (b7) r9 = 48
 10: (bf) r1 = r6
 11: (bf) r2 = r7
 12: (b7) r3 = 48
 13: (b7) r4 = 256
 14: (85) call bpf_get_stack#67
 R0=map_value(id=0,off=0,ks=8,vs=48,imm=0) R1_w=ctx(id=0,off=0,imm=0) R2_w=map_value(id=0,off=0,ks=8,vs=48,imm=0) R3_w=inv48 R4_w=inv256 R6=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=8,vs=48,imm=0) R9_w=inv48 R10=fp0,call_-1 fp-8=mmmmmmmm
 15: (b7) r1 = 0
 16: (bf) r8 = r0
 17: (67) r8 <<= 32
 18: (c7) r8 s>>= 32
 19: (cd) if r1 s< r8 goto pc+16
 R0=inv(id=0,umax_value=48,var_off=(0x0; 0x3f)) R1=inv0 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=48,imm=0) R8=inv0 R9=inv48 R10=fp0,call_-1 fp-8=mmmmmmmm
 20: (1f) r9 -= r8
 21: (bf) r2 = r7
 22: (0f) r2 += r8
 23: (bf) r1 = r9
 24: (67) r1 <<= 32
 25: (c7) r1 s>>= 32
 26: (bf) r3 = r2
 27: (0f) r3 += r1
 28: (bf) r1 = r7
 29: (b7) r5 = 48
 30: (0f) r1 += r5
 31: (3d) if r3 >= r1 goto pc+4
 R0=inv(id=0,umax_value=48,var_off=(0x0; 0x3f)) R1=map_value(id=0,off=48,ks=8,vs=48,imm=0) R2=map_value(id=0,off=0,ks=8,vs=48,imm=0) R3=map_value(id=0,off=48,ks=8,vs=48,imm=0) R5=inv48 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=48,imm=0) R8=inv0 R9=inv48 R10=fp0,call_-1 fp-8=mmmmmmmm
 32: (bf) r1 = r6
 33: (bf) r3 = r9
 34: (b7) r4 = 0
 35: (85) call bpf_get_stack#67
 R0=inv(id=0,umax_value=48,var_off=(0x0; 0x3f)) R1_w=ctx(id=0,off=0,imm=0) R2=map_value(id=0,off=0,ks=8,vs=48,imm=0) R3_w=inv48 R4_w=inv0 R5=inv48 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=48,imm=0) R8=inv0 R9=inv48 R10=fp0,call_-1 fp-8=mmmmmmmm
 36: (95) exit

 from 35 to 36: R0=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=48,imm=0) R8=inv0 R9=inv48 R10=fp0,call_-1 fp-8=mmmmmmmm
 36: (95) exit

 from 31 to 36: safe

 from 19 to 36: safe

 from 14 to 15: R0=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=48,imm=0) R9=inv48 R10=fp0,call_-1 fp-8=mmmmmmmm
 15: (b7) r1 = 0
 16: (bf) r8 = r0
 17: (67) r8 <<= 32
 18: (c7) r8 s>>= 32
 19: (cd) if r1 s< r8 goto pc+16
 R0=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R1=inv0 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=48,imm=0) R8=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R9=inv48 R10=fp0,call_-1 fp-8=mmmmmmmm
 20: (1f) r9 -= r8
 21: (bf) r2 = r7
 22: (0f) r2 += r8
 value -2147483648 makes map_value pointer be out of bounds

With 5.0.0-48.52~18.04.1-generic the test will pass:
    #724/p bpf_get_stack return R0 within range OK

Po-Hsu Lin (cypressyew)
tags: added: 5.0 kqa-blocker sru-20200518 ubuntu-bpf
summary: - bpf_get_stack from test_verifier in ubuntu_bpf failed on 5.0
+ bpf_get_stack from test_verifier in ubuntu_bpf failed on Bionic 5.0
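
Added example, not part of the bug report or the kernel selftests: it decodes the R0 state on the "from 14 to 15" line of the log above and replays instructions 17-18 on its bounds, showing where the verifier's -2147483648 comes from. The function names are hypothetical, BPF_MAX_VAR_OFF is taken from the kernel source rather than from this page, and offset_is_sane is a simplified model of the verifier's check.

```python
import re

# Kernel limit on a variable pointer offset (value from the kernel source, not this page).
BPF_MAX_VAR_OFF = 1 << 29

# R0 state copied from the "from 14 to 15" line of the log above.
FAILING_R0 = ("R0=inv(id=0,umin_value=18446744071562067968,"
              "var_off=(0xffffffff80000000; 0x7fffffff))")


def parse_var_off(state):
    """Return the tnum (value, mask): mask bits are unknown, all others equal value."""
    m = re.search(r"var_off=\((0x[0-9a-f]+); (0x[0-9a-f]+)\)", state)
    if m is None:
        raise ValueError("no var_off in register state")
    return int(m.group(1), 16), int(m.group(2), 16)


def sext32(x):
    """Model insns 17-18 (r8 <<= 32; r8 s>>= 32): sign-extend the low 32 bits."""
    low = x & 0xFFFFFFFF
    return low - (1 << 32) if low & 0x80000000 else low


def r8_signed_range(state):
    """Signed [min, max] of r8 after insn 18, derived from R0's var_off."""
    value, mask = parse_var_off(state)
    if mask >> 31:
        # Bit 31 unknown: the sign of the result is unknown, so the
        # min/max computed below would not be valid bounds.
        raise ValueError("mask covers bit 31 or above; not handled here")
    # Unknown bits all 0 give the smallest value, all 1 the largest.
    return sext32(value), sext32(value | mask)


def offset_is_sane(smin):
    """Simplified model of the check that prints
    'value ... makes map_value pointer be out of bounds' at insn 22."""
    return -BPF_MAX_VAR_OFF < smin < BPF_MAX_VAR_OFF


if __name__ == "__main__":
    smin, smax = r8_signed_range(FAILING_R0)
    print(f"r8 in [{smin}, {smax}], sane pointer offset: {offset_is_sane(smin)}")
```
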
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1881263

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: bionic
Po-Hsu Lin (cypressyew) wrote :

A quick check shows it's also affecting GKE 5.0

Passed on 5.0.0-1037.38.
Failed on 5.0.0-1038.39 with the same failure.

tags: added: gke
removed: bionic
Kleber Sacilotto de Souza (kleber-souza) wrote :

The test passed after reverting the following commit:

commit 6a57c5920a738e7b2061d7926c5e73121e6081ac
Author: Daniel Borkmann <email address hidden>
Date: Tue Apr 21 14:58:22 2020 +0200

    bpf: fix buggy r0 retval refinement for tracing helpers

    BugLink: https://bugs.launchpad.net/bugs/1876956

Po-Hsu Lin (cypressyew) wrote :

This failure can be found on B-OEM-OSP1 5.0 as well.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (linux-hwe-5.0/5.0.0-57.61~18.04.1)

All autopkgtests for the newly accepted linux-hwe-5.0 (5.0.0-57.61~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

linux-hwe-5.0/5.0.0-57.61~18.04.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-hwe-5.0

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!
