Hi BPF maintainers,
I'm reporting a bug I encountered in the BPF subsystem on Linux kernel version <<5.19.5>>, <<6.15.0-rc2-00577-g8066e388be48-dirty>>, <<6.15.3>>.
I wrote a BPF program that triggered a verifier rejection, but at the same time, the kernel emitted a BUG() warning at <<kernel/bpf/hashtab.c:222>>, suggesting a potential kernel-side issue rather than just verifier rejection. Later on, I discovered that constructing any ebpf Verifier rejection behavior within the specified code snippets would trigger this kernel bug.
- Miniest poc code:
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
struct mac_table_entry
{
struct bpf_timer expiration_timer;
__u32 ifindex;
__u64 last_seen_timestamp_ns;
struct in_addr border_ip;
};
struct
{
__uint(type, BPF_MAP_TYPE_HASH);
__type(key, struct mac_address);
__type(value, struct mac_table_entry);
__uint(max_entries, 4 * 1024 * 1024);
__uint(pinning, LIBBPF_PIN_BY_NAME);
} mac_table SEC(".maps");
SEC("xdp.frags")
long mac_xdp_func(struct xdp_md *ctx)
{
// Constructing any code segment that does not meet the requirements of BPF Validator
// can trigger a kernel BUG: sleeping function called from invalid context at kernel/bpf/hashtab.c:222:
while(1){
__u32 j;
}
return XDP_PASS;
}
char LICENSE[] SEC("license") = "Dual BSD/GPL";
- Kernel version: <<6.15.3...>>
- Architecture: <<x86_64>>
- dmesg excerpt: <<BUG: sleeping function called from invalid context at kernel/bpf/hashtab.c:222>>
Detailed info including reproducible BPF program and kernel logs have been filed on Bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=220278
Please let me know if you need more information or if I can help test a patch.
Thanks,
Le Chen;
tom2cat@xxxxxxxxxxx;
