[syzbot] [bpf?] KASAN: slab-out-of-bounds Write in __bpf_get_stackid
17 views
Skip to first unread message
syzbot
Jul 28, 2025, 4:55:41 PMJul 28
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@fomichev.me, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hello,
syzbot found the following issue on:
HEAD commit: 5345e64760d3 bpf: Simplify bounds refinement from s32
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1052e782580000
kernel config: https://syzkaller.appspot.com/x/.config?x=934611ae034ab218
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/533f77de596b/disk-5345e647.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/771fbeaf8fb5/vmlinux-5345e647.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6bb4eec6d31b/bzImage-5345e647.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c9b724...@syzkaller.appspotmail.com
hrtimer: interrupt took 66349 ns
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
Write of size 8 at addr ffff888143fd0a58 by task syz.1.2/5975
CPU: 1 UID: 0 PID: 5975 Comm: syz.1.2 Not tainted 6.16.0-rc6-syzkaller-g5345e64760d3 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
__bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
bpf_prog_b724608cae728045+0x27/0x2f
bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
bpf_trace_run2+0x284/0x4b0 kernel/trace/bpf_trace.c:2298
__do_trace_kfree include/trace/events/kmem.h:94 [inline]
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0x3a0/0x440 mm/slub.c:4829
slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4680
rcu_do_batch kernel/rcu/tree.c:2576 [inline]
rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2832
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x9f/0x2c0 mm/kasan/generic.c:189
Code: 00 fc ff df 4d 8d 34 19 4d 89 f4 4d 29 dc 49 83 fc 10 7f 29 4d 85 e4 0f 84 41 01 00 00 4c 89 cb 48 f7 d3 4c 01 fb 41 80 3b 00 <0f> 85 de 01 00 00 49 ff c3 48 ff c3 75 ee e9 21 01 00 00 44 89 dd
RSP: 0018:ffffc900044dee68 EFLAGS: 00000246
RAX: 0000000000000001 RBX: ffffffffffffffff RCX: ffffffff8215d67f
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffea0000c7f634
RBP: 0000000000000000 R08: ffffea0000c7f637 R09: 1ffffd400018fec6
R10: dffffc0000000000 R11: fffff9400018fec6 R12: 0000000000000001
R13: 0000000000000000 R14: fffff9400018fec7 R15: 1ffffd400018fec6
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
page_ref_count include/linux/page_ref.h:67 [inline]
set_page_refcounted+0x4f/0x160 mm/internal.h:491
__alloc_pages_noprof mm/page_alloc.c:4995 [inline]
alloc_pages_bulk_noprof+0x570/0x710 mm/page_alloc.c:4913
___alloc_pages_bulk mm/kasan/shadow.c:344 [inline]
__kasan_populate_vmalloc mm/kasan/shadow.c:368 [inline]
kasan_populate_vmalloc+0xba/0x1a0 mm/kasan/shadow.c:417
alloc_vmap_area+0xd51/0x1490 mm/vmalloc.c:2092
__get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3187
__vmalloc_node_range_noprof+0x301/0x12f0 mm/vmalloc.c:3853
__vmalloc_node_noprof mm/vmalloc.c:3956 [inline]
vmalloc_noprof+0xb2/0xf0 mm/vmalloc.c:3989
bpf_prog_calc_tag+0xb9/0x620 kernel/bpf/core.c:307
resolve_pseudo_ldimm64+0xbc/0xc50 kernel/bpf/verifier.c:20479
bpf_check+0x1c58/0x1d2e0 kernel/bpf/verifier.c:24614
bpf_prog_load+0x1318/0x1930 kernel/bpf/syscall.c:2972
__sys_bpf+0x528/0x870 kernel/bpf/syscall.c:6022
__do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1cabb8e9a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1cac9f6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f1cabdb5fa0 RCX: 00007f1cabb8e9a9
RDX: 0000000000000094 RSI: 0000200000000640 RDI: 0000000000000005
RBP: 00007f1cabc10d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1cabdb5fa0 R15: 00007ffee0b40348
</TASK>
Allocated by task 5979:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4328 [inline]
__kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4334
kmalloc_node_noprof include/linux/slab.h:932 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:391 [inline]
bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:404
prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:114
map_create+0xaa0/0x1310 kernel/bpf/syscall.c:1477
__sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6004
__do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888143fd0800
which belongs to the cache kmalloc-cg-1k of size 1024
The buggy address is located 24 bytes to the right of
allocated 576-byte region [ffff888143fd0800, ffff888143fd0a40)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143fd0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88814cb20d01
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801a44b280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 ffff88814cb20d01
head: 057ff00000000040 ffff88801a44b280 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 ffff88814cb20d01
head: 057ff00000000003 ffffea00050ff401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5854, tgid 5854 (syz-executor), ts 88680071975, free_ts 62656261060
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_slab_page mm/slub.c:2453 [inline]
allocate_slab+0x65/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
__kmalloc_cache_node_noprof+0x29a/0x3d0 mm/slub.c:4367
kmalloc_node_noprof include/linux/slab.h:928 [inline]
alloc_mem_cgroup_per_node_info mm/memcontrol.c:3665 [inline]
mem_cgroup_alloc mm/memcontrol.c:3747 [inline]
mem_cgroup_css_alloc+0x4b2/0x1f20 mm/memcontrol.c:3789
css_create kernel/cgroup/cgroup.c:5669 [inline]
cgroup_apply_control_enable+0x3d1/0xa80 kernel/cgroup/cgroup.c:3289
cgroup_mkdir+0xc40/0xe60 kernel/cgroup/cgroup.c:5893
kernfs_iop_mkdir+0x211/0x350 fs/kernfs/dir.c:1268
vfs_mkdir+0x306/0x510 fs/namei.c:4375
do_mkdirat+0x247/0x590 fs/namei.c:4408
__do_sys_mkdirat fs/namei.c:4425 [inline]
__se_sys_mkdirat fs/namei.c:4423 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4423
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5696 tgid 5696 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
discard_slab mm/slub.c:2717 [inline]
__put_partials+0x161/0x1c0 mm/slub.c:3186
put_cpu_partial+0x17c/0x250 mm/slub.c:3261
__slab_free+0x2f7/0x400 mm/slub.c:4513
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
ptlock_alloc+0x20/0x70 mm/memory.c:7174
ptlock_init include/linux/mm.h:2939 [inline]
pagetable_pte_ctor include/linux/mm.h:2988 [inline]
__pte_alloc_one_noprof include/asm-generic/pgalloc.h:78 [inline]
pte_alloc_one+0x7d/0x170 arch/x86/mm/pgtable.c:18
do_fault_around mm/memory.c:5542 [inline]
do_read_fault mm/memory.c:5581 [inline]
do_fault mm/memory.c:5724 [inline]
do_pte_missing mm/memory.c:4251 [inline]
handle_pte_fault mm/memory.c:6069 [inline]
__handle_mm_fault+0x294d/0x5620 mm/memory.c:6212
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6381
do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
Memory state around the buggy address:
ffff888143fd0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888143fd0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888143fd0a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff888143fd0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888143fd0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess), 3 bytes skipped:
0: df 4d 8d fisttps -0x73(%rbp)
3: 34 19 xor $0x19,%al
5: 4d 89 f4 mov %r14,%r12
8: 4d 29 dc sub %r11,%r12
b: 49 83 fc 10 cmp $0x10,%r12
f: 7f 29 jg 0x3a
11: 4d 85 e4 test %r12,%r12
14: 0f 84 41 01 00 00 je 0x15b
1a: 4c 89 cb mov %r9,%rbx
1d: 48 f7 d3 not %rbx
20: 4c 01 fb add %r15,%rbx
23: 41 80 3b 00 cmpb $0x0,(%r11)
* 27: 0f 85 de 01 00 00 jne 0x20b <-- trapping instruction
2d: 49 ff c3 inc %r11
30: 48 ff c3 inc %rbx
33: 75 ee jne 0x23
35: e9 21 01 00 00 jmp 0x15b
3a: 44 89 dd mov %r11d,%ebp
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 5345e64760d3 bpf: Simplify bounds refinement from s32
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1052e782580000
kernel config: https://syzkaller.appspot.com/x/.config?x=934611ae034ab218
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/533f77de596b/disk-5345e647.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/771fbeaf8fb5/vmlinux-5345e647.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6bb4eec6d31b/bzImage-5345e647.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c9b724...@syzkaller.appspotmail.com
hrtimer: interrupt took 66349 ns
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
Write of size 8 at addr ffff888143fd0a58 by task syz.1.2/5975
CPU: 1 UID: 0 PID: 5975 Comm: syz.1.2 Not tainted 6.16.0-rc6-syzkaller-g5345e64760d3 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
__bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
bpf_prog_b724608cae728045+0x27/0x2f
bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
bpf_trace_run2+0x284/0x4b0 kernel/trace/bpf_trace.c:2298
__do_trace_kfree include/trace/events/kmem.h:94 [inline]
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0x3a0/0x440 mm/slub.c:4829
slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4680
rcu_do_batch kernel/rcu/tree.c:2576 [inline]
rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2832
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x9f/0x2c0 mm/kasan/generic.c:189
Code: 00 fc ff df 4d 8d 34 19 4d 89 f4 4d 29 dc 49 83 fc 10 7f 29 4d 85 e4 0f 84 41 01 00 00 4c 89 cb 48 f7 d3 4c 01 fb 41 80 3b 00 <0f> 85 de 01 00 00 49 ff c3 48 ff c3 75 ee e9 21 01 00 00 44 89 dd
RSP: 0018:ffffc900044dee68 EFLAGS: 00000246
RAX: 0000000000000001 RBX: ffffffffffffffff RCX: ffffffff8215d67f
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffea0000c7f634
RBP: 0000000000000000 R08: ffffea0000c7f637 R09: 1ffffd400018fec6
R10: dffffc0000000000 R11: fffff9400018fec6 R12: 0000000000000001
R13: 0000000000000000 R14: fffff9400018fec7 R15: 1ffffd400018fec6
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
page_ref_count include/linux/page_ref.h:67 [inline]
set_page_refcounted+0x4f/0x160 mm/internal.h:491
__alloc_pages_noprof mm/page_alloc.c:4995 [inline]
alloc_pages_bulk_noprof+0x570/0x710 mm/page_alloc.c:4913
___alloc_pages_bulk mm/kasan/shadow.c:344 [inline]
__kasan_populate_vmalloc mm/kasan/shadow.c:368 [inline]
kasan_populate_vmalloc+0xba/0x1a0 mm/kasan/shadow.c:417
alloc_vmap_area+0xd51/0x1490 mm/vmalloc.c:2092
__get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3187
__vmalloc_node_range_noprof+0x301/0x12f0 mm/vmalloc.c:3853
__vmalloc_node_noprof mm/vmalloc.c:3956 [inline]
vmalloc_noprof+0xb2/0xf0 mm/vmalloc.c:3989
bpf_prog_calc_tag+0xb9/0x620 kernel/bpf/core.c:307
resolve_pseudo_ldimm64+0xbc/0xc50 kernel/bpf/verifier.c:20479
bpf_check+0x1c58/0x1d2e0 kernel/bpf/verifier.c:24614
bpf_prog_load+0x1318/0x1930 kernel/bpf/syscall.c:2972
__sys_bpf+0x528/0x870 kernel/bpf/syscall.c:6022
__do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1cabb8e9a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1cac9f6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f1cabdb5fa0 RCX: 00007f1cabb8e9a9
RDX: 0000000000000094 RSI: 0000200000000640 RDI: 0000000000000005
RBP: 00007f1cabc10d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1cabdb5fa0 R15: 00007ffee0b40348
</TASK>
Allocated by task 5979:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4328 [inline]
__kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4334
kmalloc_node_noprof include/linux/slab.h:932 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:391 [inline]
bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:404
prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:114
map_create+0xaa0/0x1310 kernel/bpf/syscall.c:1477
__sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6004
__do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888143fd0800
which belongs to the cache kmalloc-cg-1k of size 1024
The buggy address is located 24 bytes to the right of
allocated 576-byte region [ffff888143fd0800, ffff888143fd0a40)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143fd0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88814cb20d01
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801a44b280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 ffff88814cb20d01
head: 057ff00000000040 ffff88801a44b280 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 ffff88814cb20d01
head: 057ff00000000003 ffffea00050ff401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5854, tgid 5854 (syz-executor), ts 88680071975, free_ts 62656261060
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_slab_page mm/slub.c:2453 [inline]
allocate_slab+0x65/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
__kmalloc_cache_node_noprof+0x29a/0x3d0 mm/slub.c:4367
kmalloc_node_noprof include/linux/slab.h:928 [inline]
alloc_mem_cgroup_per_node_info mm/memcontrol.c:3665 [inline]
mem_cgroup_alloc mm/memcontrol.c:3747 [inline]
mem_cgroup_css_alloc+0x4b2/0x1f20 mm/memcontrol.c:3789
css_create kernel/cgroup/cgroup.c:5669 [inline]
cgroup_apply_control_enable+0x3d1/0xa80 kernel/cgroup/cgroup.c:3289
cgroup_mkdir+0xc40/0xe60 kernel/cgroup/cgroup.c:5893
kernfs_iop_mkdir+0x211/0x350 fs/kernfs/dir.c:1268
vfs_mkdir+0x306/0x510 fs/namei.c:4375
do_mkdirat+0x247/0x590 fs/namei.c:4408
__do_sys_mkdirat fs/namei.c:4425 [inline]
__se_sys_mkdirat fs/namei.c:4423 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4423
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5696 tgid 5696 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
discard_slab mm/slub.c:2717 [inline]
__put_partials+0x161/0x1c0 mm/slub.c:3186
put_cpu_partial+0x17c/0x250 mm/slub.c:3261
__slab_free+0x2f7/0x400 mm/slub.c:4513
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
ptlock_alloc+0x20/0x70 mm/memory.c:7174
ptlock_init include/linux/mm.h:2939 [inline]
pagetable_pte_ctor include/linux/mm.h:2988 [inline]
__pte_alloc_one_noprof include/asm-generic/pgalloc.h:78 [inline]
pte_alloc_one+0x7d/0x170 arch/x86/mm/pgtable.c:18
do_fault_around mm/memory.c:5542 [inline]
do_read_fault mm/memory.c:5581 [inline]
do_fault mm/memory.c:5724 [inline]
do_pte_missing mm/memory.c:4251 [inline]
handle_pte_fault mm/memory.c:6069 [inline]
__handle_mm_fault+0x294d/0x5620 mm/memory.c:6212
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6381
do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
Memory state around the buggy address:
ffff888143fd0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888143fd0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888143fd0a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff888143fd0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888143fd0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess), 3 bytes skipped:
0: df 4d 8d fisttps -0x73(%rbp)
3: 34 19 xor $0x19,%al
5: 4d 89 f4 mov %r14,%r12
8: 4d 29 dc sub %r11,%r12
b: 49 83 fc 10 cmp $0x10,%r12
f: 7f 29 jg 0x3a
11: 4d 85 e4 test %r12,%r12
14: 0f 84 41 01 00 00 je 0x15b
1a: 4c 89 cb mov %r9,%rbx
1d: 48 f7 d3 not %rbx
20: 4c 01 fb add %r15,%rbx
23: 41 80 3b 00 cmpb $0x0,(%r11)
* 27: 0f 85 de 01 00 00 jne 0x20b <-- trapping instruction
2d: 49 ff c3 inc %r11
30: 48 ff c3 inc %rbx
33: 75 ee jne 0x23
35: e9 21 01 00 00 jmp 0x15b
3a: 44 89 dd mov %r11d,%ebp
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jul 28, 2025, 7:37:39 PMJul 28
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@fomichev.me, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
syzbot has found a reproducer for the following issue on:
HEAD commit: 5b4c54ac49af bpf: Fix various typos in verifier.c comments
git tree: bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17441782580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14349034580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5a5cfac28d08/disk-5b4c54ac.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bb5b9f9f1b33/vmlinux-5b4c54ac.xz
kernel image: https://storage.googleapis.com/syzbot-assets/14b928da2760/bzImage-5b4c54ac.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c9b724...@syzkaller.appspotmail.com
CPU: 1 UID: 0 PID: 6114 Comm: syz-executor265 Not tainted 6.16.0-rc6-syzkaller-g5b4c54ac49af #0 PREEMPT(full)
RIP: 0010:xas_load+0xd9/0x5b0 lib/xarray.c:244
Code: 42 0f b6 04 28 84 c0 0f 85 3a 04 00 00 49 8d 5e fe 48 8b 44 24 08 0f b6 28 48 89 d8 48 c1 e8 03 48 89 44 24 20 42 0f b6 04 28 <84> c0 0f 85 34 04 00 00 44 0f b6 23 44 0f b6 fd 44 89 ff 44 89 e6
RSP: 0000:ffffc9000459f898 EFLAGS: 00000a02
RAX: 0000000000000000 RBX: ffff888025438840 RCX: ffff88807c050000
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000002
RBP: 0000000000000000 R08: ffff88807c050000 R09: 0000000000000002
R10: 0000000000000003 R11: 0000000000000000 R12: ffffc9000459fb32
R13: dffffc0000000000 R14: ffff888025438842 R15: 0000000000000002
xas_find+0x157/0x990 lib/xarray.c:1406
next_uptodate_folio+0x32/0x5d0 mm/filemap.c:3562
filemap_map_pages+0x21f/0x1740 mm/filemap.c:3714
do_fault_around mm/memory.c:5548 [inline]
Code: Unable to access opcode bytes at 0x7f3d52e2940e.
RSP: 002b:00007fff46c399c8 EFLAGS: 00010206
RAX: 00007f3d52e59ad8 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 00007f3d52e5ad00 RSI: 0000000000000000 RDI: 00007f3d52e59ad8
RBP: 00007f3d52e58118 R08: 00007fff46c39a3c R09: 00007fff46c39a3c
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3d52e5ace8
R13: 0000000000000000 R14: 00007f3d52e5ad00 R15: 00007f3d52db0290
</TASK>
Allocated by task 6114:
which belongs to the cache kmalloc-1k of size 1024
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x439a8
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a441dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801a441dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea00010e6a01 00000000ffffffff 00000000ffffffff
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2619
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]
load_elf_phdrs fs/binfmt_elf.c:525 [inline]
load_elf_binary+0x2cd/0x2790 fs/binfmt_elf.c:854
search_binary_handler fs/exec.c:1670 [inline]
exec_binprm fs/exec.c:1702 [inline]
bprm_execve+0x999/0x1450 fs/exec.c:1754
do_execveat_common+0x510/0x6a0 fs/exec.c:1860
do_execve fs/exec.c:1934 [inline]
__do_sys_execve fs/exec.c:2010 [inline]
__se_sys_execve fs/exec.c:2005 [inline]
__x64_sys_execve+0x94/0xb0 fs/exec.c:2005
__kmalloc_noprof+0x224/0x4f0 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]
tomoyo_add_entry security/tomoyo/common.c:2132 [inline]
tomoyo_supervisor+0xbd5/0x1480 security/tomoyo/common.c:2204
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15cf/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:1302
search_binary_handler fs/exec.c:1660 [inline]
exec_binprm fs/exec.c:1702 [inline]
bprm_execve+0x8ee/0x1450 fs/exec.c:1754
do_execveat_common+0x510/0x6a0 fs/exec.c:1860
do_execve fs/exec.c:1934 [inline]
__do_sys_execve fs/exec.c:2010 [inline]
__se_sys_execve fs/exec.c:2005 [inline]
__x64_sys_execve+0x94/0xb0 fs/exec.c:2005
Memory state around the buggy address:
ffff8880439aa100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880439aa180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880439aa200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880439aa280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880439aa300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax
5: 84 c0 test %al,%al
7: 0f 85 3a 04 00 00 jne 0x447
d: 49 8d 5e fe lea -0x2(%r14),%rbx
11: 48 8b 44 24 08 mov 0x8(%rsp),%rax
16: 0f b6 28 movzbl (%rax),%ebp
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 89 44 24 20 mov %rax,0x20(%rsp)
25: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax
* 2a: 84 c0 test %al,%al <-- trapping instruction
2c: 0f 85 34 04 00 00 jne 0x466
32: 44 0f b6 23 movzbl (%rbx),%r12d
36: 44 0f b6 fd movzbl %bpl,%r15d
3a: 44 89 ff mov %r15d,%edi
3d: 44 89 e6 mov %r12d,%esi
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 5b4c54ac49af bpf: Fix various typos in verifier.c comments
git tree: bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17441782580000
kernel config: https://syzkaller.appspot.com/x/.config?x=934611ae034ab218
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16f294a2580000
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14349034580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5a5cfac28d08/disk-5b4c54ac.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bb5b9f9f1b33/vmlinux-5b4c54ac.xz
kernel image: https://storage.googleapis.com/syzbot-assets/14b928da2760/bzImage-5b4c54ac.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c9b724...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
Write of size 8 at addr ffff8880439aa258 by task syz-executor265/6114
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
CPU: 1 UID: 0 PID: 6114 Comm: syz-executor265 Not tainted 6.16.0-rc6-syzkaller-g5b4c54ac49af #0 PREEMPT(full)
Code: 42 0f b6 04 28 84 c0 0f 85 3a 04 00 00 49 8d 5e fe 48 8b 44 24 08 0f b6 28 48 89 d8 48 c1 e8 03 48 89 44 24 20 42 0f b6 04 28 <84> c0 0f 85 34 04 00 00 44 0f b6 23 44 0f b6 fd 44 89 ff 44 89 e6
RSP: 0000:ffffc9000459f898 EFLAGS: 00000a02
RAX: 0000000000000000 RBX: ffff888025438840 RCX: ffff88807c050000
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000002
RBP: 0000000000000000 R08: ffff88807c050000 R09: 0000000000000002
R10: 0000000000000003 R11: 0000000000000000 R12: ffffc9000459fb32
R13: dffffc0000000000 R14: ffff888025438842 R15: 0000000000000002
xas_find+0x157/0x990 lib/xarray.c:1406
next_uptodate_folio+0x32/0x5d0 mm/filemap.c:3562
filemap_map_pages+0x21f/0x1740 mm/filemap.c:3714
do_fault_around mm/memory.c:5548 [inline]
do_read_fault mm/memory.c:5581 [inline]
do_fault mm/memory.c:5724 [inline]
do_pte_missing mm/memory.c:4251 [inline]
handle_pte_fault mm/memory.c:6069 [inline]
__handle_mm_fault+0x3687/0x5620 mm/memory.c:6212
do_fault mm/memory.c:5724 [inline]
do_pte_missing mm/memory.c:4251 [inline]
handle_pte_fault mm/memory.c:6069 [inline]
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6381
do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f3d52e29438
do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
Code: Unable to access opcode bytes at 0x7f3d52e2940e.
RSP: 002b:00007fff46c399c8 EFLAGS: 00010206
RAX: 00007f3d52e59ad8 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 00007f3d52e5ad00 RSI: 0000000000000000 RDI: 00007f3d52e59ad8
RBP: 00007f3d52e58118 R08: 00007fff46c39a3c R09: 00007fff46c39a3c
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3d52e5ace8
R13: 0000000000000000 R14: 00007f3d52e5ad00 R15: 00007f3d52db0290
</TASK>
Allocated by task 6114:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4328 [inline]
__kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4334
kmalloc_node_noprof include/linux/slab.h:932 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:391 [inline]
bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:404
prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:114
map_create+0xaa0/0x1310 kernel/bpf/syscall.c:1477
__sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6004
__do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8880439aa000
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4328 [inline]
__kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4334
kmalloc_node_noprof include/linux/slab.h:932 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:391 [inline]
bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:404
prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:114
map_create+0xaa0/0x1310 kernel/bpf/syscall.c:1477
__sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6004
__do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes to the right of
allocated 576-byte region [ffff8880439aa000, ffff8880439aa240)
The buggy address belongs to the physical page:
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a441dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801a441dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea00010e6a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5514, tgid 5514 (dhcpcd), ts 48384102667, free_ts 48383277611
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]
load_elf_phdrs fs/binfmt_elf.c:525 [inline]
load_elf_binary+0x2cd/0x2790 fs/binfmt_elf.c:854
search_binary_handler fs/exec.c:1670 [inline]
exec_binprm fs/exec.c:1702 [inline]
bprm_execve+0x999/0x1450 fs/exec.c:1754
do_execveat_common+0x510/0x6a0 fs/exec.c:1860
do_execve fs/exec.c:1934 [inline]
__do_sys_execve fs/exec.c:2010 [inline]
__se_sys_execve fs/exec.c:2005 [inline]
__x64_sys_execve+0x94/0xb0 fs/exec.c:2005
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5514 tgid 5514 stack trace:
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
discard_slab mm/slub.c:2717 [inline]
__put_partials+0x161/0x1c0 mm/slub.c:3186
put_cpu_partial+0x17c/0x250 mm/slub.c:3261
__slab_free+0x2f7/0x400 mm/slub.c:4513
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
discard_slab mm/slub.c:2717 [inline]
__put_partials+0x161/0x1c0 mm/slub.c:3186
put_cpu_partial+0x17c/0x250 mm/slub.c:3261
__slab_free+0x2f7/0x400 mm/slub.c:4513
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
__kmalloc_noprof+0x224/0x4f0 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]
tomoyo_add_entry security/tomoyo/common.c:2132 [inline]
tomoyo_supervisor+0xbd5/0x1480 security/tomoyo/common.c:2204
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15cf/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:1302
search_binary_handler fs/exec.c:1660 [inline]
exec_binprm fs/exec.c:1702 [inline]
bprm_execve+0x8ee/0x1450 fs/exec.c:1754
do_execveat_common+0x510/0x6a0 fs/exec.c:1860
do_execve fs/exec.c:1934 [inline]
__do_sys_execve fs/exec.c:2010 [inline]
__se_sys_execve fs/exec.c:2005 [inline]
__x64_sys_execve+0x94/0xb0 fs/exec.c:2005
Memory state around the buggy address:
ffff8880439aa180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880439aa200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880439aa280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880439aa300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax
5: 84 c0 test %al,%al
7: 0f 85 3a 04 00 00 jne 0x447
d: 49 8d 5e fe lea -0x2(%r14),%rbx
11: 48 8b 44 24 08 mov 0x8(%rsp),%rax
16: 0f b6 28 movzbl (%rax),%ebp
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 89 44 24 20 mov %rax,0x20(%rsp)
25: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax
* 2a: 84 c0 test %al,%al <-- trapping instruction
2c: 0f 85 34 04 00 00 jne 0x466
32: 44 0f b6 23 movzbl (%rbx),%r12d
36: 44 0f b6 fd movzbl %bpl,%r15d
3a: 44 89 ff mov %r15d,%edi
3d: 44 89 e6 mov %r12d,%esi
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Arnaud Lecomte
Jul 29, 2025, 3:22:45 AMJul 29
to syzbot+c9b724...@syzkaller.appspotmail.com, b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
#syz test
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -230,7 +230,7 @@ static long __bpf_get_stackid(struct bpf_map *map,
struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
- u32 hash, id, trace_nr, trace_len, i;
+ u32 hash, id, trace_nr, trace_len, i, max_depth;
bool user = flags & BPF_F_USER_STACK;
u64 *ips;
bool hash_matches;
@@ -241,6 +241,19 @@ static long __bpf_get_stackid(struct bpf_map *map,
trace_nr = trace->nr - skip;
trace_len = trace_nr * sizeof(u64);
+
+ /* Clamp the trace to max allowed depth */
+ if (stack_map_use_build_id(map))
+ max_depth = smap->map.value_size / sizeof(struct bpf_stack_build_id);
+ else
+ max_depth = smap->map.value_size / sizeof(u64);
+
+ if (trace_nr > max_depth)
+ trace_nr = max_depth;
+
+ ips = trace->ip + skip;
+
+
ips = trace->ip + skip;
hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
id = hash & (smap->n_buckets - 1);
--
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -230,7 +230,7 @@ static long __bpf_get_stackid(struct bpf_map *map,
struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
- u32 hash, id, trace_nr, trace_len, i;
+ u32 hash, id, trace_nr, trace_len, i, max_depth;
bool user = flags & BPF_F_USER_STACK;
u64 *ips;
bool hash_matches;
@@ -241,6 +241,19 @@ static long __bpf_get_stackid(struct bpf_map *map,
trace_nr = trace->nr - skip;
trace_len = trace_nr * sizeof(u64);
+
+ /* Clamp the trace to max allowed depth */
+ if (stack_map_use_build_id(map))
+ max_depth = smap->map.value_size / sizeof(struct bpf_stack_build_id);
+ else
+ max_depth = smap->map.value_size / sizeof(u64);
+
+ if (trace_nr > max_depth)
+ trace_nr = max_depth;
+
+ ips = trace->ip + skip;
+
+
ips = trace->ip + skip;
hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
id = hash & (smap->n_buckets - 1);
--
syzbot
Jul 29, 2025, 4:56:04 AMJul 29
to b...@vger.kernel.org, con...@arnaud-lcm.com, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+c9b724...@syzkaller.appspotmail.com
Tested-by: syzbot+c9b724...@syzkaller.appspotmail.com
Tested on:
commit: cd7c97f4 Merge branch 'bpf-show-precise-rejected-funct..
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15fe44a2580000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+c9b724...@syzkaller.appspotmail.com
Tested-by: syzbot+c9b724...@syzkaller.appspotmail.com
Tested on:
commit: cd7c97f4 Merge branch 'bpf-show-precise-rejected-funct..
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15fe44a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=934611ae034ab218
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=11bbb4a2580000
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
Note: testing is done by a robot and is best-effort only.
Arnaud Lecomte
Sep 4, 2025, 6:17:11 AMSep 4
to syzbot+c9b724...@syzkaller.appspotmail.com, b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
#syz test
diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..29e05c9ff1bd 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map)
sizeof(struct bpf_stack_build_id) : sizeof(u64);
}
+/**
+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth
+ * @size: Size of the buffer/map value in bytes
+ * @elem_size: Size of each stack trace element
+ * @flags: BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...)
+ *
+ * Return: Maximum number of stack trace entries that can be safely stored
+ */
+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags)
+{
+ u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+ u32 max_depth;
+ u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack);
+
+ max_depth = size / elem_size;
+ max_depth += skip;
+ if (max_depth > curr_sysctl_max_stack)
+ return curr_sysctl_max_stack;
+
+ return max_depth;
+}
+
static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
{
u64 elem_size = sizeof(struct stack_map_bucket) +
@@ -300,20 +322,17 @@ static long __bpf_get_stackid(struct bpf_map *map,
BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
u64, flags)
{
- u32 max_depth = map->value_size / stack_map_data_size(map);
- u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+ u32 elem_size = stack_map_data_size(map);
bool kernel = !user;
+ u32 max_depth;
if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
return -EINVAL;
- max_depth += skip;
- if (max_depth > sysctl_perf_event_max_stack)
- max_depth = sysctl_perf_event_max_stack;
-
+ max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
false, false);
@@ -350,6 +369,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
{
struct perf_event *event = ctx->event;
struct perf_callchain_entry *trace;
+ u32 elem_size, max_depth;
bool kernel, user;
__u64 nr_kernel;
int ret;
@@ -371,11 +391,15 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
return -EFAULT;
nr_kernel = count_kernel_ip(trace);
+ elem_size = stack_map_data_size(map);
if (kernel) {
__u64 nr = trace->nr;
trace->nr = nr_kernel;
+ max_depth =
+ stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, nr_kernel, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
/* restore nr */
@@ -388,6 +412,9 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
return -EFAULT;
flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
+ max_depth =
+ stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, trace->nr, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
}
return ret;
@@ -406,8 +433,8 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
struct perf_callchain_entry *trace_in,
void *buf, u32 size, u64 flags, bool may_fault)
{
- u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
bool user_build_id = flags & BPF_F_USER_BUILD_ID;
+ u32 trace_nr, copy_len, elem_size, max_depth;
bool crosstask = task && task != current;
goto clear;
}
- num_elem = size / elem_size;
- max_depth = num_elem + skip;
- if (sysctl_perf_event_max_stack < max_depth)
- max_depth = sysctl_perf_event_max_stack;
+ max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
if (may_fault)
rcu_read_lock(); /* need RCU for perf's callchain below */
- if (trace_in)
+ if (trace_in) {
trace = trace_in;
- else if (kernel && task)
+ trace->nr = min_t(u32, trace->nr, max_depth);
+ } else if (kernel && task) {
trace = get_callchain_entry_for_task(task, max_depth);
- else
+ } else {
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
crosstask, false);
+ }
if (unlikely(!trace) || trace->nr < skip) {
if (may_fault)
@@ -461,7 +487,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
copy_len = trace_nr * elem_size;
ips = trace->ip + skip;
--
2.47.3
diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..29e05c9ff1bd 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map)
sizeof(struct bpf_stack_build_id) : sizeof(u64);
}
+/**
+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth
+ * @size: Size of the buffer/map value in bytes
+ * @elem_size: Size of each stack trace element
+ * @flags: BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...)
+ *
+ * Return: Maximum number of stack trace entries that can be safely stored
+ */
+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags)
+{
+ u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+ u32 max_depth;
+ u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack);
+
+ max_depth = size / elem_size;
+ max_depth += skip;
+ if (max_depth > curr_sysctl_max_stack)
+ return curr_sysctl_max_stack;
+
+ return max_depth;
+}
+
static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
{
u64 elem_size = sizeof(struct stack_map_bucket) +
@@ -300,20 +322,17 @@ static long __bpf_get_stackid(struct bpf_map *map,
BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
u64, flags)
{
- u32 max_depth = map->value_size / stack_map_data_size(map);
- u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+ u32 elem_size = stack_map_data_size(map);
bool user = flags & BPF_F_USER_STACK;
struct perf_callchain_entry *trace;
bool kernel = !user;
+ u32 max_depth;
if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
return -EINVAL;
- max_depth += skip;
- if (max_depth > sysctl_perf_event_max_stack)
- max_depth = sysctl_perf_event_max_stack;
-
+ max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
false, false);
@@ -350,6 +369,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
{
struct perf_event *event = ctx->event;
struct perf_callchain_entry *trace;
+ u32 elem_size, max_depth;
bool kernel, user;
__u64 nr_kernel;
int ret;
@@ -371,11 +391,15 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
return -EFAULT;
nr_kernel = count_kernel_ip(trace);
+ elem_size = stack_map_data_size(map);
if (kernel) {
__u64 nr = trace->nr;
trace->nr = nr_kernel;
+ max_depth =
+ stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, nr_kernel, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
/* restore nr */
@@ -388,6 +412,9 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
return -EFAULT;
flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
+ max_depth =
+ stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, trace->nr, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
}
return ret;
@@ -406,8 +433,8 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
struct perf_callchain_entry *trace_in,
void *buf, u32 size, u64 flags, bool may_fault)
{
- u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
bool user_build_id = flags & BPF_F_USER_BUILD_ID;
+ u32 trace_nr, copy_len, elem_size, max_depth;
bool crosstask = task && task != current;
u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
bool user = flags & BPF_F_USER_STACK;
@@ -438,21 +465,20 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
goto clear;
}
- num_elem = size / elem_size;
- max_depth = num_elem + skip;
- if (sysctl_perf_event_max_stack < max_depth)
- max_depth = sysctl_perf_event_max_stack;
+ max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
if (may_fault)
rcu_read_lock(); /* need RCU for perf's callchain below */
- if (trace_in)
+ if (trace_in) {
trace = trace_in;
- else if (kernel && task)
+ trace->nr = min_t(u32, trace->nr, max_depth);
+ } else if (kernel && task) {
trace = get_callchain_entry_for_task(task, max_depth);
- else
+ } else {
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
crosstask, false);
+ }
if (unlikely(!trace) || trace->nr < skip) {
if (may_fault)
@@ -461,7 +487,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
}
trace_nr = trace->nr - skip;
- trace_nr = (trace_nr <= num_elem) ? trace_nr : num_elem;
trace_nr = trace->nr - skip;
copy_len = trace_nr * elem_size;
ips = trace->ip + skip;
2.47.3
syzbot
Sep 4, 2025, 7:54:05 AMSep 4
to b...@vger.kernel.org, con...@arnaud-lcm.com, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in __bpf_get_stackid
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:287
Write of size 8 at addr ffff88807a2d9258 by task syz.1.290/7428
CPU: 1 UID: 0 PID: 7428 Comm: syz.1.290 Not tainted syzkaller #0 PREEMPT(full)
kasan_report+0x118/0x150 mm/kasan/report.c:595
__bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:287
__traceiter_kfree+0x2e/0x50 include/trace/events/kmem.h:94
slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4717
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
RIP: 0010:rcu_is_watching+0x3a/0xb0 kernel/rcu/tree.c:751
Code: e8 eb f2 d2 09 89 c3 83 f8 08 73 65 49 bf 00 00 00 00 00 fc ff df 4c 8d 34 dd 10 ed bd 8d 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 <74> 08 4c 89 f7 e8 dc b8 7c 00 48 c7 c3 98 6f a1 92 49 03 1e 48 89
RSP: 0018:ffffc9000b4d7ad8 EFLAGS: 00000246
RAX: 1ffffffff1b7bda3 RBX: 0000000000000001 RCX: 0f1baf102ea8c100
RDX: 0000000000000000 RSI: ffffffff8be33260 RDI: ffffffff8be33220
RBP: ffffffff81b2dcc0 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc9000b4d7c40 R11: fffff5200169af8b R12: 0000000000000002
R13: ffffffff8e139ea0 R14: ffffffff8dbded18 R15: dffffc0000000000
trace_lock_acquire include/trace/events/lock.h:24 [inline]
lock_acquire+0x5f/0x360 kernel/locking/lockdep.c:5831
rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:841 [inline]
class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
futex_hash+0x5d/0x2d0 kernel/futex/core.c:308
class_hb_constructor kernel/futex/futex.h:240 [inline]
futex_wake+0x161/0x560 kernel/futex/waitwake.c:172
do_futex+0x395/0x420 kernel/futex/syscalls.c:107
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex+0x36f/0x400 kernel/futex/syscalls.c:160
RAX: ffffffffffffffda RBX: 00007f132c1b5fa8 RCX: 00007f132bf8ebe9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f132c1b5fac
RBP: 00007f132c1b5fa0 R08: 7fffffffffffffff R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f132c1b6038 R14: 00007ffd03290180 R15: 00007ffd03290268
</TASK>
Allocated by task 7428:
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4371
kmalloc_node_noprof include/linux/slab.h:932 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:393 [inline]
bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:406
prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:73
stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:136
map_create+0xaa3/0x14d0 kernel/bpf/syscall.c:1480
__sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6011
__do_sys_bpf kernel/bpf/syscall.c:6139 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6137 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6137
which belongs to the cache kmalloc-cg-1k of size 1024
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7a2d8
raw: 0000000000000000 0000000080100010 00000000f5000000 ffff888054d19001
head: 00fff00000000040 ffff88801a44b280 dead000000000100 dead000000000122
head: 0000000000000000 0000000080100010 00000000f5000000 ffff888054d19001
head: 00fff00000000003 ffffea0001e8b601 00000000ffffffff 00000000ffffffff
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:909 [inline]
kmalloc_array_noprof include/linux/slab.h:948 [inline]
alloc_pipe_info+0x1fd/0x4d0 fs/pipe.c:815
get_pipe_inode fs/pipe.c:894 [inline]
create_pipe_files+0x8a/0x7e0 fs/pipe.c:926
__do_pipe_flags+0x46/0x1f0 fs/pipe.c:988
do_pipe2+0x9c/0x170 fs/pipe.c:1036
__do_sys_pipe2 fs/pipe.c:1054 [inline]
__se_sys_pipe2 fs/pipe.c:1052 [inline]
__x64_sys_pipe2+0x5a/0x70 fs/pipe.c:1052
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
discard_slab mm/slub.c:2753 [inline]
__put_partials+0x156/0x1a0 mm/slub.c:3218
put_cpu_partial+0x17c/0x250 mm/slub.c:3293
__slab_free+0x2d5/0x3c0 mm/slub.c:4550
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4236
getname_flags+0xb8/0x540 fs/namei.c:146
do_readlinkat+0xbc/0x500 fs/stat.c:575
__do_sys_readlink fs/stat.c:613 [inline]
__se_sys_readlink fs/stat.c:610 [inline]
__x64_sys_readlink+0x7f/0x90 fs/stat.c:610
ffff88807a2d9180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807a2d9200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff88807a2d9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807a2d9300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
5: 89 c3 mov %eax,%ebx
7: 83 f8 08 cmp $0x8,%eax
a: 73 65 jae 0x71
c: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
13: fc ff df
16: 4c 8d 34 dd 10 ed bd lea -0x724212f0(,%rbx,8),%r14
1d: 8d
1e: 4c 89 f0 mov %r14,%rax
21: 48 c1 e8 03 shr $0x3,%rax
25: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
* 2a: 74 08 je 0x34 <-- trapping instruction
2c: 4c 89 f7 mov %r14,%rdi
2f: e8 dc b8 7c 00 call 0x7cb910
34: 48 c7 c3 98 6f a1 92 mov $0xffffffff92a16f98,%rbx
3b: 49 03 1e add (%r14),%rbx
3e: 48 rex.W
3f: 89 .byte 0x89
Tested on:
commit: 71ca59e2 Merge branch 'fix-bpf_strnstr-len-error'
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=143c1162580000
kernel config: https://syzkaller.appspot.com/x/.config?x=807fffde4ddbe9ec
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=158e0134580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in __bpf_get_stackid
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:287
Write of size 8 at addr ffff88807a2d9258 by task syz.1.290/7428
CPU: 1 UID: 0 PID: 7428 Comm: syz.1.290 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
kasan_report+0x118/0x150 mm/kasan/report.c:595
__bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:287
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
bpf_prog_b724608cae728045+0x27/0x2f
bpf_dispatcher_nop_func include/linux/bpf.h:1332 [inline]
bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
bpf_prog_b724608cae728045+0x27/0x2f
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
bpf_trace_run2+0x281/0x4b0 kernel/trace/bpf_trace.c:2298
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
__traceiter_kfree+0x2e/0x50 include/trace/events/kmem.h:94
__do_trace_kfree include/trace/events/kmem.h:94 [inline]
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0x3a0/0x440 mm/slub.c:4866
trace_kfree include/trace/events/kmem.h:94 [inline]
slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4717
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline]
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:rcu_is_watching+0x3a/0xb0 kernel/rcu/tree.c:751
Code: e8 eb f2 d2 09 89 c3 83 f8 08 73 65 49 bf 00 00 00 00 00 fc ff df 4c 8d 34 dd 10 ed bd 8d 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 <74> 08 4c 89 f7 e8 dc b8 7c 00 48 c7 c3 98 6f a1 92 49 03 1e 48 89
RSP: 0018:ffffc9000b4d7ad8 EFLAGS: 00000246
RAX: 1ffffffff1b7bda3 RBX: 0000000000000001 RCX: 0f1baf102ea8c100
RDX: 0000000000000000 RSI: ffffffff8be33260 RDI: ffffffff8be33220
RBP: ffffffff81b2dcc0 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc9000b4d7c40 R11: fffff5200169af8b R12: 0000000000000002
R13: ffffffff8e139ea0 R14: ffffffff8dbded18 R15: dffffc0000000000
trace_lock_acquire include/trace/events/lock.h:24 [inline]
lock_acquire+0x5f/0x360 kernel/locking/lockdep.c:5831
rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:841 [inline]
class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
futex_hash+0x5d/0x2d0 kernel/futex/core.c:308
class_hb_constructor kernel/futex/futex.h:240 [inline]
futex_wake+0x161/0x560 kernel/futex/waitwake.c:172
do_futex+0x395/0x420 kernel/futex/syscalls.c:107
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex+0x36f/0x400 kernel/futex/syscalls.c:160
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f132bf8ebe9
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f132cd870e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f132c1b5fa8 RCX: 00007f132bf8ebe9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f132c1b5fac
RBP: 00007f132c1b5fa0 R08: 7fffffffffffffff R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f132c1b6038 R14: 00007ffd03290180 R15: 00007ffd03290268
</TASK>
Allocated by task 7428:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4371
kmalloc_node_noprof include/linux/slab.h:932 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:393 [inline]
bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:406
prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:73
stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:136
map_create+0xaa3/0x14d0 kernel/bpf/syscall.c:1480
__sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6011
__do_sys_bpf kernel/bpf/syscall.c:6139 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6137 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6137
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807a2d9000
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
which belongs to the cache kmalloc-cg-1k of size 1024
The buggy address is located 24 bytes to the right of
allocated 576-byte region [ffff88807a2d9000, ffff88807a2d9240)
The buggy address belongs to the physical page:
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888054d19001
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a44b280 dead000000000100 dead000000000122
page_type: f5(slab)
raw: 0000000000000000 0000000080100010 00000000f5000000 ffff888054d19001
head: 00fff00000000040 ffff88801a44b280 dead000000000100 dead000000000122
head: 0000000000000000 0000000080100010 00000000f5000000 ffff888054d19001
head: 00fff00000000003 ffffea0001e8b601 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5237, tgid 5237 (udevd), ts 36597748986, free_ts 36397116210
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:909 [inline]
kmalloc_array_noprof include/linux/slab.h:948 [inline]
alloc_pipe_info+0x1fd/0x4d0 fs/pipe.c:815
get_pipe_inode fs/pipe.c:894 [inline]
create_pipe_files+0x8a/0x7e0 fs/pipe.c:926
__do_pipe_flags+0x46/0x1f0 fs/pipe.c:988
do_pipe2+0x9c/0x170 fs/pipe.c:1036
__do_sys_pipe2 fs/pipe.c:1054 [inline]
__se_sys_pipe2 fs/pipe.c:1052 [inline]
__x64_sys_pipe2+0x5a/0x70 fs/pipe.c:1052
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5244 tgid 5244 stack trace:
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
discard_slab mm/slub.c:2753 [inline]
__put_partials+0x156/0x1a0 mm/slub.c:3218
put_cpu_partial+0x17c/0x250 mm/slub.c:3293
__slab_free+0x2d5/0x3c0 mm/slub.c:4550
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:340
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4236
getname_flags+0xb8/0x540 fs/namei.c:146
do_readlinkat+0xbc/0x500 fs/stat.c:575
__do_sys_readlink fs/stat.c:613 [inline]
__se_sys_readlink fs/stat.c:610 [inline]
__x64_sys_readlink+0x7f/0x90 fs/stat.c:610
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807a2d9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807a2d9180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807a2d9200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff88807a2d9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807a2d9300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: e8 eb f2 d2 09 call 0x9d2f2f0
----------------
Code disassembly (best guess):
5: 89 c3 mov %eax,%ebx
7: 83 f8 08 cmp $0x8,%eax
a: 73 65 jae 0x71
c: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
13: fc ff df
16: 4c 8d 34 dd 10 ed bd lea -0x724212f0(,%rbx,8),%r14
1d: 8d
1e: 4c 89 f0 mov %r14,%rax
21: 48 c1 e8 03 shr $0x3,%rax
25: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
* 2a: 74 08 je 0x34 <-- trapping instruction
2c: 4c 89 f7 mov %r14,%rdi
2f: e8 dc b8 7c 00 call 0x7cb910
34: 48 c7 c3 98 6f a1 92 mov $0xffffffff92a16f98,%rbx
3b: 49 03 1e add (%r14),%rbx
3e: 48 rex.W
3f: 89 .byte 0x89
Tested on:
commit: 71ca59e2 Merge branch 'fix-bpf_strnstr-len-error'
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=143c1162580000
kernel config: https://syzkaller.appspot.com/x/.config?x=807fffde4ddbe9ec
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=158e0134580000
Arnaud Lecomte
Sep 4, 2025, 10:11:22 AMSep 4
to syzbot+c9b724...@syzkaller.appspotmail.com, b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
#syz test
diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..1389712bc1df 100644
diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
u64, flags)
{
- u32 max_depth = map->value_size / stack_map_data_size(map);
- u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+ u32 elem_size = stack_map_data_size(map);
bool user = flags & BPF_F_USER_STACK;
struct perf_callchain_entry *trace;
bool kernel = !user;
+ u32 max_depth;
if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
return -EINVAL;
- max_depth += skip;
- if (max_depth > sysctl_perf_event_max_stack)
- max_depth = sysctl_perf_event_max_stack;
-
+ max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
false, false);
u64, flags)
{
- u32 max_depth = map->value_size / stack_map_data_size(map);
- u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+ u32 elem_size = stack_map_data_size(map);
bool user = flags & BPF_F_USER_STACK;
struct perf_callchain_entry *trace;
bool kernel = !user;
+ u32 max_depth;
if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
return -EINVAL;
- max_depth += skip;
- if (max_depth > sysctl_perf_event_max_stack)
- max_depth = sysctl_perf_event_max_stack;
-
+ max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
false, false);
+ trace->nr = min_t(u32, trace->nr, max_depth);
if (unlikely(!trace))
/* couldn't fetch the stack trace */
@@ -350,6 +370,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
{
struct perf_event *event = ctx->event;
struct perf_callchain_entry *trace;
+ u32 elem_size, max_depth;
bool kernel, user;
__u64 nr_kernel;
int ret;
@@ -371,11 +392,15 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
struct perf_event *event = ctx->event;
struct perf_callchain_entry *trace;
+ u32 elem_size, max_depth;
bool kernel, user;
__u64 nr_kernel;
int ret;
return -EFAULT;
nr_kernel = count_kernel_ip(trace);
+ elem_size = stack_map_data_size(map);
if (kernel) {
__u64 nr = trace->nr;
trace->nr = nr_kernel;
+ max_depth =
+ stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, nr_kernel, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
/* restore nr */
@@ -388,6 +413,9 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
nr_kernel = count_kernel_ip(trace);
+ elem_size = stack_map_data_size(map);
if (kernel) {
__u64 nr = trace->nr;
trace->nr = nr_kernel;
+ max_depth =
+ stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, nr_kernel, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
/* restore nr */
return -EFAULT;
flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
+ max_depth =
+ stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, trace->nr, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
}
return ret;
@@ -406,8 +434,8 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
+ max_depth =
+ stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, trace->nr, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
}
return ret;
struct perf_callchain_entry *trace_in,
void *buf, u32 size, u64 flags, bool may_fault)
{
- u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
bool user_build_id = flags & BPF_F_USER_BUILD_ID;
+ u32 trace_nr, copy_len, elem_size, max_depth;
bool crosstask = task && task != current;
u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
bool user = flags & BPF_F_USER_STACK;
@@ -438,21 +466,20 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
void *buf, u32 size, u64 flags, bool may_fault)
{
- u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
bool user_build_id = flags & BPF_F_USER_BUILD_ID;
+ u32 trace_nr, copy_len, elem_size, max_depth;
bool crosstask = task && task != current;
u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
bool user = flags & BPF_F_USER_STACK;
goto clear;
}
- num_elem = size / elem_size;
- max_depth = num_elem + skip;
- if (sysctl_perf_event_max_stack < max_depth)
- max_depth = sysctl_perf_event_max_stack;
+ max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
if (may_fault)
rcu_read_lock(); /* need RCU for perf's callchain below */
- if (trace_in)
+ if (trace_in) {
trace = trace_in;
- else if (kernel && task)
+ trace->nr = min_t(u32, trace->nr, max_depth);
+ } else if (kernel && task) {
trace = get_callchain_entry_for_task(task, max_depth);
- else
+ } else {
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
crosstask, false);
+ }
if (unlikely(!trace) || trace->nr < skip) {
if (may_fault)
@@ -461,7 +488,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
}
- num_elem = size / elem_size;
- max_depth = num_elem + skip;
- if (sysctl_perf_event_max_stack < max_depth)
- max_depth = sysctl_perf_event_max_stack;
+ max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
if (may_fault)
rcu_read_lock(); /* need RCU for perf's callchain below */
- if (trace_in)
+ if (trace_in) {
trace = trace_in;
- else if (kernel && task)
+ trace->nr = min_t(u32, trace->nr, max_depth);
+ } else if (kernel && task) {
trace = get_callchain_entry_for_task(task, max_depth);
- else
+ } else {
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
crosstask, false);
+ }
if (unlikely(!trace) || trace->nr < skip) {
if (may_fault)
syzbot
Sep 4, 2025, 10:32:06 AMSep 4
to b...@vger.kernel.org, con...@arnaud-lcm.com, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in __bpf_get_stackid
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:287
Write of size 8 at addr ffff88802fd43258 by task syz.3.65/6980
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in __bpf_get_stackid
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:287
CPU: 1 UID: 0 PID: 6980 Comm: syz.3.65 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:287
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
bpf_prog_b724608cae728045+0x27/0x2f
bpf_dispatcher_nop_func include/linux/bpf.h:1332 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
bpf_trace_run2+0x281/0x4b0 kernel/trace/bpf_trace.c:2298
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:287
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
bpf_prog_b724608cae728045+0x27/0x2f
bpf_dispatcher_nop_func include/linux/bpf.h:1332 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
bpf_trace_run2+0x281/0x4b0 kernel/trace/bpf_trace.c:2298
__do_trace_kfree include/trace/events/kmem.h:94 [inline]
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0x3a0/0x440 mm/slub.c:4866
slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4717
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0x3a0/0x440 mm/slub.c:4866
slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4717
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
Code: 74 05 e8 4b 87 4b f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 93 2e 14 f6 65 8b 05 6c 71 24 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc90003f6fc60 EFLAGS: 00000206
RAX: 237d7f7a06c71d00 RBX: 0000000000000a06 RCX: 237d7f7a06c71d00
RDX: 0000000000000006 RSI: ffffffff8d9b68b0 RDI: 0000000000000001
RBP: ffffc90003f6fcf0 R08: ffffffff8fa37e37 R09: 1ffffffff1f46fc6
R10: dffffc0000000000 R11: fffffbfff1f46fc7 R12: dffffc0000000000
R13: ffff8880641d6a40 R14: ffff888057cc1000 R15: 1ffff920007edf8c
__do_sys_perf_event_open kernel/events/core.c:13712 [inline]
__se_sys_perf_event_open+0x1942/0x1d70 kernel/events/core.c:13353
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd9da58ebe9
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd9db415038 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007fd9da7b5fa0 RCX: 00007fd9da58ebe9
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 00002000000003c0
RBP: 00007fd9da611e19 R08: 0000000000000003 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd9da7b6038 R14: 00007fd9da7b5fa0 R15: 00007ffee6a22f78
</TASK>
Allocated by task 6980:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4371
kmalloc_node_noprof include/linux/slab.h:932 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:393 [inline]
bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:406
prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:73
stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:136
map_create+0xaa3/0x14d0 kernel/bpf/syscall.c:1480
__sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6011
__do_sys_bpf kernel/bpf/syscall.c:6139 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6137 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6137
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88802fd43000
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4371
kmalloc_node_noprof include/linux/slab.h:932 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:393 [inline]
bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:406
prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:73
stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:136
map_create+0xaa3/0x14d0 kernel/bpf/syscall.c:1480
__sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6011
__do_sys_bpf kernel/bpf/syscall.c:6139 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6137 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6137
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
which belongs to the cache kmalloc-cg-1k of size 1024
The buggy address is located 24 bytes to the right of
allocated 576-byte region [ffff88802fd43000, ffff88802fd43240)
The buggy address is located 24 bytes to the right of
The buggy address belongs to the physical page:
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88806f32bf01
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a44b280 ffffea0001e83e00 dead000000000003
raw: 0000000000000000 0000000080100010 00000000f5000000 ffff88806f32bf01
head: 00fff00000000040 ffff88801a44b280 ffffea0001e83e00 dead000000000003
head: 0000000000000000 0000000080100010 00000000f5000000 ffff88806f32bf01
head: 00fff00000000003 ffffea0000bf5001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5882, tgid 5882 (syz-executor), ts 81348212299, free_ts 80466086651
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:909 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:909 [inline]
__register_sysctl_table+0x72/0x1340 fs/proc/proc_sysctl.c:1379
neigh_sysctl_register+0x9a2/0xa80 net/core/neighbour.c:3887
devinet_sysctl_register+0xad/0x200 net/ipv4/devinet.c:2715
inetdev_init+0x2b4/0x500 net/ipv4/devinet.c:291
inetdev_event+0x301/0x15b0 net/ipv4/devinet.c:1591
notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
call_netdevice_notifiers net/core/dev.c:2281 [inline]
register_netdevice+0x1608/0x1ae0 net/core/dev.c:11227
__ip_tunnel_create+0x3e7/0x560 net/ipv4/ip_tunnel.c:268
ip_tunnel_init_net+0x2ba/0x800 net/ipv4/ip_tunnel.c:1161
page last free pid 5526 tgid 5526 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
discard_slab mm/slub.c:2753 [inline]
__put_partials+0x156/0x1a0 mm/slub.c:3218
put_cpu_partial+0x17c/0x250 mm/slub.c:3293
__slab_free+0x2d5/0x3c0 mm/slub.c:4550
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4281
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
discard_slab mm/slub.c:2753 [inline]
__put_partials+0x156/0x1a0 mm/slub.c:3218
put_cpu_partial+0x17c/0x250 mm/slub.c:3293
__slab_free+0x2d5/0x3c0 mm/slub.c:4550
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
__alloc_skb+0x112/0x2d0 net/core/skbuff.c:659
alloc_skb include/linux/skbuff.h:1336 [inline]
alloc_skb_with_frags+0xca/0x890 net/core/skbuff.c:6665
sock_alloc_send_pskb+0x857/0x990 net/core/sock.c:2980
unix_dgram_sendmsg+0x461/0x1850 net/unix/af_unix.c:2153
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:729
sock_write_iter+0x258/0x330 net/socket.c:1179
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c6/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
Memory state around the buggy address:
ffff88802fd43180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802fd43200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff88802fd43280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802fd43300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 74 05 je 0x7
----------------
Code disassembly (best guess):
2: e8 4b 87 4b f6 call 0xf64b8752
7: 48 c7 44 24 20 00 00 movq $0x0,0x20(%rsp)
e: 00 00
10: 9c pushf
11: 8f 44 24 20 pop 0x20(%rsp)
15: f6 44 24 21 02 testb $0x2,0x21(%rsp)
1a: 75 4f jne 0x6b
1c: f7 c3 00 02 00 00 test $0x200,%ebx
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 93 2e 14 f6 call 0xf6142ec2 <-- trapping instruction
2f: 65 8b 05 6c 71 24 07 mov %gs:0x724716c(%rip),%eax # 0x72471a2
36: 85 c0 test %eax,%eax
38: 74 40 je 0x7a
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: 04 24 add $0x24,%al
3e: 0e (bad)
3f: 36 ss
Tested on:
commit: 71ca59e2 Merge branch 'fix-bpf_strnstr-len-error'
git tree: bpf
kernel config: https://syzkaller.appspot.com/x/.config?x=807fffde4ddbe9ec
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1381fe62580000
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Jakub Kicinski
Sep 4, 2025, 10:47:56 AMSep 4
to Arnaud Lecomte, syzbot+c9b724...@syzkaller.appspotmail.com, b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 4 Sep 2025 16:11:13 +0200 Arnaud Lecomte wrote:
> #syz test
You are hereby encouraged to not CC the vger MLs on your attempts
to get your patches tested by syzbot. It's not necessary.
> #syz test
You are hereby encouraged to not CC the vger MLs on your attempts
to get your patches tested by syzbot. It's not necessary.
Lecomte, Arnaud
Sep 4, 2025, 10:53:25 AMSep 4
to Jakub Kicinski, syzbot+c9b724...@syzkaller.appspotmail.com, b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Will be removed.
Reply all
Reply to author
Forward
0 new messages