[v6.6] KASAN: slab-out-of-bounds Write in __bpf_get_stackid
1 view
Skip to first unread message
syzbot
Aug 11, 2025, 4:18:31 PM8/11/25
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3a8ababb8b6a Linux 6.6.101
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=131c85a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2bd95b6de4839b7
dashboard link: https://syzkaller.appspot.com/bug?extid=b4c4e05f4bac3bcb453e
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ae2055ece513/disk-3a8ababb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/72f91e4de841/vmlinux-3a8ababb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3dae292c190e/bzImage-3a8ababb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4c4e0...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
Write of size 32 at addr ffff88807634d890 by task syz.0.943/8380
CPU: 0 PID: 8380 Comm: syz.0.943 Not tainted 6.6.101-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xac/0x220 mm/kasan/report.c:468
kasan_report+0x117/0x150 mm/kasan/report.c:581
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x288/0x290 mm/kasan/generic.c:187
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
__bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1892 [inline]
bpf_get_stackid_raw_tp+0x196/0x200 kernel/trace/bpf_trace.c:1881
bpf_prog_e95a4a16f042d2d7+0x29/0x2d
bpf_dispatcher_nop_func include/linux/bpf.h:1213 [inline]
__bpf_prog_run include/linux/filter.h:605 [inline]
bpf_prog_run include/linux/filter.h:619 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2322 [inline]
bpf_trace_run10+0x3a2/0x450 kernel/trace/bpf_trace.c:2369
__bpf_trace_percpu_alloc_percpu+0x365/0x3f0 include/trace/events/percpu.h:11
trace_percpu_alloc_percpu include/trace/events/percpu.h:11 [inline]
pcpu_alloc+0x1747/0x18d0 mm/percpu.c:1880
bpf_map_alloc_percpu+0xb9/0x1a0 kernel/bpf/syscall.c:466
bpf_map_init_elem_count include/linux/bpf.h:2159 [inline]
htab_map_alloc+0x342/0xe50 kernel/bpf/hashtab.c:524
map_create+0x877/0x1110 kernel/bpf/syscall.c:1245
__sys_bpf+0x5f0/0x800 kernel/bpf/syscall.c:5449
__do_sys_bpf kernel/bpf/syscall.c:5571 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5569 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5569
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f55cf38ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f55d026c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f55cf5b5fa0 RCX: 00007f55cf38ebe9
RDX: 0000000000000048 RSI: 0000200000000840 RDI: 0000000000000000
RBP: 00007f55cf411e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f55cf5b6038 R14: 00007f55cf5b5fa0 R15: 00007ffe040d0f28
</TASK>
Allocated by task 8380:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node+0xb4/0x230 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:301 [inline]
bpf_map_area_alloc+0x5e/0x110 kernel/bpf/syscall.c:314
prealloc_elems_and_freelist+0x86/0x1c0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x33a/0x4c0 kernel/bpf/stackmap.c:114
map_create+0x877/0x1110 kernel/bpf/syscall.c:1245
__sys_bpf+0x5f0/0x800 kernel/bpf/syscall.c:5449
__do_sys_bpf kernel/bpf/syscall.c:5571 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5569 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5569
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88807634d880
which belongs to the cache kmalloc-cg-32 of size 32
The buggy address is located 16 bytes inside of
allocated 24-byte region [ffff88807634d880, ffff88807634d898)
The buggy address belongs to the physical page:
page:ffffea0001d8d340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7634d
memcg:ffff8880242a5801
anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff88801784d8c0 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080400040 00000001ffffffff ffff8880242a5801
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5764, tgid 5764 (rm), ts 75264524624, free_ts 30217707901
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
prep_new_page mm/page_alloc.c:1561 [inline]
get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
__alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
alloc_slab_page+0x5d/0x170 mm/slub.c:1876
allocate_slab mm/slub.c:2023 [inline]
new_slab+0x87/0x2e0 mm/slub.c:2076
___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230
__slab_alloc mm/slub.c:3329 [inline]
__slab_alloc_node mm/slub.c:3382 [inline]
slab_alloc_node mm/slub.c:3475 [inline]
__kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1098
kmalloc include/linux/slab.h:600 [inline]
single_open+0x5a/0x240 fs/seq_file.c:575
proc_reg_open+0x25a/0x550 fs/proc/inode.c:532
do_dentry_open+0x8c6/0x1500 fs/open.c:929
do_open fs/namei.c:3632 [inline]
path_openat+0x274b/0x3190 fs/namei.c:3789
do_filp_open+0x1c5/0x3d0 fs/namei.c:3816
do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
do_sys_open fs/open.c:1434 [inline]
__do_sys_openat fs/open.c:1450 [inline]
__se_sys_openat fs/open.c:1445 [inline]
__x64_sys_openat+0x139/0x160 fs/open.c:1445
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1154 [inline]
free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
free_contig_range+0xa1/0x160 mm/page_alloc.c:6369
destroy_args+0x87/0x770 mm/debug_vm_pgtable.c:1015
debug_vm_pgtable+0x3cc/0x410 mm/debug_vm_pgtable.c:1395
do_one_initcall+0x1fd/0x750 init/main.c:1238
do_initcall_level+0x137/0x1f0 init/main.c:1300
do_initcalls+0x69/0xd0 init/main.c:1316
kernel_init_freeable+0x3d2/0x570 init/main.c:1553
kernel_init+0x1d/0x1c0 init/main.c:1443
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
Memory state around the buggy address:
ffff88807634d780: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff88807634d800: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88807634d880: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
^
ffff88807634d900: fa fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff88807634d980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 3a8ababb8b6a Linux 6.6.101
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=131c85a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2bd95b6de4839b7
dashboard link: https://syzkaller.appspot.com/bug?extid=b4c4e05f4bac3bcb453e
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ae2055ece513/disk-3a8ababb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/72f91e4de841/vmlinux-3a8ababb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3dae292c190e/bzImage-3a8ababb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4c4e0...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
Write of size 32 at addr ffff88807634d890 by task syz.0.943/8380
CPU: 0 PID: 8380 Comm: syz.0.943 Not tainted 6.6.101-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xac/0x220 mm/kasan/report.c:468
kasan_report+0x117/0x150 mm/kasan/report.c:581
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x288/0x290 mm/kasan/generic.c:187
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
__bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1892 [inline]
bpf_get_stackid_raw_tp+0x196/0x200 kernel/trace/bpf_trace.c:1881
bpf_prog_e95a4a16f042d2d7+0x29/0x2d
bpf_dispatcher_nop_func include/linux/bpf.h:1213 [inline]
__bpf_prog_run include/linux/filter.h:605 [inline]
bpf_prog_run include/linux/filter.h:619 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2322 [inline]
bpf_trace_run10+0x3a2/0x450 kernel/trace/bpf_trace.c:2369
__bpf_trace_percpu_alloc_percpu+0x365/0x3f0 include/trace/events/percpu.h:11
trace_percpu_alloc_percpu include/trace/events/percpu.h:11 [inline]
pcpu_alloc+0x1747/0x18d0 mm/percpu.c:1880
bpf_map_alloc_percpu+0xb9/0x1a0 kernel/bpf/syscall.c:466
bpf_map_init_elem_count include/linux/bpf.h:2159 [inline]
htab_map_alloc+0x342/0xe50 kernel/bpf/hashtab.c:524
map_create+0x877/0x1110 kernel/bpf/syscall.c:1245
__sys_bpf+0x5f0/0x800 kernel/bpf/syscall.c:5449
__do_sys_bpf kernel/bpf/syscall.c:5571 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5569 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5569
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f55cf38ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f55d026c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f55cf5b5fa0 RCX: 00007f55cf38ebe9
RDX: 0000000000000048 RSI: 0000200000000840 RDI: 0000000000000000
RBP: 00007f55cf411e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f55cf5b6038 R14: 00007f55cf5b5fa0 R15: 00007ffe040d0f28
</TASK>
Allocated by task 8380:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node+0xb4/0x230 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:301 [inline]
bpf_map_area_alloc+0x5e/0x110 kernel/bpf/syscall.c:314
prealloc_elems_and_freelist+0x86/0x1c0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x33a/0x4c0 kernel/bpf/stackmap.c:114
map_create+0x877/0x1110 kernel/bpf/syscall.c:1245
__sys_bpf+0x5f0/0x800 kernel/bpf/syscall.c:5449
__do_sys_bpf kernel/bpf/syscall.c:5571 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5569 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5569
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88807634d880
which belongs to the cache kmalloc-cg-32 of size 32
The buggy address is located 16 bytes inside of
allocated 24-byte region [ffff88807634d880, ffff88807634d898)
The buggy address belongs to the physical page:
page:ffffea0001d8d340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7634d
memcg:ffff8880242a5801
anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff88801784d8c0 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080400040 00000001ffffffff ffff8880242a5801
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5764, tgid 5764 (rm), ts 75264524624, free_ts 30217707901
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
prep_new_page mm/page_alloc.c:1561 [inline]
get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
__alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
alloc_slab_page+0x5d/0x170 mm/slub.c:1876
allocate_slab mm/slub.c:2023 [inline]
new_slab+0x87/0x2e0 mm/slub.c:2076
___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230
__slab_alloc mm/slub.c:3329 [inline]
__slab_alloc_node mm/slub.c:3382 [inline]
slab_alloc_node mm/slub.c:3475 [inline]
__kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1098
kmalloc include/linux/slab.h:600 [inline]
single_open+0x5a/0x240 fs/seq_file.c:575
proc_reg_open+0x25a/0x550 fs/proc/inode.c:532
do_dentry_open+0x8c6/0x1500 fs/open.c:929
do_open fs/namei.c:3632 [inline]
path_openat+0x274b/0x3190 fs/namei.c:3789
do_filp_open+0x1c5/0x3d0 fs/namei.c:3816
do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
do_sys_open fs/open.c:1434 [inline]
__do_sys_openat fs/open.c:1450 [inline]
__se_sys_openat fs/open.c:1445 [inline]
__x64_sys_openat+0x139/0x160 fs/open.c:1445
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1154 [inline]
free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
free_contig_range+0xa1/0x160 mm/page_alloc.c:6369
destroy_args+0x87/0x770 mm/debug_vm_pgtable.c:1015
debug_vm_pgtable+0x3cc/0x410 mm/debug_vm_pgtable.c:1395
do_one_initcall+0x1fd/0x750 init/main.c:1238
do_initcall_level+0x137/0x1f0 init/main.c:1300
do_initcalls+0x69/0xd0 init/main.c:1316
kernel_init_freeable+0x3d2/0x570 init/main.c:1553
kernel_init+0x1d/0x1c0 init/main.c:1443
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
Memory state around the buggy address:
ffff88807634d780: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff88807634d800: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88807634d880: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
^
ffff88807634d900: fa fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff88807634d980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Aug 11, 2025, 11:12:31 PM8/11/25
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 3a8ababb8b6a Linux 6.6.101
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=131a2842580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ae2055ece513/disk-3a8ababb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/72f91e4de841/vmlinux-3a8ababb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3dae292c190e/bzImage-3a8ababb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4c4e0...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
Write of size 32 at addr ffff88801d275850 by task syz.3.992/7013
CPU: 0 PID: 7013 Comm: syz.3.992 Not tainted 6.6.101-syzkaller #0
bpf_prog_alloc+0x3d/0x1b0 kernel/bpf/core.c:136
bpf_prog_load+0x6b8/0x16d0 kernel/bpf/syscall.c:2675
__sys_bpf+0x55a/0x800 kernel/bpf/syscall.c:5467
RAX: ffffffffffffffda RBX: 00007fa4c21b5fa0 RCX: 00007fa4c1f8ebe9
RDX: 0000000000000094 RSI: 0000200000000680 RDI: 0000000000000005
RBP: 00007fa4c2011e19 R08: 0000000000000000 R09: 0000000000000000
</TASK>
Allocated by task 7014:
The buggy address belongs to the physical page:
page:ffffea0000749d40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d275
memcg:ffff88805eb25801
raw: 0000000000000000 0000000080400040 00000001ffffffff ffff88805eb25801
legacy_init_fs_context+0x51/0xc0 fs/fs_context.c:704
alloc_fs_context+0x64b/0x7c0 fs/fs_context.c:318
do_new_mount+0x10f/0xa40 fs/namespace.c:3350
init_mount+0xd2/0x120 fs/init.c:25
devtmpfs_setup+0x74/0xd0 drivers/base/devtmpfs.c:419
devtmpfsd+0x15/0x50 drivers/base/devtmpfs.c:436
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
page_owner free stack trace missing
Memory state around the buggy address:
ffff88801d275700: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff88801d275780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88801d275800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
^
ffff88801d275880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff88801d275900: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 3a8ababb8b6a Linux 6.6.101
git tree: linux-6.6.y
kernel config: https://syzkaller.appspot.com/x/.config?x=a2bd95b6de4839b7
dashboard link: https://syzkaller.appspot.com/bug?extid=b4c4e05f4bac3bcb453e
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13ba45a2580000
dashboard link: https://syzkaller.appspot.com/bug?extid=b4c4e05f4bac3bcb453e
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ae2055ece513/disk-3a8ababb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/72f91e4de841/vmlinux-3a8ababb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3dae292c190e/bzImage-3a8ababb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4c4e0...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
CPU: 0 PID: 7013 Comm: syz.3.992 Not tainted 6.6.101-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xac/0x220 mm/kasan/report.c:468
kasan_report+0x117/0x150 mm/kasan/report.c:581
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x288/0x290 mm/kasan/generic.c:187
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
__bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1892 [inline]
bpf_get_stackid_raw_tp+0x196/0x200 kernel/trace/bpf_trace.c:1881
bpf_prog_e95a4a16f042d2d7+0x29/0x2d
bpf_dispatcher_nop_func include/linux/bpf.h:1213 [inline]
__bpf_prog_run include/linux/filter.h:605 [inline]
bpf_prog_run include/linux/filter.h:619 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2322 [inline]
bpf_trace_run10+0x3a2/0x450 kernel/trace/bpf_trace.c:2369
__bpf_trace_percpu_alloc_percpu+0x365/0x3f0 include/trace/events/percpu.h:11
trace_percpu_alloc_percpu include/trace/events/percpu.h:11 [inline]
pcpu_alloc+0x1747/0x18d0 mm/percpu.c:1880
bpf_prog_alloc_no_stats+0x109/0x440 kernel/bpf/core.c:107
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xac/0x220 mm/kasan/report.c:468
kasan_report+0x117/0x150 mm/kasan/report.c:581
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x288/0x290 mm/kasan/generic.c:187
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
__bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1892 [inline]
bpf_get_stackid_raw_tp+0x196/0x200 kernel/trace/bpf_trace.c:1881
bpf_prog_e95a4a16f042d2d7+0x29/0x2d
bpf_dispatcher_nop_func include/linux/bpf.h:1213 [inline]
__bpf_prog_run include/linux/filter.h:605 [inline]
bpf_prog_run include/linux/filter.h:619 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2322 [inline]
bpf_trace_run10+0x3a2/0x450 kernel/trace/bpf_trace.c:2369
__bpf_trace_percpu_alloc_percpu+0x365/0x3f0 include/trace/events/percpu.h:11
trace_percpu_alloc_percpu include/trace/events/percpu.h:11 [inline]
pcpu_alloc+0x1747/0x18d0 mm/percpu.c:1880
bpf_prog_alloc+0x3d/0x1b0 kernel/bpf/core.c:136
bpf_prog_load+0x6b8/0x16d0 kernel/bpf/syscall.c:2675
__sys_bpf+0x55a/0x800 kernel/bpf/syscall.c:5467
__do_sys_bpf kernel/bpf/syscall.c:5571 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5569 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5569
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fa4c1f8ebe9
__se_sys_bpf kernel/bpf/syscall.c:5569 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5569
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc9a336538 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fa4c21b5fa0 RCX: 00007fa4c1f8ebe9
RDX: 0000000000000094 RSI: 0000200000000680 RDI: 0000000000000005
RBP: 00007fa4c2011e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa4c21b5fa0 R14: 00007fa4c21b5fa0 R15: 0000000000000003
</TASK>
Allocated by task 7014:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node+0xb4/0x230 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:301 [inline]
bpf_map_area_alloc+0x5e/0x110 kernel/bpf/syscall.c:314
prealloc_elems_and_freelist+0x86/0x1c0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x33a/0x4c0 kernel/bpf/stackmap.c:114
map_create+0x877/0x1110 kernel/bpf/syscall.c:1245
__sys_bpf+0x5f0/0x800 kernel/bpf/syscall.c:5449
__do_sys_bpf kernel/bpf/syscall.c:5571 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5569 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5569
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88801d275840
kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node+0xb4/0x230 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:301 [inline]
bpf_map_area_alloc+0x5e/0x110 kernel/bpf/syscall.c:314
prealloc_elems_and_freelist+0x86/0x1c0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x33a/0x4c0 kernel/bpf/stackmap.c:114
map_create+0x877/0x1110 kernel/bpf/syscall.c:1245
__sys_bpf+0x5f0/0x800 kernel/bpf/syscall.c:5449
__do_sys_bpf kernel/bpf/syscall.c:5571 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5569 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5569
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
which belongs to the cache kmalloc-cg-32 of size 32
The buggy address is located 16 bytes inside of
allocated 24-byte region [ffff88801d275840, ffff88801d275858)
The buggy address is located 16 bytes inside of
The buggy address belongs to the physical page:
memcg:ffff88805eb25801
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff88801784d8c0 ffffea000069a900 0000000000000004
page_type: 0xffffffff()
raw: 0000000000000000 0000000080400040 00000001ffffffff ffff88805eb25801
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 25, tgid 25 (kdevtmpfs), ts 2331276322, free_ts 0
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
prep_new_page mm/page_alloc.c:1561 [inline]
get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
__alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
alloc_slab_page+0x5d/0x170 mm/slub.c:1876
allocate_slab mm/slub.c:2023 [inline]
new_slab+0x87/0x2e0 mm/slub.c:2076
___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230
__slab_alloc mm/slub.c:3329 [inline]
__slab_alloc_node mm/slub.c:3382 [inline]
slab_alloc_node mm/slub.c:3475 [inline]
__kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1098
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
prep_new_page mm/page_alloc.c:1561 [inline]
get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
__alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
alloc_slab_page+0x5d/0x170 mm/slub.c:1876
allocate_slab mm/slub.c:2023 [inline]
new_slab+0x87/0x2e0 mm/slub.c:2076
___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230
__slab_alloc mm/slub.c:3329 [inline]
__slab_alloc_node mm/slub.c:3382 [inline]
slab_alloc_node mm/slub.c:3475 [inline]
__kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1098
kmalloc include/linux/slab.h:600 [inline]
legacy_init_fs_context+0x51/0xc0 fs/fs_context.c:704
alloc_fs_context+0x64b/0x7c0 fs/fs_context.c:318
do_new_mount+0x10f/0xa40 fs/namespace.c:3350
init_mount+0xd2/0x120 fs/init.c:25
devtmpfs_setup+0x74/0xd0 drivers/base/devtmpfs.c:419
devtmpfsd+0x15/0x50 drivers/base/devtmpfs.c:436
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
page_owner free stack trace missing
Memory state around the buggy address:
ffff88801d275780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88801d275800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
^
ffff88801d275880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff88801d275900: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Feb 8, 2026, 1:00:35 AMFeb 8
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: c56aaf1a85ae Linux 6.6.123
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17226b22580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2a950bf7c0bff9f9
dashboard link: https://syzkaller.appspot.com/bug?extid=b4c4e05f4bac3bcb453e
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15be2a52580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10d6065a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d1f39421ae86/disk-c56aaf1a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9cd2888600b3/vmlinux-c56aaf1a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aaed2615bc69/bzImage-c56aaf1a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4c4e0...@syzkaller.appspotmail.com
hrtimer: interrupt took 57274 ns
CPU: 0 PID: 5930 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<IRQ>
dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xa8/0x210 mm/kasan/report.c:468
bpf_get_stackid_pe+0x343/0x410 kernel/bpf/stackmap.c:331
bpf_prog_fa73c8c086b491e8+0x29/0x39
bpf_dispatcher_nop_func include/linux/bpf.h:1224 [inline]
__bpf_prog_run include/linux/filter.h:616 [inline]
bpf_prog_run include/linux/filter.h:623 [inline]
bpf_overflow_handler+0x1fc/0x510 kernel/events/core.c:10547
__perf_event_overflow+0x447/0x630 kernel/events/core.c:9718
perf_swevent_hrtimer+0x4aa/0x570 kernel/events/core.c:11188
__run_hrtimer kernel/time/hrtimer.c:1750 [inline]
__hrtimer_run_queues+0x4eb/0xc40 kernel/time/hrtimer.c:1814
hrtimer_interrupt+0x3c9/0x9c0 kernel/time/hrtimer.c:1876
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1077 [inline]
__sysvec_apic_timer_interrupt+0xfb/0x3b0 arch/x86/kernel/apic/apic.c:1094
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
sysvec_apic_timer_interrupt+0x9f/0xc0 arch/x86/kernel/apic/apic.c:1088
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:perf_ioctl+0x2183/0x24a0 kernel/events/core.c:-1
Code: 39 de 0f 84 cb 00 00 00 e8 ba 8b d5 ff eb cb e8 b3 8b d5 ff 49 c7 c7 ea ff ff ff 4c 8b 74 24 10 41 c6 46 16 f8 41 c6 46 1a f8 <48> 8b 9c 24 98 00 00 00 48 89 df 48 83 c7 40 e8 29 58 db 08 48 89
RSP: 0018:ffffc90003347c00 EFLAGS: 00010246
RAX: ffffffff81b176cc RBX: 0000000000000000 RCX: ffff88802b541e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003347ed8 R08: ffff88802dafc007 R09: 1ffff11005b5f800
R10: dffffc0000000000 R11: ffffed1005b5f801 R12: 0000000040042408
R13: dffffc0000000000 R14: fffff52000668f94 R15: 0000000000000000
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fb24c59aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffda6c3e948 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb24c815fa0 RCX: 00007fb24c59aeb9
RDX: 0000000000000004 RSI: 0000000040042408 RDI: 0000000000000005
RBP: 00007fb24c608c1f R08: 0000000000000000 R09: 0000000000000000
</TASK>
Allocated by task 5930:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4e/0x70 mm/kasan/common.c:53
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:384
bpf_map_area_alloc+0x5e/0x110 kernel/bpf/syscall.c:316
__sys_bpf+0x651/0x890 kernel/bpf/syscall.c:5458
__do_sys_bpf kernel/bpf/syscall.c:5580 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5578 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5578
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88807600f700
which belongs to the cache kmalloc-cg-64 of size 64
The buggy address belongs to the physical page:
page:ffffea0001d803c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7600f
memcg:ffff8880760f1801
raw: 0000000000000000 0000000080200020 00000001ffffffff ffff8880760f1801
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1c1/0x200 mm/page_alloc.c:1581
prep_new_page mm/page_alloc.c:1588 [inline]
get_page_from_freelist+0x1951/0x19e0 mm/page_alloc.c:3220
__alloc_pages+0x1f0/0x460 mm/page_alloc.c:4486
alloc_slab_page+0x5d/0x160 mm/slub.c:1881
allocate_slab mm/slub.c:2028 [inline]
new_slab+0x87/0x2d0 mm/slub.c:2081
___slab_alloc+0xc5d/0x12f0 mm/slub.c:3253
__slab_alloc mm/slub.c:3339 [inline]
__slab_alloc_node mm/slub.c:3392 [inline]
slab_alloc_node mm/slub.c:3485 [inline]
__kmem_cache_alloc_node+0x19e/0x250 mm/slub.c:3534
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node+0xa4/0x230 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
kvmalloc_node+0x70/0x180 mm/util.c:617
kvmalloc include/linux/slab.h:738 [inline]
kvzalloc include/linux/slab.h:746 [inline]
allocate_hook_entries_size net/netfilter/core.c:61 [inline]
nf_hook_entries_grow+0x27d/0x6d0 net/netfilter/core.c:140
__nf_register_net_hook+0x2c9/0x910 net/netfilter/core.c:435
nf_register_net_hook+0xb2/0x190 net/netfilter/core.c:578
nf_register_net_hooks+0x44/0x1b0 net/netfilter/core.c:594
arpt_register_table+0x5f4/0x720 net/ipv4/netfilter/arp_tables.c:1561
arptable_filter_table_init+0x41/0x60 net/ipv4/netfilter/arptable_filter.c:39
xt_find_table_lock+0x306/0x3e0 net/netfilter/x_tables.c:1259
free_unref_page_prepare+0x7b2/0x8c0 mm/page_alloc.c:2365
free_unref_page+0x32/0x2e0 mm/page_alloc.c:2458
__slab_free+0x35a/0x400 mm/slub.c:3736
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x75/0xd0 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:306
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x6e/0x4b0 mm/slab.h:767
slab_alloc_node mm/slub.c:3495 [inline]
__kmem_cache_alloc_node+0x13a/0x250 mm/slub.c:3534
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc+0xa4/0x230 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
kzalloc include/linux/slab.h:721 [inline]
tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
tomoyo_encode+0x28b/0x540 security/tomoyo/realpath.c:80
tomoyo_mount_acl security/tomoyo/mount.c:150 [inline]
tomoyo_mount_permission+0x4bf/0x9c0 security/tomoyo/mount.c:237
security_sb_mount+0x87/0xc0 security/security.c:1375
path_mount+0xbc/0xff0 fs/namespace.c:3655
do_mount fs/namespace.c:3726 [inline]
__do_sys_mount fs/namespace.c:3935 [inline]
__se_sys_mount+0x2e7/0x3d0 fs/namespace.c:3912
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Memory state around the buggy address:
ffff88807600f600: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff88807600f680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff88807600f700: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807600f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807600f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 39 de cmp %ebx,%esi
2: 0f 84 cb 00 00 00 je 0xd3
8: e8 ba 8b d5 ff call 0xffd58bc7
d: eb cb jmp 0xffffffda
f: e8 b3 8b d5 ff call 0xffd58bc7
14: 49 c7 c7 ea ff ff ff mov $0xffffffffffffffea,%r15
1b: 4c 8b 74 24 10 mov 0x10(%rsp),%r14
20: 41 c6 46 16 f8 movb $0xf8,0x16(%r14)
25: 41 c6 46 1a f8 movb $0xf8,0x1a(%r14)
* 2a: 48 8b 9c 24 98 00 00 mov 0x98(%rsp),%rbx <-- trapping instruction
31: 00
32: 48 89 df mov %rbx,%rdi
35: 48 83 c7 40 add $0x40,%rdi
39: e8 29 58 db 08 call 0x8db5867
3e: 48 rex.W
3f: 89 .byte 0x89
HEAD commit: c56aaf1a85ae Linux 6.6.123
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17226b22580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2a950bf7c0bff9f9
dashboard link: https://syzkaller.appspot.com/bug?extid=b4c4e05f4bac3bcb453e
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15be2a52580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10d6065a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d1f39421ae86/disk-c56aaf1a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9cd2888600b3/vmlinux-c56aaf1a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aaed2615bc69/bzImage-c56aaf1a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4c4e0...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
Write of size 40 at addr ffff88807600f710 by task syz.0.17/5930
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
CPU: 0 PID: 5930 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<IRQ>
dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xa8/0x210 mm/kasan/report.c:468
kasan_report+0x117/0x150 mm/kasan/report.c:581
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x241/0x290 mm/kasan/generic.c:187
check_region_inline mm/kasan/generic.c:-1 [inline]
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
__bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
____bpf_get_stackid_pe kernel/bpf/stackmap.c:362 [inline]
__bpf_get_stackid+0x6bf/0x900 kernel/bpf/stackmap.c:271
bpf_get_stackid_pe+0x343/0x410 kernel/bpf/stackmap.c:331
bpf_prog_fa73c8c086b491e8+0x29/0x39
bpf_dispatcher_nop_func include/linux/bpf.h:1224 [inline]
__bpf_prog_run include/linux/filter.h:616 [inline]
bpf_prog_run include/linux/filter.h:623 [inline]
bpf_overflow_handler+0x1fc/0x510 kernel/events/core.c:10547
__perf_event_overflow+0x447/0x630 kernel/events/core.c:9718
perf_swevent_hrtimer+0x4aa/0x570 kernel/events/core.c:11188
__run_hrtimer kernel/time/hrtimer.c:1750 [inline]
__hrtimer_run_queues+0x4eb/0xc40 kernel/time/hrtimer.c:1814
hrtimer_interrupt+0x3c9/0x9c0 kernel/time/hrtimer.c:1876
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1077 [inline]
__sysvec_apic_timer_interrupt+0xfb/0x3b0 arch/x86/kernel/apic/apic.c:1094
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
sysvec_apic_timer_interrupt+0x9f/0xc0 arch/x86/kernel/apic/apic.c:1088
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:perf_ioctl+0x2183/0x24a0 kernel/events/core.c:-1
Code: 39 de 0f 84 cb 00 00 00 e8 ba 8b d5 ff eb cb e8 b3 8b d5 ff 49 c7 c7 ea ff ff ff 4c 8b 74 24 10 41 c6 46 16 f8 41 c6 46 1a f8 <48> 8b 9c 24 98 00 00 00 48 89 df 48 83 c7 40 e8 29 58 db 08 48 89
RSP: 0018:ffffc90003347c00 EFLAGS: 00010246
RAX: ffffffff81b176cc RBX: 0000000000000000 RCX: ffff88802b541e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003347ed8 R08: ffff88802dafc007 R09: 1ffff11005b5f800
R10: dffffc0000000000 R11: ffffed1005b5f801 R12: 0000000040042408
R13: dffffc0000000000 R14: fffff52000668f94 R15: 0000000000000000
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fb24c59aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffda6c3e948 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb24c815fa0 RCX: 00007fb24c59aeb9
RDX: 0000000000000004 RSI: 0000000040042408 RDI: 0000000000000005
RBP: 00007fb24c608c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb24c815fac R14: 00007fb24c815fa0 R15: 00007fb24c815fa0
</TASK>
Allocated by task 5930:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4e/0x70 mm/kasan/common.c:53
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node+0xb4/0x230 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:303 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node+0xb4/0x230 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
bpf_map_area_alloc+0x5e/0x110 kernel/bpf/syscall.c:316
prealloc_elems_and_freelist+0x86/0x1c0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x33a/0x4c0 kernel/bpf/stackmap.c:114
map_create+0x877/0x12f0 kernel/bpf/syscall.c:1247
stack_map_alloc+0x33a/0x4c0 kernel/bpf/stackmap.c:114
__sys_bpf+0x651/0x890 kernel/bpf/syscall.c:5458
__do_sys_bpf kernel/bpf/syscall.c:5580 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5578 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5578
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88807600f700
which belongs to the cache kmalloc-cg-64 of size 64
The buggy address is located 16 bytes inside of
allocated 40-byte region [ffff88807600f700, ffff88807600f728)
The buggy address belongs to the physical page:
memcg:ffff8880760f1801
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888017c4da00 dead000000000122 0000000000000000
page_type: 0xffffffff()
raw: 0000000000000000 0000000080200020 00000001ffffffff ffff8880760f1801
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 5884, tgid 5884 (syz-executor), ts 102651226628, free_ts 102646597102
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1c1/0x200 mm/page_alloc.c:1581
prep_new_page mm/page_alloc.c:1588 [inline]
get_page_from_freelist+0x1951/0x19e0 mm/page_alloc.c:3220
__alloc_pages+0x1f0/0x460 mm/page_alloc.c:4486
alloc_slab_page+0x5d/0x160 mm/slub.c:1881
allocate_slab mm/slub.c:2028 [inline]
new_slab+0x87/0x2d0 mm/slub.c:2081
___slab_alloc+0xc5d/0x12f0 mm/slub.c:3253
__slab_alloc mm/slub.c:3339 [inline]
__slab_alloc_node mm/slub.c:3392 [inline]
slab_alloc_node mm/slub.c:3485 [inline]
__kmem_cache_alloc_node+0x19e/0x250 mm/slub.c:3534
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node+0xa4/0x230 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
kvmalloc_node+0x70/0x180 mm/util.c:617
kvmalloc include/linux/slab.h:738 [inline]
kvzalloc include/linux/slab.h:746 [inline]
allocate_hook_entries_size net/netfilter/core.c:61 [inline]
nf_hook_entries_grow+0x27d/0x6d0 net/netfilter/core.c:140
__nf_register_net_hook+0x2c9/0x910 net/netfilter/core.c:435
nf_register_net_hook+0xb2/0x190 net/netfilter/core.c:578
nf_register_net_hooks+0x44/0x1b0 net/netfilter/core.c:594
arpt_register_table+0x5f4/0x720 net/ipv4/netfilter/arp_tables.c:1561
arptable_filter_table_init+0x41/0x60 net/ipv4/netfilter/arptable_filter.c:39
xt_find_table_lock+0x306/0x3e0 net/netfilter/x_tables.c:1259
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1181 [inline]
reset_page_owner include/linux/page_owner.h:24 [inline]
free_unref_page_prepare+0x7b2/0x8c0 mm/page_alloc.c:2365
free_unref_page+0x32/0x2e0 mm/page_alloc.c:2458
__slab_free+0x35a/0x400 mm/slub.c:3736
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x75/0xd0 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:306
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x6e/0x4b0 mm/slab.h:767
slab_alloc_node mm/slub.c:3495 [inline]
__kmem_cache_alloc_node+0x13a/0x250 mm/slub.c:3534
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc+0xa4/0x230 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
kzalloc include/linux/slab.h:721 [inline]
tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
tomoyo_encode+0x28b/0x540 security/tomoyo/realpath.c:80
tomoyo_mount_acl security/tomoyo/mount.c:150 [inline]
tomoyo_mount_permission+0x4bf/0x9c0 security/tomoyo/mount.c:237
security_sb_mount+0x87/0xc0 security/security.c:1375
path_mount+0xbc/0xff0 fs/namespace.c:3655
do_mount fs/namespace.c:3726 [inline]
__do_sys_mount fs/namespace.c:3935 [inline]
__se_sys_mount+0x2e7/0x3d0 fs/namespace.c:3912
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Memory state around the buggy address:
ffff88807600f680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff88807600f700: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807600f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807600f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 39 de cmp %ebx,%esi
2: 0f 84 cb 00 00 00 je 0xd3
8: e8 ba 8b d5 ff call 0xffd58bc7
d: eb cb jmp 0xffffffda
f: e8 b3 8b d5 ff call 0xffd58bc7
14: 49 c7 c7 ea ff ff ff mov $0xffffffffffffffea,%r15
1b: 4c 8b 74 24 10 mov 0x10(%rsp),%r14
20: 41 c6 46 16 f8 movb $0xf8,0x16(%r14)
25: 41 c6 46 1a f8 movb $0xf8,0x1a(%r14)
* 2a: 48 8b 9c 24 98 00 00 mov 0x98(%rsp),%rbx <-- trapping instruction
31: 00
32: 48 89 df mov %rbx,%rdi
35: 48 83 c7 40 add $0x40,%rdi
39: e8 29 58 db 08 call 0x8db5867
3e: 48 rex.W
3f: 89 .byte 0x89
Reply all
Reply to author
Forward
0 new messages