BPF: general protection fault in xsk_map_update_elem


梅开彦

Feb 1, 2026, 9:59:41 PM (6 days ago) Feb 1
to b...@vger.kernel.org, hust-os-ker...@googlegroups.com, ddd...@hust.edu.cn, dz...@hust.edu.cn
Our fuzzer discovered a gpf vulnerability in the BPF subsystem. The crash can be triggered on bpf-next(93ce3bee311d6f885bffb4a83843bddbe6b126be). We have not yet been able to develop a stable PoC to reproduce this vulnerability, but we will continue to analyze it further and test whether it can be triggered on the latest bpf-next branch.

Reported-by: Kaiyan Mei <M2024...@hust.edu.cn>
Reported-by: Yinhao Hu <ddd...@hust.edu.cn>
Reviewed-by: Dongliang Mu <dz...@hust.edu.cn>

# Crash Report
```
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 UID: 0 PID: 13844 Comm: syz.6.334 Not tainted 6.18.0-rc4-g93ce3bee311d #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:xsk_map_update_elem+0x18a/0x830 net/xdp/xskmap.c:181
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c1 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 75 18 49 8d 7e 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 01 0f 8e 50 05 00 00 45 0f b7 7e 10 bf
RSP: 0018:ffa000002a7179f8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ff11000132c4c000 RCX: ffa0000016b57000
RDX: 0000000000000002 RSI: ffffffff8b27f412 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000483ee5c
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ff1100006ed52e00 R14: 0000000000000000 R15: 1ff40000054e2f65
FS: 00007f3f3aee8640(0000) GS:ff1100010ccd0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c31218d CR3: 000000001cfa1000 CR4: 0000000000753ef0
PKRU: 80000000
Call Trace:
<TASK>
bpf_map_update_value+0x755/0x1050 kernel/bpf/syscall.c:294
map_update_elem+0x5a8/0x900 kernel/bpf/syscall.c:1822
__sys_bpf+0x27c2/0x5390 kernel/bpf/syscall.c:6159
__do_sys_bpf kernel/bpf/syscall.c:6281 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6279 [inline]
__x64_sys_bpf+0x7d/0xc0 kernel/bpf/syscall.c:6279
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3f39fadead
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3f3aee7f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f3f3a1e5fa0 RCX: 00007f3f39fadead
RDX: 0000000000000020 RSI: 0000200000000240 RDI: 0000000000000002
RBP: 00007f3f3a047d9f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f3f3a1e5fa0 R15: 00007f3f3aec8000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:xsk_map_update_elem+0x18a/0x830 net/xdp/xskmap.c:181
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c1 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 75 18 49 8d 7e 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 01 0f 8e 50 05 00 00 45 0f b7 7e 10 bf
RSP: 0018:ffa000002a7179f8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ff11000132c4c000 RCX: ffa0000016b57000
RDX: 0000000000000002 RSI: ffffffff8b27f412 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000483ee5c
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ff1100006ed52e00 R14: 0000000000000000 R15: 1ff40000054e2f65
FS: 00007f3f3aee8640(0000) GS:ff1100010ccd0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe69a5d9760 CR3: 000000001cfa1000 CR4: 0000000000753ef0
PKRU: 80000000
----------------
Code disassembly (best guess):
0: 48 89 fa mov %rdi,%rdx
3: 48 c1 ea 03 shr $0x3,%rdx
7: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
b: 0f 85 c1 05 00 00 jne 0x5d2
11: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
18: fc ff df
1b: 4d 8b 75 18 mov 0x18(%r13),%r14
1f: 49 8d 7e 10 lea 0x10(%r14),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 01 cmp $0x1,%al
34: 0f 8e 50 05 00 00 jle 0x58a
3a: 45 0f b7 7e 10 movzwl 0x10(%r14),%r15d
3f: bf .byte 0xbf

```

## Kernel Configuration Requirements for Reproduction

The vulnerability can be triggered with the kernel config in the attachment. Additionally, we provide the execution logs in Syzkaller format and the reproduction logs to facilitate further verification.

repro0
log0
config-next
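The "non-canonical address" in a KASAN-instrumented GPF is the shadow byte the check was reading, not the pointer the kernel dereferenced. Decoding it is the first triage step for any report like this one; the script below is an added example (not part of the report or the kernel), using the two oops header lines above as constructed input.

```python
# Added example, not part of the report: decode the KASAN shadow address that
# appears as the "non-canonical address" in an x86-64 general protection fault
# back to the memory address the trapping instruction tried to access.
import re

# x86-64 constants for generic CONFIG_KASAN
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_SCALE_SHIFT = 3      # one shadow byte covers 8 bytes of memory
KASAN_GRANULE_SIZE = 1 << KASAN_SHADOW_SCALE_SHIFT

# Constructed input: the two header lines of the oops in the report.
SAMPLE_OOPS = """\
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
"""

def shadow_to_addr(shadow):
    """Invert KASAN's mapping shadow = (addr >> 3) + KASAN_SHADOW_OFFSET."""
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT

def granule_range(addr):
    """The 8-byte granule one shadow byte stands for, as (first, last)."""
    first = addr & ~(KASAN_GRANULE_SIZE - 1)
    return first, first + KASAN_GRANULE_SIZE - 1

def classify(addr):
    """Simplified from the kernel's kasan_non_canonical_hook(): below PAGE_SIZE
    is reported as a NULL pointer dereference."""
    return "null-ptr-deref" if addr < 0x1000 else "wild-memory-access"

def parse_oops(text):
    """Extract the shadow address and KASAN's own range from an oops header."""
    shadow = re.search(r"non-canonical address (0x[0-9a-f]+)", text)
    rng = re.search(r"in range \[(0x[0-9a-f]+)-(0x[0-9a-f]+)\]", text)
    if not shadow or not rng:
        raise ValueError("not a KASAN-instrumented GPF report")
    return int(shadow.group(1), 16), (int(rng.group(1), 16), int(rng.group(2), 16))

def decode(text):
    """Return (accessed_addr, computed_range, kasan_range, kind, consistent)."""
    shadow, kasan_range = parse_oops(text)
    addr = shadow_to_addr(shadow)
    rng = granule_range(addr)
    return addr, rng, kasan_range, classify(addr), rng == kasan_range

if __name__ == "__main__":
    addr, rng, kasan_range, kind, ok = decode(SAMPLE_OOPS)
    print(f"access at {addr:#x} ({kind}), granule {rng[0]:#x}-{rng[1]:#x}, "
          f"matches KASAN line: {ok}")
```

The register dump agrees with the decoded value: RDI holds 0x10 (the `lea 0x10(%r14)` with R14 = 0), RDX its shifted value 2, and RAX the shadow offset, which is exactly the `movzbl (%rdx,%rax,1)` that trapped.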

Alexei Starovoitov

Feb 1, 2026, 10:44:39 PM (6 days ago) Feb 1
to 梅开彦, bpf, hust-os-ker...@googlegroups.com, Yinhao Hu, Dongliang Mu
On Sun, Feb 1, 2026 at 6:59 PM 梅开彦 <kai...@hust.edu.cn> wrote:
>
> Our fuzzer discovered a gpf vulnerability in the BPF subsystem. The crash can be triggered on bpf-next(93ce3bee311d6f885bffb4a83843bddbe6b126be).

...

> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
> CPU: 0 UID: 0 PID: 13844 Comm: syz.6.334 Not tainted 6.18.0-rc4-g93ce3bee311d #3 PREEMPT(full)

Same bogus report. Not worth anyone's time.