[syzbot] [bpf?] inconsistent lock state in bpf_lru_push_free
4 views
Skip to first unread message
syzbot
Dec 22, 2025, 2:02:26āÆPM12/22/25
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@fomichev.me, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hello,
syzbot found the following issue on:
HEAD commit: f785a31395d9 bpf: arm64: Fix sparse warnings
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1122d392580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4aa52bacc0658d1
dashboard link: https://syzkaller.appspot.com/bug?extid=c69a0a2c816716f1e0d5
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1780f584580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7e044cc52f4d/disk-f785a313.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5af05af9fe6f/vmlinux-f785a313.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e8bd1bb41f24/bzImage-f785a313.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c69a0a...@syzkaller.appspotmail.com
================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {INITIAL USE} -> {IN-NMI} usage.
syz.0.17/5989 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffffe8ffffc2f8d8 (&l->lock#2){....}-{2:2}, at: bpf_lru_push_free+0x13e/0x520 kernel/bpf/bpf_lru_list.c:-1
{INITIAL USE} state was registered at:
lock_acquire+0x117/0x340 kernel/locking/lockdep.c:5868
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
bpf_percpu_lru_pop_free kernel/bpf/bpf_lru_list.c:407 [inline]
bpf_lru_pop_free+0xcb/0x19b0 kernel/bpf/bpf_lru_list.c:494
prealloc_lru_pop kernel/bpf/hashtab.c:299 [inline]
htab_lru_map_update_elem+0x168/0x8a0 kernel/bpf/hashtab.c:1215
bpf_map_update_value+0x751/0x920 kernel/bpf/syscall.c:294
generic_map_update_batch+0x5a9/0x810 kernel/bpf/syscall.c:2038
bpf_map_do_batch+0x39b/0x630 kernel/bpf/syscall.c:5647
__sys_bpf+0x750/0x8a0 kernel/bpf/syscall.c:-1
__do_sys_bpf kernel/bpf/syscall.c:6320 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6318 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6318
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
irq event stamp: 19654
hardirqs last enabled at (19653): [<ffffffff8b5b413e>] syscall_enter_from_user_mode include/linux/entry-common.h:108 [inline]
hardirqs last enabled at (19653): [<ffffffff8b5b413e>] do_syscall_64+0xbe/0xf80 arch/x86/entry/syscall_64.c:90
hardirqs last disabled at (19654): [<ffffffff8b5b8058>] exc_debug_kernel+0x68/0x150 arch/x86/kernel/traps.c:1233
softirqs last enabled at (19590): [<ffffffff81d3246b>] bpf_prog_load+0x14fb/0x1a10 kernel/bpf/syscall.c:3118
softirqs last disabled at (19588): [<ffffffff81d0e0bd>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (19588): [<ffffffff81d0e0bd>] bpf_ksym_add+0x2d/0x340 kernel/bpf/core.c:640
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&l->lock#2);
<Interrupt>
lock(&l->lock#2);
*** DEADLOCK ***
no locks held by syz.0.17/5989.
stack backtrace:
CPU: 0 UID: 0 PID: 5989 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<#DB>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_usage_bug+0x28b/0x2e0 kernel/locking/lockdep.c:4042
lock_acquire+0x1f8/0x340 kernel/locking/lockdep.c:5859
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
bpf_lru_push_free+0x13e/0x520 kernel/bpf/bpf_lru_list.c:-1
htab_lru_push_free kernel/bpf/hashtab.c:1183 [inline]
htab_lru_map_delete_elem+0x3a3/0x410 kernel/bpf/hashtab.c:1464
bpf_prog_464bc2be3fc7c272+0x43/0x4b
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_overflow_handler kernel/events/core.c:10303 [inline]
__perf_event_overflow+0x39c/0xe70 kernel/events/core.c:10402
perf_swevent_overflow kernel/events/core.c:10536 [inline]
perf_swevent_event+0x4f8/0x5e0 kernel/events/core.c:10574
perf_bp_event+0x251/0x300 kernel/events/core.c:11395
hw_breakpoint_handler arch/x86/kernel/hw_breakpoint.c:556 [inline]
hw_breakpoint_exceptions_notify+0x244/0x680 arch/x86/kernel/hw_breakpoint.c:587
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
atomic_notifier_call_chain+0xda/0x180 kernel/notifier.c:223
notify_die+0x130/0x180 kernel/notifier.c:588
notify_debug+0x2e/0x50 arch/x86/kernel/traps.c:1208
exc_debug_kernel+0xbe/0x150 arch/x86/kernel/traps.c:1270
asm_exc_debug+0x1e/0x40 arch/x86/include/asm/idtentry.h:654
RIP: 0010:rep_movs_alternative+0x4a/0x90 arch/x86/lib/copy_user_64.S:74
Code: 48 04 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 8b 06 48 89 07 48 83 c6 08 48 83 c7 08 83 e9 08 74 db 83 f9 08 73 e8 eb c5 <f3> a4 e9 8f 48 04 00 48 8b 06 48 89 07 48 8d 47 08 48 83 e0 f8 48
RSP: 0018:ffffc90003697cf8 EFLAGS: 00050202
RAX: 00007ffffffff001 RBX: 0000000000000050 RCX: 000000000000000f
RDX: 0000000000000001 RSI: 0000200000000301 RDI: ffffc90003697da1
RBP: ffffc90003697ea8 R08: ffffc90003697daf R09: 1ffff920006d2fb5
R10: dffffc0000000000 R11: fffff520006d2fb6 R12: ffffc90003697d60
R13: 0000000000000050 R14: ffffc90003697d60 R15: 00002000000002c0
</#DB>
<TASK>
copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
raw_copy_from_user arch/x86/include/asm/uaccess_64.h:141 [inline]
_inline_copy_from_user include/linux/uaccess.h:185 [inline]
_copy_from_user+0x7a/0xb0 lib/usercopy.c:18
copy_from_user include/linux/uaccess.h:223 [inline]
copy_from_bpfptr_offset include/linux/bpfptr.h:53 [inline]
copy_from_bpfptr include/linux/bpfptr.h:59 [inline]
__sys_bpf+0x1f2/0x8a0 kernel/bpf/syscall.c:6180
__do_sys_bpf kernel/bpf/syscall.c:6320 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6318 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6318
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efcc198f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efcc2754038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007efcc1be5fa0 RCX: 00007efcc198f749
RDX: 0000000000000050 RSI: 00002000000002c0 RDI: 000000000000000a
RBP: 00007efcc1a13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efcc1be6038 R14: 00007efcc1be5fa0 R15: 00007ffd9db831a8
</TASK>
----------------
Code disassembly (best guess):
0: 48 04 00 rex.W add $0x0,%al
3: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 00 nopl (%rax)
10: 48 8b 06 mov (%rsi),%rax
13: 48 89 07 mov %rax,(%rdi)
16: 48 83 c6 08 add $0x8,%rsi
1a: 48 83 c7 08 add $0x8,%rdi
1e: 83 e9 08 sub $0x8,%ecx
21: 74 db je 0xfffffffe
23: 83 f9 08 cmp $0x8,%ecx
26: 73 e8 jae 0x10
28: eb c5 jmp 0xffffffef
* 2a: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2c: e9 8f 48 04 00 jmp 0x448c0
31: 48 8b 06 mov (%rsi),%rax
34: 48 89 07 mov %rax,(%rdi)
37: 48 8d 47 08 lea 0x8(%rdi),%rax
3b: 48 83 e0 f8 and $0xfffffffffffffff8,%rax
3f: 48 rex.W
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: f785a31395d9 bpf: arm64: Fix sparse warnings
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1122d392580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4aa52bacc0658d1
dashboard link: https://syzkaller.appspot.com/bug?extid=c69a0a2c816716f1e0d5
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1780f584580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7e044cc52f4d/disk-f785a313.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5af05af9fe6f/vmlinux-f785a313.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e8bd1bb41f24/bzImage-f785a313.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c69a0a...@syzkaller.appspotmail.com
================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {INITIAL USE} -> {IN-NMI} usage.
syz.0.17/5989 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffffe8ffffc2f8d8 (&l->lock#2){....}-{2:2}, at: bpf_lru_push_free+0x13e/0x520 kernel/bpf/bpf_lru_list.c:-1
{INITIAL USE} state was registered at:
lock_acquire+0x117/0x340 kernel/locking/lockdep.c:5868
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
bpf_percpu_lru_pop_free kernel/bpf/bpf_lru_list.c:407 [inline]
bpf_lru_pop_free+0xcb/0x19b0 kernel/bpf/bpf_lru_list.c:494
prealloc_lru_pop kernel/bpf/hashtab.c:299 [inline]
htab_lru_map_update_elem+0x168/0x8a0 kernel/bpf/hashtab.c:1215
bpf_map_update_value+0x751/0x920 kernel/bpf/syscall.c:294
generic_map_update_batch+0x5a9/0x810 kernel/bpf/syscall.c:2038
bpf_map_do_batch+0x39b/0x630 kernel/bpf/syscall.c:5647
__sys_bpf+0x750/0x8a0 kernel/bpf/syscall.c:-1
__do_sys_bpf kernel/bpf/syscall.c:6320 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6318 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6318
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
irq event stamp: 19654
hardirqs last enabled at (19653): [<ffffffff8b5b413e>] syscall_enter_from_user_mode include/linux/entry-common.h:108 [inline]
hardirqs last enabled at (19653): [<ffffffff8b5b413e>] do_syscall_64+0xbe/0xf80 arch/x86/entry/syscall_64.c:90
hardirqs last disabled at (19654): [<ffffffff8b5b8058>] exc_debug_kernel+0x68/0x150 arch/x86/kernel/traps.c:1233
softirqs last enabled at (19590): [<ffffffff81d3246b>] bpf_prog_load+0x14fb/0x1a10 kernel/bpf/syscall.c:3118
softirqs last disabled at (19588): [<ffffffff81d0e0bd>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (19588): [<ffffffff81d0e0bd>] bpf_ksym_add+0x2d/0x340 kernel/bpf/core.c:640
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&l->lock#2);
<Interrupt>
lock(&l->lock#2);
*** DEADLOCK ***
no locks held by syz.0.17/5989.
stack backtrace:
CPU: 0 UID: 0 PID: 5989 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<#DB>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_usage_bug+0x28b/0x2e0 kernel/locking/lockdep.c:4042
lock_acquire+0x1f8/0x340 kernel/locking/lockdep.c:5859
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
bpf_lru_push_free+0x13e/0x520 kernel/bpf/bpf_lru_list.c:-1
htab_lru_push_free kernel/bpf/hashtab.c:1183 [inline]
htab_lru_map_delete_elem+0x3a3/0x410 kernel/bpf/hashtab.c:1464
bpf_prog_464bc2be3fc7c272+0x43/0x4b
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_overflow_handler kernel/events/core.c:10303 [inline]
__perf_event_overflow+0x39c/0xe70 kernel/events/core.c:10402
perf_swevent_overflow kernel/events/core.c:10536 [inline]
perf_swevent_event+0x4f8/0x5e0 kernel/events/core.c:10574
perf_bp_event+0x251/0x300 kernel/events/core.c:11395
hw_breakpoint_handler arch/x86/kernel/hw_breakpoint.c:556 [inline]
hw_breakpoint_exceptions_notify+0x244/0x680 arch/x86/kernel/hw_breakpoint.c:587
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
atomic_notifier_call_chain+0xda/0x180 kernel/notifier.c:223
notify_die+0x130/0x180 kernel/notifier.c:588
notify_debug+0x2e/0x50 arch/x86/kernel/traps.c:1208
exc_debug_kernel+0xbe/0x150 arch/x86/kernel/traps.c:1270
asm_exc_debug+0x1e/0x40 arch/x86/include/asm/idtentry.h:654
RIP: 0010:rep_movs_alternative+0x4a/0x90 arch/x86/lib/copy_user_64.S:74
Code: 48 04 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 8b 06 48 89 07 48 83 c6 08 48 83 c7 08 83 e9 08 74 db 83 f9 08 73 e8 eb c5 <f3> a4 e9 8f 48 04 00 48 8b 06 48 89 07 48 8d 47 08 48 83 e0 f8 48
RSP: 0018:ffffc90003697cf8 EFLAGS: 00050202
RAX: 00007ffffffff001 RBX: 0000000000000050 RCX: 000000000000000f
RDX: 0000000000000001 RSI: 0000200000000301 RDI: ffffc90003697da1
RBP: ffffc90003697ea8 R08: ffffc90003697daf R09: 1ffff920006d2fb5
R10: dffffc0000000000 R11: fffff520006d2fb6 R12: ffffc90003697d60
R13: 0000000000000050 R14: ffffc90003697d60 R15: 00002000000002c0
</#DB>
<TASK>
copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
raw_copy_from_user arch/x86/include/asm/uaccess_64.h:141 [inline]
_inline_copy_from_user include/linux/uaccess.h:185 [inline]
_copy_from_user+0x7a/0xb0 lib/usercopy.c:18
copy_from_user include/linux/uaccess.h:223 [inline]
copy_from_bpfptr_offset include/linux/bpfptr.h:53 [inline]
copy_from_bpfptr include/linux/bpfptr.h:59 [inline]
__sys_bpf+0x1f2/0x8a0 kernel/bpf/syscall.c:6180
__do_sys_bpf kernel/bpf/syscall.c:6320 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6318 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6318
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efcc198f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efcc2754038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007efcc1be5fa0 RCX: 00007efcc198f749
RDX: 0000000000000050 RSI: 00002000000002c0 RDI: 000000000000000a
RBP: 00007efcc1a13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efcc1be6038 R14: 00007efcc1be5fa0 R15: 00007ffd9db831a8
</TASK>
----------------
Code disassembly (best guess):
0: 48 04 00 rex.W add $0x0,%al
3: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 00 nopl (%rax)
10: 48 8b 06 mov (%rsi),%rax
13: 48 89 07 mov %rax,(%rdi)
16: 48 83 c6 08 add $0x8,%rsi
1a: 48 83 c7 08 add $0x8,%rdi
1e: 83 e9 08 sub $0x8,%ecx
21: 74 db je 0xfffffffe
23: 83 f9 08 cmp $0x8,%ecx
26: 73 e8 jae 0x10
28: eb c5 jmp 0xffffffef
* 2a: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2c: e9 8f 48 04 00 jmp 0x448c0
31: 48 8b 06 mov (%rsi),%rax
34: 48 89 07 mov %rax,(%rdi)
37: 48 8d 47 08 lea 0x8(%rdi),%rax
3b: 48 83 e0 f8 and $0xfffffffffffffff8,%rax
3f: 48 rex.W
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Dec 22, 2025, 3:11:20āÆPM12/22/25
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@fomichev.me, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
syzbot has found a reproducer for the following issue on:
HEAD commit: 22cc16c04b78 riscv, bpf: Fix incorrect usage of BPF_TRAMP_..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=106c3db4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=146c3db4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/43a53493cb5f/disk-22cc16c0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9726fb9e1980/vmlinux-22cc16c0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/efd2bc050ab6/bzImage-22cc16c0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c69a0a...@syzkaller.appspotmail.com
================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {INITIAL USE} -> {IN-NMI} usage.
syz.0.140/6455 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffffe8ffffd582d8 (&l->lock#2){....}-{2:2}, at: bpf_lru_push_free+0x13e/0x520 kernel/bpf/bpf_lru_list.c:-1
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
hardirqs last enabled at (19629): [<ffffffff8b5b313e>] syscall_enter_from_user_mode include/linux/entry-common.h:108 [inline]
hardirqs last enabled at (19629): [<ffffffff8b5b313e>] do_syscall_64+0xbe/0xf80 arch/x86/entry/syscall_64.c:90
hardirqs last disabled at (19630): [<ffffffff8b5b7058>] exc_debug_kernel+0x68/0x150 arch/x86/kernel/traps.c:1233
softirqs last enabled at (18324): [<ffffffff81858cca>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (18324): [<ffffffff81858cca>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (18324): [<ffffffff81858cca>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
softirqs last disabled at (18267): [<ffffffff81858cca>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (18267): [<ffffffff81858cca>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (18267): [<ffffffff81858cca>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&l->lock#2);
<Interrupt>
lock(&l->lock#2);
*** DEADLOCK ***
no locks held by syz.0.140/6455.
stack backtrace:
CPU: 1 UID: 0 PID: 6455 Comm: syz.0.140 Not tainted syzkaller #0 PREEMPT(full)
RSP: 0018:ffffc9000b9ffcf8 EFLAGS: 00050202
RBP: ffffc9000b9ffea8 R08: ffffc9000b9ffdaf R09: 1ffff9200173ffb5
R10: dffffc0000000000 R11: fffff5200173ffb6 R12: 1ffff9200173ffa8
R13: 0000000000000050 R14: ffffc9000b9ffd60 R15: 00002000000002c0
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
RAX: ffffffffffffffda RBX: 00007fdde0be5fa0 RCX: 00007fdde098f749
HEAD commit: 22cc16c04b78 riscv, bpf: Fix incorrect usage of BPF_TRAMP_..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=106c3db4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
dashboard link: https://syzkaller.appspot.com/bug?extid=c69a0a2c816716f1e0d5
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b4808a580000
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=146c3db4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/43a53493cb5f/disk-22cc16c0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9726fb9e1980/vmlinux-22cc16c0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/efd2bc050ab6/bzImage-22cc16c0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c69a0a...@syzkaller.appspotmail.com
================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {INITIAL USE} -> {IN-NMI} usage.
ffffe8ffffd582d8 (&l->lock#2){....}-{2:2}, at: bpf_lru_push_free+0x13e/0x520 kernel/bpf/bpf_lru_list.c:-1
{INITIAL USE} state was registered at:
lock_acquire+0x117/0x340 kernel/locking/lockdep.c:5868
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
bpf_percpu_lru_pop_free kernel/bpf/bpf_lru_list.c:407 [inline]
bpf_lru_pop_free+0xcb/0x19b0 kernel/bpf/bpf_lru_list.c:494
prealloc_lru_pop kernel/bpf/hashtab.c:299 [inline]
htab_lru_map_update_elem+0x168/0x8a0 kernel/bpf/hashtab.c:1215
bpf_map_update_value+0x751/0x920 kernel/bpf/syscall.c:294
generic_map_update_batch+0x5a9/0x810 kernel/bpf/syscall.c:2038
bpf_map_do_batch+0x39b/0x630 kernel/bpf/syscall.c:5647
__sys_bpf+0x690/0x860 kernel/bpf/syscall.c:-1
lock_acquire+0x117/0x340 kernel/locking/lockdep.c:5868
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
bpf_percpu_lru_pop_free kernel/bpf/bpf_lru_list.c:407 [inline]
bpf_lru_pop_free+0xcb/0x19b0 kernel/bpf/bpf_lru_list.c:494
prealloc_lru_pop kernel/bpf/hashtab.c:299 [inline]
htab_lru_map_update_elem+0x168/0x8a0 kernel/bpf/hashtab.c:1215
bpf_map_update_value+0x751/0x920 kernel/bpf/syscall.c:294
generic_map_update_batch+0x5a9/0x810 kernel/bpf/syscall.c:2038
bpf_map_do_batch+0x39b/0x630 kernel/bpf/syscall.c:5647
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
irq event stamp: 19630
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
hardirqs last enabled at (19629): [<ffffffff8b5b313e>] syscall_enter_from_user_mode include/linux/entry-common.h:108 [inline]
hardirqs last enabled at (19629): [<ffffffff8b5b313e>] do_syscall_64+0xbe/0xf80 arch/x86/entry/syscall_64.c:90
hardirqs last disabled at (19630): [<ffffffff8b5b7058>] exc_debug_kernel+0x68/0x150 arch/x86/kernel/traps.c:1233
softirqs last enabled at (18324): [<ffffffff81858cca>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (18324): [<ffffffff81858cca>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (18324): [<ffffffff81858cca>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
softirqs last disabled at (18267): [<ffffffff81858cca>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (18267): [<ffffffff81858cca>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (18267): [<ffffffff81858cca>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&l->lock#2);
<Interrupt>
lock(&l->lock#2);
*** DEADLOCK ***
stack backtrace:
CPU: 1 UID: 0 PID: 6455 Comm: syz.0.140 Not tainted syzkaller #0 PREEMPT(full)
RAX: 00007ffffffff001 RBX: 0000000000000050 RCX: 000000000000000f
RDX: 0000000000000001 RSI: 0000200000000301 RDI: ffffc9000b9ffda1
RBP: ffffc9000b9ffea8 R08: ffffc9000b9ffdaf R09: 1ffff9200173ffb5
R10: dffffc0000000000 R11: fffff5200173ffb6 R12: 1ffff9200173ffa8
R13: 0000000000000050 R14: ffffc9000b9ffd60 R15: 00002000000002c0
</#DB>
<TASK>
copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
raw_copy_from_user arch/x86/include/asm/uaccess_64.h:141 [inline]
_inline_copy_from_user include/linux/uaccess.h:185 [inline]
_copy_from_user+0x7a/0xb0 lib/usercopy.c:18
copy_from_user include/linux/uaccess.h:223 [inline]
copy_from_bpfptr_offset include/linux/bpfptr.h:53 [inline]
copy_from_bpfptr include/linux/bpfptr.h:59 [inline]
__sys_bpf+0x1e3/0x860 kernel/bpf/syscall.c:6137
<TASK>
copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
raw_copy_from_user arch/x86/include/asm/uaccess_64.h:141 [inline]
_inline_copy_from_user include/linux/uaccess.h:185 [inline]
_copy_from_user+0x7a/0xb0 lib/usercopy.c:18
copy_from_user include/linux/uaccess.h:223 [inline]
copy_from_bpfptr_offset include/linux/bpfptr.h:53 [inline]
copy_from_bpfptr include/linux/bpfptr.h:59 [inline]
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdde098f749
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdde190d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fdde0be5fa0 RCX: 00007fdde098f749
RDX: 0000000000000050 RSI: 00002000000002c0 RDI: 000000000000000a
RBP: 00007fdde0a13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fdde0be6038 R14: 00007fdde0be5fa0 R15: 00007ffde82e83d8
</TASK>
----------------
Code disassembly (best guess):
0: 48 04 00 rex.W add $0x0,%al
3: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 00 nopl (%rax)
10: 48 8b 06 mov (%rsi),%rax
13: 48 89 07 mov %rax,(%rdi)
16: 48 83 c6 08 add $0x8,%rsi
1a: 48 83 c7 08 add $0x8,%rdi
1e: 83 e9 08 sub $0x8,%ecx
21: 74 db je 0xfffffffe
23: 83 f9 08 cmp $0x8,%ecx
26: 73 e8 jae 0x10
28: eb c5 jmp 0xffffffef
* 2a: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2c: e9 8f 48 04 00 jmp 0x448c0
31: 48 8b 06 mov (%rsi),%rax
34: 48 89 07 mov %rax,(%rdi)
37: 48 8d 47 08 lea 0x8(%rdi),%rax
3b: 48 83 e0 f8 and $0xfffffffffffffff8,%rax
3f: 48 rex.W
---
----------------
Code disassembly (best guess):
0: 48 04 00 rex.W add $0x0,%al
3: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 00 nopl (%rax)
10: 48 8b 06 mov (%rsi),%rax
13: 48 89 07 mov %rax,(%rdi)
16: 48 83 c6 08 add $0x8,%rsi
1a: 48 83 c7 08 add $0x8,%rdi
1e: 83 e9 08 sub $0x8,%ecx
21: 74 db je 0xfffffffe
23: 83 f9 08 cmp $0x8,%ecx
26: 73 e8 jae 0x10
28: eb c5 jmp 0xffffffef
* 2a: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2c: e9 8f 48 04 00 jmp 0x448c0
31: 48 8b 06 mov (%rsi),%rax
34: 48 89 07 mov %rax,(%rdi)
37: 48 8d 47 08 lea 0x8(%rdi),%rax
3b: 48 83 e0 f8 and $0xfffffffffffffff8,%rax
3f: 48 rex.W
---
syzbot
11:52āÆAMĀ (9 hours ago)Ā 11:52āÆAM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: test: bpf lru nmi deadlock fix
Author: noorai...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master
From b1add52f63c8309c3a91bcc294139134ce1c0fa5 Mon Sep 17 00:00:00 2001
From: Noorain Eqbal <noorai...@gmail.com>
Date: Sun, 15 Mar 2026 21:02:42 +0530
Subject: [PATCH] bpf: Fix NMI deadlocks in LRU map operations
LRU maps can deadlock when accessed from NMI context (e.g., when
attached to perf events with hardware breakpoints). The issue occurs
because raw_spin_lock_irqsave() cannot prevent NMI interruption on
the same CPU.
This is the same issue that was fixed for queue and stack maps in
commit a34a9f1a19af ("bpf: Avoid deadlock when using queue and stack
maps from NMI"). The queue/stack map fix was later updated to use
resilient spinlocks which provide built in NMI deadlock detection.
Apply the same fix to LRU maps by replacing raw_spin_lock_irqsave()
with raw_res_spin_lock_irqsave() in all LRU pop/push operations:
- bpf_common_lru_pop_free()
- bpf_percpu_lru_pop_free()
- bpf_common_lru_push_free()
- bpf_percpu_lru_push_free()
The resilient spinlock will return -EDEADLK when it detects a deadlock
scenario (NMI trying to acquire a lock already held), allowing the
operation to fail safely instead of deadlocking.
Reproducer and lockdep splat:
https://syzkaller.appspot.com/bug?id=c4d6f5f7d392471722983a2e85ae391360ca7ae8
Related discussion:
https://lore.kernel.org/bpf/CAPPBnEYO4R+m+SpVc2gNj_x3...@mail.gmail.com/
Fixes: 3a08c2fd7634 ("bpf: LRU List")
Reported-by: syzbot+c69a0a...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c69a0a2c816716f1e0d5
Signed-off-by: Noorain Eqbal <noorai...@gmail.com>
---
kernel/bpf/bpf_lru_list.c | 46 +++++++++++++++++++++++----------------
kernel/bpf/bpf_lru_list.h | 5 +++--
2 files changed, 30 insertions(+), 21 deletions(-)
diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c
index e7a2fc60523f..0cd1d5c511fa 100644
--- a/kernel/bpf/bpf_lru_list.c
+++ b/kernel/bpf/bpf_lru_list.c
@@ -4,6 +4,7 @@
#include <linux/cpumask.h>
#include <linux/spinlock.h>
#include <linux/percpu.h>
+#include <asm/rqspinlock.h>
#include "bpf_lru_list.h"
@@ -307,9 +308,10 @@ static void bpf_lru_list_push_free(struct bpf_lru_list *l,
if (WARN_ON_ONCE(IS_LOCAL_LIST_TYPE(node->type)))
return;
- raw_spin_lock_irqsave(&l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&l->lock, flags))
+ return;
__bpf_lru_node_move(l, node, BPF_LRU_LIST_T_FREE);
- raw_spin_unlock_irqrestore(&l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&l->lock, flags);
}
static void bpf_lru_list_pop_free_to_local(struct bpf_lru *lru,
@@ -319,7 +321,7 @@ static void bpf_lru_list_pop_free_to_local(struct bpf_lru *lru,
struct bpf_lru_node *node, *tmp_node;
unsigned int nfree = 0;
- raw_spin_lock(&l->lock);
+ raw_res_spin_lock(&l->lock);
__local_list_flush(l, loc_l);
@@ -338,7 +340,7 @@ static void bpf_lru_list_pop_free_to_local(struct bpf_lru *lru,
local_free_list(loc_l),
BPF_LRU_LOCAL_LIST_T_FREE);
- raw_spin_unlock(&l->lock);
+ raw_res_spin_unlock(&l->lock);
}
static void __local_list_add_pending(struct bpf_lru *lru,
@@ -404,7 +406,8 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru,
l = per_cpu_ptr(lru->percpu_lru, cpu);
- raw_spin_lock_irqsave(&l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&l->lock, flags))
+ return NULL;
__bpf_lru_list_rotate(lru, l);
@@ -420,7 +423,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru,
__bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE);
}
- raw_spin_unlock_irqrestore(&l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&l->lock, flags);
return node;
}
@@ -437,7 +440,8 @@ static struct bpf_lru_node *bpf_common_lru_pop_free(struct bpf_lru *lru,
loc_l = per_cpu_ptr(clru->local_list, cpu);
- raw_spin_lock_irqsave(&loc_l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&loc_l->lock, flags))
+ return NULL;
node = __local_list_pop_free(loc_l);
if (!node) {
@@ -448,7 +452,7 @@ static struct bpf_lru_node *bpf_common_lru_pop_free(struct bpf_lru *lru,
if (node)
__local_list_add_pending(lru, loc_l, cpu, node, hash);
- raw_spin_unlock_irqrestore(&loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&loc_l->lock, flags);
if (node)
return node;
@@ -466,13 +470,14 @@ static struct bpf_lru_node *bpf_common_lru_pop_free(struct bpf_lru *lru,
do {
steal_loc_l = per_cpu_ptr(clru->local_list, steal);
- raw_spin_lock_irqsave(&steal_loc_l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&steal_loc_l->lock, flags))
+ return NULL;
node = __local_list_pop_free(steal_loc_l);
if (!node)
node = __local_list_pop_pending(lru, steal_loc_l);
- raw_spin_unlock_irqrestore(&steal_loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&steal_loc_l->lock, flags);
steal = cpumask_next_wrap(steal, cpu_possible_mask);
} while (!node && steal != first_steal);
@@ -480,9 +485,10 @@ static struct bpf_lru_node *bpf_common_lru_pop_free(struct bpf_lru *lru,
loc_l->next_steal = steal;
if (node) {
- raw_spin_lock_irqsave(&loc_l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&loc_l->lock, flags))
+ return NULL;
__local_list_add_pending(lru, loc_l, cpu, node, hash);
- raw_spin_unlock_irqrestore(&loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&loc_l->lock, flags);
}
return node;
@@ -511,10 +517,11 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru,
loc_l = per_cpu_ptr(lru->common_lru.local_list, node->cpu);
- raw_spin_lock_irqsave(&loc_l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&loc_l->lock, flags))
+ return;
if (unlikely(node->type != BPF_LRU_LOCAL_LIST_T_PENDING)) {
- raw_spin_unlock_irqrestore(&loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&loc_l->lock, flags);
goto check_lru_list;
}
@@ -522,7 +529,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru,
bpf_lru_node_clear_ref(node);
list_move(&node->list, local_free_list(loc_l));
- raw_spin_unlock_irqrestore(&loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&loc_l->lock, flags);
return;
}
@@ -538,11 +545,12 @@ static void bpf_percpu_lru_push_free(struct bpf_lru *lru,
l = per_cpu_ptr(lru->percpu_lru, node->cpu);
- raw_spin_lock_irqsave(&l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&l->lock, flags))
+ return;
__bpf_lru_node_move(l, node, BPF_LRU_LIST_T_FREE);
- raw_spin_unlock_irqrestore(&l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&l->lock, flags);
}
void bpf_lru_push_free(struct bpf_lru *lru, struct bpf_lru_node *node)
@@ -625,7 +633,7 @@ static void bpf_lru_locallist_init(struct bpf_lru_locallist *loc_l, int cpu)
loc_l->next_steal = cpu;
- raw_spin_lock_init(&loc_l->lock);
+ raw_res_spin_lock_init(&loc_l->lock);
}
static void bpf_lru_list_init(struct bpf_lru_list *l)
@@ -640,7 +648,7 @@ static void bpf_lru_list_init(struct bpf_lru_list *l)
l->next_inactive_rotation = &l->lists[BPF_LRU_LIST_T_INACTIVE];
- raw_spin_lock_init(&l->lock);
+ raw_res_spin_lock_init(&l->lock);
}
int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset,
diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h
index fe2661a58ea9..ecd93c77a7ff 100644
--- a/kernel/bpf/bpf_lru_list.h
+++ b/kernel/bpf/bpf_lru_list.h
@@ -7,6 +7,7 @@
#include <linux/cache.h>
#include <linux/list.h>
#include <linux/spinlock_types.h>
+#include <asm/rqspinlock.h>
#define NR_BPF_LRU_LIST_T (3)
#define NR_BPF_LRU_LIST_COUNT (2)
@@ -34,13 +35,13 @@ struct bpf_lru_list {
/* The next inactive list rotation starts from here */
struct list_head *next_inactive_rotation;
- raw_spinlock_t lock ____cacheline_aligned_in_smp;
+ rqspinlock_t lock ____cacheline_aligned_in_smp;
};
struct bpf_lru_locallist {
struct list_head lists[NR_BPF_LRU_LOCAL_LIST_T];
u16 next_steal;
- raw_spinlock_t lock;
+ rqspinlock_t lock;
};
struct bpf_common_lru {
--
2.53.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: test: bpf lru nmi deadlock fix
Author: noorai...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master
From b1add52f63c8309c3a91bcc294139134ce1c0fa5 Mon Sep 17 00:00:00 2001
From: Noorain Eqbal <noorai...@gmail.com>
Date: Sun, 15 Mar 2026 21:02:42 +0530
Subject: [PATCH] bpf: Fix NMI deadlocks in LRU map operations
LRU maps can deadlock when accessed from NMI context (e.g., when
attached to perf events with hardware breakpoints). The issue occurs
because raw_spin_lock_irqsave() cannot prevent NMI interruption on
the same CPU.
This is the same issue that was fixed for queue and stack maps in
commit a34a9f1a19af ("bpf: Avoid deadlock when using queue and stack
maps from NMI"). The queue/stack map fix was later updated to use
resilient spinlocks which provide built in NMI deadlock detection.
Apply the same fix to LRU maps by replacing raw_spin_lock_irqsave()
with raw_res_spin_lock_irqsave() in all LRU pop/push operations:
- bpf_common_lru_pop_free()
- bpf_percpu_lru_pop_free()
- bpf_common_lru_push_free()
- bpf_percpu_lru_push_free()
The resilient spinlock will return -EDEADLK when it detects a deadlock
scenario (NMI trying to acquire a lock already held), allowing the
operation to fail safely instead of deadlocking.
Reproducer and lockdep splat:
https://syzkaller.appspot.com/bug?id=c4d6f5f7d392471722983a2e85ae391360ca7ae8
Related discussion:
https://lore.kernel.org/bpf/CAPPBnEYO4R+m+SpVc2gNj_x3...@mail.gmail.com/
Fixes: 3a08c2fd7634 ("bpf: LRU List")
Reported-by: syzbot+c69a0a...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c69a0a2c816716f1e0d5
Signed-off-by: Noorain Eqbal <noorai...@gmail.com>
---
kernel/bpf/bpf_lru_list.c | 46 +++++++++++++++++++++++----------------
kernel/bpf/bpf_lru_list.h | 5 +++--
2 files changed, 30 insertions(+), 21 deletions(-)
diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c
index e7a2fc60523f..0cd1d5c511fa 100644
--- a/kernel/bpf/bpf_lru_list.c
+++ b/kernel/bpf/bpf_lru_list.c
@@ -4,6 +4,7 @@
#include <linux/cpumask.h>
#include <linux/spinlock.h>
#include <linux/percpu.h>
+#include <asm/rqspinlock.h>
#include "bpf_lru_list.h"
@@ -307,9 +308,10 @@ static void bpf_lru_list_push_free(struct bpf_lru_list *l,
if (WARN_ON_ONCE(IS_LOCAL_LIST_TYPE(node->type)))
return;
- raw_spin_lock_irqsave(&l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&l->lock, flags))
+ return;
__bpf_lru_node_move(l, node, BPF_LRU_LIST_T_FREE);
- raw_spin_unlock_irqrestore(&l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&l->lock, flags);
}
static void bpf_lru_list_pop_free_to_local(struct bpf_lru *lru,
@@ -319,7 +321,7 @@ static void bpf_lru_list_pop_free_to_local(struct bpf_lru *lru,
struct bpf_lru_node *node, *tmp_node;
unsigned int nfree = 0;
- raw_spin_lock(&l->lock);
+ raw_res_spin_lock(&l->lock);
__local_list_flush(l, loc_l);
@@ -338,7 +340,7 @@ static void bpf_lru_list_pop_free_to_local(struct bpf_lru *lru,
local_free_list(loc_l),
BPF_LRU_LOCAL_LIST_T_FREE);
- raw_spin_unlock(&l->lock);
+ raw_res_spin_unlock(&l->lock);
}
static void __local_list_add_pending(struct bpf_lru *lru,
@@ -404,7 +406,8 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru,
l = per_cpu_ptr(lru->percpu_lru, cpu);
- raw_spin_lock_irqsave(&l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&l->lock, flags))
+ return NULL;
__bpf_lru_list_rotate(lru, l);
@@ -420,7 +423,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru,
__bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE);
}
- raw_spin_unlock_irqrestore(&l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&l->lock, flags);
return node;
}
@@ -437,7 +440,8 @@ static struct bpf_lru_node *bpf_common_lru_pop_free(struct bpf_lru *lru,
loc_l = per_cpu_ptr(clru->local_list, cpu);
- raw_spin_lock_irqsave(&loc_l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&loc_l->lock, flags))
+ return NULL;
node = __local_list_pop_free(loc_l);
if (!node) {
@@ -448,7 +452,7 @@ static struct bpf_lru_node *bpf_common_lru_pop_free(struct bpf_lru *lru,
if (node)
__local_list_add_pending(lru, loc_l, cpu, node, hash);
- raw_spin_unlock_irqrestore(&loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&loc_l->lock, flags);
if (node)
return node;
@@ -466,13 +470,14 @@ static struct bpf_lru_node *bpf_common_lru_pop_free(struct bpf_lru *lru,
do {
steal_loc_l = per_cpu_ptr(clru->local_list, steal);
- raw_spin_lock_irqsave(&steal_loc_l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&steal_loc_l->lock, flags))
+ return NULL;
node = __local_list_pop_free(steal_loc_l);
if (!node)
node = __local_list_pop_pending(lru, steal_loc_l);
- raw_spin_unlock_irqrestore(&steal_loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&steal_loc_l->lock, flags);
steal = cpumask_next_wrap(steal, cpu_possible_mask);
} while (!node && steal != first_steal);
@@ -480,9 +485,10 @@ static struct bpf_lru_node *bpf_common_lru_pop_free(struct bpf_lru *lru,
loc_l->next_steal = steal;
if (node) {
- raw_spin_lock_irqsave(&loc_l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&loc_l->lock, flags))
+ return NULL;
__local_list_add_pending(lru, loc_l, cpu, node, hash);
- raw_spin_unlock_irqrestore(&loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&loc_l->lock, flags);
}
return node;
@@ -511,10 +517,11 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru,
loc_l = per_cpu_ptr(lru->common_lru.local_list, node->cpu);
- raw_spin_lock_irqsave(&loc_l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&loc_l->lock, flags))
+ return;
if (unlikely(node->type != BPF_LRU_LOCAL_LIST_T_PENDING)) {
- raw_spin_unlock_irqrestore(&loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&loc_l->lock, flags);
goto check_lru_list;
}
@@ -522,7 +529,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru,
bpf_lru_node_clear_ref(node);
list_move(&node->list, local_free_list(loc_l));
- raw_spin_unlock_irqrestore(&loc_l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&loc_l->lock, flags);
return;
}
@@ -538,11 +545,12 @@ static void bpf_percpu_lru_push_free(struct bpf_lru *lru,
l = per_cpu_ptr(lru->percpu_lru, node->cpu);
- raw_spin_lock_irqsave(&l->lock, flags);
+ if (raw_res_spin_lock_irqsave(&l->lock, flags))
+ return;
__bpf_lru_node_move(l, node, BPF_LRU_LIST_T_FREE);
- raw_spin_unlock_irqrestore(&l->lock, flags);
+ raw_res_spin_unlock_irqrestore(&l->lock, flags);
}
void bpf_lru_push_free(struct bpf_lru *lru, struct bpf_lru_node *node)
@@ -625,7 +633,7 @@ static void bpf_lru_locallist_init(struct bpf_lru_locallist *loc_l, int cpu)
loc_l->next_steal = cpu;
- raw_spin_lock_init(&loc_l->lock);
+ raw_res_spin_lock_init(&loc_l->lock);
}
static void bpf_lru_list_init(struct bpf_lru_list *l)
@@ -640,7 +648,7 @@ static void bpf_lru_list_init(struct bpf_lru_list *l)
l->next_inactive_rotation = &l->lists[BPF_LRU_LIST_T_INACTIVE];
- raw_spin_lock_init(&l->lock);
+ raw_res_spin_lock_init(&l->lock);
}
int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset,
diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h
index fe2661a58ea9..ecd93c77a7ff 100644
--- a/kernel/bpf/bpf_lru_list.h
+++ b/kernel/bpf/bpf_lru_list.h
@@ -7,6 +7,7 @@
#include <linux/cache.h>
#include <linux/list.h>
#include <linux/spinlock_types.h>
+#include <asm/rqspinlock.h>
#define NR_BPF_LRU_LIST_T (3)
#define NR_BPF_LRU_LIST_COUNT (2)
@@ -34,13 +35,13 @@ struct bpf_lru_list {
/* The next inactive list rotation starts from here */
struct list_head *next_inactive_rotation;
- raw_spinlock_t lock ____cacheline_aligned_in_smp;
+ rqspinlock_t lock ____cacheline_aligned_in_smp;
};
struct bpf_lru_locallist {
struct list_head lists[NR_BPF_LRU_LOCAL_LIST_T];
u16 next_steal;
- raw_spinlock_t lock;
+ rqspinlock_t lock;
};
struct bpf_common_lru {
--
2.53.0
Reply all
Reply to author
Forward
0 new messages