Comment 2 for bug 1763454

I'm taking a guess at the cause of this kernel panic:

commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467 was backported from upstream kernel into the Ubuntu kernel.

But this part was not backported:

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4213,6 +4216,8 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len,
        memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
        memcpy(new_data + off + cnt - 1, old_data + off,
               sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
+ for (i = off; i < off + cnt - 1; i++)
+ new_data[i].seen = true;
        env->insn_aux_data = new_data;
        vfree(old_data);
        return 0;

The likely reason for omission is that the Ubuntu kernel does not have this function in kernel/bpf/verifier.c, so there was no place to apply the patch snippet above. In upstream kernel, adjust_insn_aux_data() is called from fixup_bpf_calls() and that function was not in kernel/bpf/verifier.c yet in Ubuntu kernel.

However, semantically, the patch should have been applied in kernel/bpf/syscall.c, which is the file where fixup_bpf_calls() was located before it got refactored by commit e245c5c6a5656.

As a result, the BPF_CALL instruction is mistakenly considered not seen by the verifier so the BPF instructions for array_map_lookup_elem() are not emitted.