[syzbot] [xfs?] KMSAN: uninit-value in xfs_dialloc_ag_inobt

[syzbot] [xfs?] KMSAN: uninit-value in xfs_dialloc_ag_inobt

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    8560697b23dc Merge tag '6.15-rc2-smb3-client-fixes' of git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11d3dfe4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a27b81e0cf56c60b
dashboard link: https://syzkaller.appspot.com/bug?extid=b4a84825ea149bb99bfc
compiler:       Debian clang version 15.0.6, Debian LLD 15.0.6

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/03806cf4a3af/disk-8560697b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d86507d5b30/vmlinux-8560697b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f5f2020007a8/bzImage-8560697b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4a84825ea149bb99bfc@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in xfs_dialloc_ag_inobt+0x99b/0x2550 fs/xfs/libxfs/xfs_ialloc.c:1173
 xfs_dialloc_ag_inobt+0x99b/0x2550 fs/xfs/libxfs/xfs_ialloc.c:1173
 xfs_dialloc_ag fs/xfs/libxfs/xfs_ialloc.c:1585 [inline]
 xfs_dialloc_try_ag fs/xfs/libxfs/xfs_ialloc.c:1835 [inline]
 xfs_dialloc+0x14c4/0x3470 fs/xfs/libxfs/xfs_ialloc.c:1945
 xfs_create_tmpfile+0x496/0x12c0 fs/xfs/xfs_inode.c:827
 xfs_generic_create+0x65c/0x1610 fs/xfs/xfs_iops.c:227
 xfs_vn_tmpfile+0x6b/0x140 fs/xfs/xfs_iops.c:1194
 vfs_tmpfile+0x5e4/0xe40 fs/namei.c:3896
 do_tmpfile+0x19d/0x460 fs/namei.c:3961
 path_openat+0x4837/0x6280 fs/namei.c:3995
 do_filp_open+0x26b/0x610 fs/namei.c:4031
 io_openat2+0x5d5/0xa50 io_uring/openclose.c:140
 io_openat+0x35/0x40 io_uring/openclose.c:177
 __io_issue_sqe io_uring/io_uring.c:1734 [inline]
 io_issue_sqe+0x394/0x1de0 io_uring/io_uring.c:1753
 io_wq_submit_work+0xaf8/0xde0 io_uring/io_uring.c:1868
 io_worker_handle_work+0xc4d/0x2090 io_uring/io-wq.c:615
 io_wq_worker+0x403/0x1470 io_uring/io-wq.c:669
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was stored to memory at:
 xfs_dialloc_ag_inobt+0x1cc1/0x2550 fs/xfs/libxfs/xfs_ialloc.c:1227
 xfs_dialloc_ag fs/xfs/libxfs/xfs_ialloc.c:1585 [inline]
 xfs_dialloc_try_ag fs/xfs/libxfs/xfs_ialloc.c:1835 [inline]
 xfs_dialloc+0x14c4/0x3470 fs/xfs/libxfs/xfs_ialloc.c:1945
 xfs_create_tmpfile+0x496/0x12c0 fs/xfs/xfs_inode.c:827
 xfs_generic_create+0x65c/0x1610 fs/xfs/xfs_iops.c:227
 xfs_vn_tmpfile+0x6b/0x140 fs/xfs/xfs_iops.c:1194
 vfs_tmpfile+0x5e4/0xe40 fs/namei.c:3896
 do_tmpfile+0x19d/0x460 fs/namei.c:3961
 path_openat+0x4837/0x6280 fs/namei.c:3995
 do_filp_open+0x26b/0x610 fs/namei.c:4031
 io_openat2+0x5d5/0xa50 io_uring/openclose.c:140
 io_openat+0x35/0x40 io_uring/openclose.c:177
 __io_issue_sqe io_uring/io_uring.c:1734 [inline]
 io_issue_sqe+0x394/0x1de0 io_uring/io_uring.c:1753
 io_wq_submit_work+0xaf8/0xde0 io_uring/io_uring.c:1868
 io_worker_handle_work+0xc4d/0x2090 io_uring/io-wq.c:615
 io_wq_worker+0x403/0x1470 io_uring/io-wq.c:669
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Local variable trec created at:
 xfs_dialloc_ag_inobt+0x139/0x2550 fs/xfs/libxfs/xfs_ialloc.c:1101
 xfs_dialloc_ag fs/xfs/libxfs/xfs_ialloc.c:1585 [inline]
 xfs_dialloc_try_ag fs/xfs/libxfs/xfs_ialloc.c:1835 [inline]
 xfs_dialloc+0x14c4/0x3470 fs/xfs/libxfs/xfs_ialloc.c:1945

CPU: 1 UID: 0 PID: 7854 Comm: iou-wrk-7829 Not tainted 6.15.0-rc2-syzkaller-00404-g8560697b23dc #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -1182,6 +1182,8 @@ xfs_dialloc_ag_inobt(
                        if (error)
                                goto error1;
                } else {
+                       pag->pagl_leftrec = NULLAGINO;
+                       pag->pagl_rightrec = NULLAGINO;
                        /* search left with tcur, back up 1 record */
                        error = xfs_ialloc_next_rec(tcur, &trec, &doneleft, 1);
                        if (error)

Re: syztest

[syzbot]

> #syz test

This crash does not have a reproducer. I cannot test it.

>
> --- a/fs/xfs/libxfs/xfs_ialloc.c
> +++ b/fs/xfs/libxfs/xfs_ialloc.c
> @@ -1182,6 +1182,8 @@ xfs_dialloc_ag_inobt(
>                         if (error)
>                                 goto error1;
>                 } else {
> +                       pag->pagl_leftrec = NULLAGINO;
> +                       pag->pagl_rightrec = NULLAGINO;
>                         /* search left with tcur, back up 1 record */
>                         error = xfs_ialloc_next_rec(tcur, &trec, &doneleft, 1);
>                         if (error)
>

syztest

[Arnaud Lecomte]

#syz test

--- a/block/bio.c
+++ b/block/bio.c
@@ -691,6 +691,9 @@ static void bio_truncate(struct bio *bio, unsigned new_size)
  */
 void guard_bio_eod(struct bio *bio)
 {
+	if (unlikely(!bio->bi_bdev)
+		return;
+
 	sector_t maxsector = bdev_nr_sectors(bio->bi_bdev);
 
 	if (!maxsector)
-- 
2.43.0

syztest

[Arnaud Lecomte]

#syz test

--- a/block/bio.c
+++ b/block/bio.c
@@ -691,6 +691,9 @@ static void bio_truncate(struct bio *bio, unsigned new_size)
  */
 void guard_bio_eod(struct bio *bio)
 {
+	if (unlikely(!bio->bi_bdev))
+		return;
+
 	sector_t maxsector = bdev_nr_sectors(bio->bi_bdev);
 
 	if (!maxsector)
-- 
2.43.0

syztest

[Arnaud Lecomte]

#syz test

--- a/fs/bcachefs/fsck.c
+++ b/fs/bcachefs/fsck.c
@@ -976,7 +976,24 @@ int bch2_fsck_update_backpointers(struct btree_trans *trans,
 	int ret = 0;
 
 	if (d->v.d_type == DT_SUBVOL) {
-		BUG();
+		struct bch_subvolume subvol;
+
+		ret = bch2_subvolume_get(trans, le32_to_cpu(d->v.d_child_subvol),
+					     false, &subvol);
+		if (ret && !bch2_err_matches(ret, ENOENT))
+			goto err;
+
+		ret = get_visible_inodes(trans, &target, s, le64_to_cpu(subvol.inode));
+		if (ret)
+			goto err;
+
+		if (target.inodes.nr) {
+			target.inodes.data[0].inode.bi_dir_offset = d->k.p.offset;
+			ret = __bch2_fsck_write_inode(trans, &target.inodes.data[0].inode);
+			if (ret)
+				goto err;
+		}
+
 	} else {
 		ret = get_visible_inodes(trans, &target, s, le64_to_cpu(d->v.d_inum));
 		if (ret)
-- 
2.43.0

Re: syztest

[Kent Overstreet]

On Mon, Apr 28, 2025 at 06:09:03PM +0200, Arnaud Lecomte wrote:
> #syz test

Don't rely on syzbot for testing, you really need to be running the
tests yourself and looking at all the output.

It's not enough to know that we're not crashing anymore, we want the
filesystem to repair and mount successfully.

> --- a/fs/bcachefs/fsck.c
> +++ b/fs/bcachefs/fsck.c
> @@ -976,7 +976,24 @@ int bch2_fsck_update_backpointers(struct btree_trans *trans,
>  	int ret = 0;
>  
>  	if (d->v.d_type == DT_SUBVOL) {
> -		BUG();
> +		struct bch_subvolume subvol;
> +
> +		ret = bch2_subvolume_get(trans, le32_to_cpu(d->v.d_child_subvol),
> +					     false, &subvol);
> +		if (ret && !bch2_err_matches(ret, ENOENT))
> +			goto err;
> +
> +		ret = get_visible_inodes(trans, &target, s, le64_to_cpu(subvol.inode));
> +		if (ret)
> +			goto err;
> +
> +		if (target.inodes.nr) {
> +			target.inodes.data[0].inode.bi_dir_offset = d->k.p.offset;
> +			ret = __bch2_fsck_write_inode(trans, &target.inodes.data[0].inode);
> +			if (ret)
> +				goto err;
> +		}
> +
>  	} else {
>  		ret = get_visible_inodes(trans, &target, s, le64_to_cpu(d->v.d_inum));
>  		if (ret)
> -- 
> 2.43.0

syztest

[Arnaud Lecomte]

#syz test

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -123,11 +123,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 					  struct request_sock *req_unhash,
 					  bool *own_req)
 {
+        read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
 	struct smc_sock *smc;
 	struct sock *child;
-
 	smc = smc_clcsock_user_data(sk);
 
+	if (!smc)
+		goto drop;
+
 	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
 				sk->sk_max_ack_backlog)
 		goto drop;
@@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 		if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
 			inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
 	}
+	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
 	return child;
 
 drop:
+	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
 	dst_release(dst);
 	tcp_listendrop(sk);
 	return NULL;
@@ -2613,7 +2618,7 @@ int smc_listen(struct socket *sock, int backlog)
 	int rc;
 
 	smc = smc_sk(sk);
-	lock_sock(sk);
+	lock_sock(sock->sk);
 
 	rc = -EINVAL;
 	if ((sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) ||
-- 
2.43.0

syztest

[Arnaud Lecomte]

#syz test

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -126,8 +126,12 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 	struct smc_sock *smc;
 	struct sock *child;
 
+	lockdep_assert_held_read(&sk->sk_callback_lock);
 	smc = smc_clcsock_user_data(sk);
 
+	if (!smc)
+		goto drop;
+
 	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
 				sk->sk_max_ack_backlog)
 		goto drop;
-- 
2.43.0

syztest

[Arnaud Lecomte]

#syz test

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -125,9 +125,12 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 {
 	struct smc_sock *smc;
 	struct sock *child;
-
+	read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
 	smc = smc_clcsock_user_data(sk);
 
+	if (!smc)
+		goto drop;
+
 	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
 				sk->sk_max_ack_backlog)
 		goto drop;
@@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 		if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
 			inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
 	}
+	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
 	return child;
 
 drop:
+	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
 	dst_release(dst);
 	tcp_listendrop(sk);
 	return NULL;
-- 
2.43.0

Re: syztest

[Paolo Abeni]

On 6/29/25 3:29 PM, Arnaud Lecomte wrote:
> #syz test
> 
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -123,11 +123,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
>  					  struct request_sock *req_unhash,
>  					  bool *own_req)
>  {
> +        read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
>  	struct smc_sock *smc;
>  	struct sock *child;
> -
>  	smc = smc_clcsock_user_data(sk);
>  
> +	if (!smc)
> +		goto drop;
> +
>  	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
>  				sk->sk_max_ack_backlog)
>  		goto drop;
> @@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
>  		if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
>  			inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
>  	}
> +	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
>  	return child;
>  
>  drop:
> +	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
>  	dst_release(dst);
>  	tcp_listendrop(sk);
>  	return NULL;
> @@ -2613,7 +2618,7 @@ int smc_listen(struct socket *sock, int backlog)
>  	int rc;
>  
>  	smc = smc_sk(sk);
> -	lock_sock(sk);
> +	lock_sock(sock->sk);
>  
>  	rc = -EINVAL;
>  	if ((sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) ||

Please stop cc-ing netdev and other kernel ML with this tests. You
should keep just the syzkaller related MLs and a very restricted list of
individuals (i.e. no maintainers).

Thanks,

Paolo

syztest

[Arnaud Lecomte]

#syz test

--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -814,6 +814,10 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 			}
 			if (data[2] == MCP2221_I2C_READ_COMPL ||
 			    data[2] == MCP2221_I2C_READ_PARTIAL) {
+				if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+					mcp->status = -EINVAL;
+					break;
+				}	
 				buf = mcp->rxbuf;
 				memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
 				mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];
-- 

syztest

[Arnaud Lecomte]

#syz test

--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -124,6 +124,12 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
 		data_rec_off += 2;
 	} while (data_rec_off < idx_rec_off);
 
+	if (end_off < data_off) {
+		hfs_dbg(BNODE_MOD, "corrupted node: end_off %u < data_off %u\n", end_off, data_off);
+		if (new_node)
+			hfs_bnode_put(new_node);
+		return -EIO;
+	}
 	/* move data away */
 	hfs_bnode_move(node, data_off + size, data_off,
 		       end_off - data_off);
-- 
2.43.0

syztest

[Arnaud Lecomte]

#syz test

--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -230,7 +230,7 @@ static long __bpf_get_stackid(struct bpf_map *map,
 	struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
 	struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
 	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
-	u32 hash, id, trace_nr, trace_len, i;
+	u32 hash, id, trace_nr, trace_len, i, max_depth;
 	bool user = flags & BPF_F_USER_STACK;
 	u64 *ips;
 	bool hash_matches;
@@ -241,6 +241,19 @@ static long __bpf_get_stackid(struct bpf_map *map,
 
 	trace_nr = trace->nr - skip;
 	trace_len = trace_nr * sizeof(u64);
+
+	/* Clamp the trace to max allowed depth */
+	if (stack_map_use_build_id(map))
+		max_depth = smap->map.value_size / sizeof(struct bpf_stack_build_id);
+	else
+		max_depth = smap->map.value_size / sizeof(u64);
+
+	if (trace_nr > max_depth)
+		trace_nr = max_depth;
+
+ 	ips = trace->ip + skip;
+
+
 	ips = trace->ip + skip;
 	hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
 	id = hash & (smap->n_buckets - 1);
-- 

syztest

[Arnaud Lecomte]

#syz test

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5978,10 +5978,6 @@ struct mddev *md_alloc(dev_t dev, char *name)
 
 	disk->events |= DISK_EVENT_MEDIA_CHANGE;
 	mddev->gendisk = disk;
-	error = add_disk(disk);
-	if (error)
-		goto out_put_disk;
-
 	kobject_init(&mddev->kobj, &md_ktype);
 	error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md");
 	if (error) {
@@ -5999,6 +5995,9 @@ struct mddev *md_alloc(dev_t dev, char *name)
 	kobject_uevent(&mddev->kobj, KOBJ_ADD);
 	mddev->sysfs_state = sysfs_get_dirent_safe(mddev->kobj.sd, "array_state");
 	mddev->sysfs_level = sysfs_get_dirent_safe(mddev->kobj.sd, "level");
+	error = add_disk(disk);
+	if (error)
+		goto out_put_disk;
 	mutex_unlock(&disks_mutex);
 	return mddev;
 
-- 
2.43.0

Re: syztest

[Yu Kuai]

Hi,

在 2025/07/30 13:51, Arnaud Lecomte 写道:
> #syz test
> 
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -5978,10 +5978,6 @@ struct mddev *md_alloc(dev_t dev, char *name)
>   
>   	disk->events |= DISK_EVENT_MEDIA_CHANGE;
>   	mddev->gendisk = disk;
> -	error = add_disk(disk);
> -	if (error)
> -		goto out_put_disk;
> -
>   	kobject_init(&mddev->kobj, &md_ktype);
>   	error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md");

This is wrong, you can't add mddev >kobj under the disk without
kobject_add for the disk kobj.

Thanks,
Kuai

>   	if (error) {
> @@ -5999,6 +5995,9 @@ struct mddev *md_alloc(dev_t dev, char *name)
>   	kobject_uevent(&mddev->kobj, KOBJ_ADD);
>   	mddev->sysfs_state = sysfs_get_dirent_safe(mddev->kobj.sd, "array_state");
>   	mddev->sysfs_level = sysfs_get_dirent_safe(mddev->kobj.sd, "level");
> +	error = add_disk(disk);
> +	if (error)
> +		goto out_put_disk;
>   	mutex_unlock(&disks_mutex);
>   	return mddev;
>   
> 

Re: syztest

[Arnaud Lecomte]

On 30/07/2025 07:09, Yu Kuai wrote:
> Hi,
>
> 在 2025/07/30 13:51, Arnaud Lecomte 写道:
>> #syz test
>>
>> --- a/drivers/md/md.c
>> +++ b/drivers/md/md.c
>> @@ -5978,10 +5978,6 @@ struct mddev *md_alloc(dev_t dev, char *name)
>>         disk->events |= DISK_EVENT_MEDIA_CHANGE;
>>       mddev->gendisk = disk;
>> -    error = add_disk(disk);
>> -    if (error)
>> -        goto out_put_disk;
>> -
>>       kobject_init(&mddev->kobj, &md_ktype);
>>       error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, 
>> "%s", "md");
>
> This is wrong, you can't add mddev >kobj under the disk without
> kobject_add for the disk kobj.
>
Will dive a bit more into that after work,
Thanks

> Thanks,
> Kuai
>
>>       if (error) {
>> @@ -5999,6 +5995,9 @@ struct mddev *md_alloc(dev_t dev, char *name)
>>       kobject_uevent(&mddev->kobj, KOBJ_ADD);
>>       mddev->sysfs_state = sysfs_get_dirent_safe(mddev->kobj.sd, 
>> "array_state");
>>       mddev->sysfs_level = sysfs_get_dirent_safe(mddev->kobj.sd, 
>> "level");
>> +    error = add_disk(disk);
>> +    if (error)
>> +        goto out_put_disk;
>>       mutex_unlock(&disks_mutex);
>>       return mddev;
>>
>

syztest

[Chenzhi Yang]

From: Yang Chenzhi <yang.chenzhi@vivo.com>

#syz test

--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -522,6 +522,7 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
 		tree->node_hash[hash] = node;
 		tree->node_hash_cnt++;
 	} else {
+		hfs_bnode_get(node2);
 		spin_unlock(&tree->hash_lock);
 		kfree(node);
 		wait_event(node2->lock_wq,
-- 
2.43.0

syztest

[Arnaud Lecomte]

#syz test

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..29e05c9ff1bd 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map)
 		sizeof(struct bpf_stack_build_id) : sizeof(u64);
 }
 
+/**
+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth
+ * @size:  Size of the buffer/map value in bytes
+ * @elem_size:  Size of each stack trace element
+ * @flags:  BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...)
+ *
+ * Return: Maximum number of stack trace entries that can be safely stored
+ */
+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags)
+{
+	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 max_depth;
+	u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack);
+
+	max_depth = size / elem_size;
+	max_depth += skip;
+	if (max_depth > curr_sysctl_max_stack)
+		return curr_sysctl_max_stack;
+
+	return max_depth;
+}
+
 static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
 {
 	u64 elem_size = sizeof(struct stack_map_bucket) +
@@ -300,20 +322,17 @@ static long __bpf_get_stackid(struct bpf_map *map,
 BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
 	   u64, flags)
 {
-	u32 max_depth = map->value_size / stack_map_data_size(map);
-	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 elem_size = stack_map_data_size(map);
 	bool user = flags & BPF_F_USER_STACK;
 	struct perf_callchain_entry *trace;
 	bool kernel = !user;
+	u32 max_depth;
 
 	if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
 			       BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
 		return -EINVAL;
 
-	max_depth += skip;
-	if (max_depth > sysctl_perf_event_max_stack)
-		max_depth = sysctl_perf_event_max_stack;
-
+	max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
 	trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 				   false, false);
 
@@ -350,6 +369,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 {
 	struct perf_event *event = ctx->event;
 	struct perf_callchain_entry *trace;
+	u32 elem_size, max_depth;
 	bool kernel, user;
 	__u64 nr_kernel;
 	int ret;
@@ -371,11 +391,15 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 		return -EFAULT;
 
 	nr_kernel = count_kernel_ip(trace);
+	elem_size = stack_map_data_size(map);
 
 	if (kernel) {
 		__u64 nr = trace->nr;
 
 		trace->nr = nr_kernel;
+		max_depth =
+			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+		trace->nr = min_t(u32, nr_kernel, max_depth);
 		ret = __bpf_get_stackid(map, trace, flags);
 
 		/* restore nr */
@@ -388,6 +412,9 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 			return -EFAULT;
 
 		flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
+		max_depth =
+			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+		trace->nr = min_t(u32, trace->nr, max_depth);
 		ret = __bpf_get_stackid(map, trace, flags);
 	}
 	return ret;
@@ -406,8 +433,8 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 			    struct perf_callchain_entry *trace_in,
 			    void *buf, u32 size, u64 flags, bool may_fault)
 {
-	u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
 	bool user_build_id = flags & BPF_F_USER_BUILD_ID;
+	u32 trace_nr, copy_len, elem_size, max_depth;
 	bool crosstask = task && task != current;
 	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
 	bool user = flags & BPF_F_USER_STACK;
@@ -438,21 +465,20 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 		goto clear;
 	}
 
-	num_elem = size / elem_size;
-	max_depth = num_elem + skip;
-	if (sysctl_perf_event_max_stack < max_depth)
-		max_depth = sysctl_perf_event_max_stack;
+	max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
 
 	if (may_fault)
 		rcu_read_lock(); /* need RCU for perf's callchain below */
 
-	if (trace_in)
+	if (trace_in) {
 		trace = trace_in;
-	else if (kernel && task)
+		trace->nr = min_t(u32, trace->nr, max_depth);
+	} else if (kernel && task) {
 		trace = get_callchain_entry_for_task(task, max_depth);
-	else
+	} else {
 		trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 					   crosstask, false);
+	}
 
 	if (unlikely(!trace) || trace->nr < skip) {
 		if (may_fault)
@@ -461,7 +487,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	trace_nr = trace->nr - skip;
-	trace_nr = (trace_nr <= num_elem) ? trace_nr : num_elem;
 	copy_len = trace_nr * elem_size;
 
 	ips = trace->ip + skip;
-- 
2.47.3

syztest

[Arnaud Lecomte]

#syz test

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..1389712bc1df 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map)
 		sizeof(struct bpf_stack_build_id) : sizeof(u64);
 }
 
+/**
+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth
+ * @size:  Size of the buffer/map value in bytes
+ * @elem_size:  Size of each stack trace element
+ * @flags:  BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...)
+ *
+ * Return: Maximum number of stack trace entries that can be safely stored
+ */
+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags)
+{
+	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 max_depth;
+	u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack);
+
+	max_depth = size / elem_size;
+	max_depth += skip;
+	if (max_depth > curr_sysctl_max_stack)
+		return curr_sysctl_max_stack;
+
+	return max_depth;
+}
+
 static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
 {
 	u64 elem_size = sizeof(struct stack_map_bucket) +
@@ -300,22 +322,20 @@ static long __bpf_get_stackid(struct bpf_map *map,
 BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
 	   u64, flags)
 {
-	u32 max_depth = map->value_size / stack_map_data_size(map);
-	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 elem_size = stack_map_data_size(map);
 	bool user = flags & BPF_F_USER_STACK;
 	struct perf_callchain_entry *trace;
 	bool kernel = !user;
+	u32 max_depth;
 
 	if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
 			       BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
 		return -EINVAL;
 
-	max_depth += skip;
-	if (max_depth > sysctl_perf_event_max_stack)
-		max_depth = sysctl_perf_event_max_stack;
-
+	max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
 	trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 				   false, false);
+	trace->nr = min_t(u32, trace->nr, max_depth);
 
 	if (unlikely(!trace))
 		/* couldn't fetch the stack trace */
@@ -350,6 +370,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 {
 	struct perf_event *event = ctx->event;
 	struct perf_callchain_entry *trace;
+	u32 elem_size, max_depth;
 	bool kernel, user;
 	__u64 nr_kernel;
 	int ret;
@@ -371,11 +392,15 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 		return -EFAULT;
 
 	nr_kernel = count_kernel_ip(trace);
+	elem_size = stack_map_data_size(map);
 
 	if (kernel) {
 		__u64 nr = trace->nr;
 
 		trace->nr = nr_kernel;
+		max_depth =
+			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+		trace->nr = min_t(u32, nr_kernel, max_depth);
 		ret = __bpf_get_stackid(map, trace, flags);
 
 		/* restore nr */
@@ -388,6 +413,9 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 			return -EFAULT;
 
 		flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
+		max_depth =
+			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+		trace->nr = min_t(u32, trace->nr, max_depth);
 		ret = __bpf_get_stackid(map, trace, flags);
 	}
 	return ret;
@@ -406,8 +434,8 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 			    struct perf_callchain_entry *trace_in,
 			    void *buf, u32 size, u64 flags, bool may_fault)
 {
-	u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
 	bool user_build_id = flags & BPF_F_USER_BUILD_ID;
+	u32 trace_nr, copy_len, elem_size, max_depth;
 	bool crosstask = task && task != current;
 	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
 	bool user = flags & BPF_F_USER_STACK;
@@ -438,21 +466,20 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 		goto clear;
 	}
 
-	num_elem = size / elem_size;
-	max_depth = num_elem + skip;
-	if (sysctl_perf_event_max_stack < max_depth)
-		max_depth = sysctl_perf_event_max_stack;
+	max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
 
 	if (may_fault)
 		rcu_read_lock(); /* need RCU for perf's callchain below */
 
-	if (trace_in)
+	if (trace_in) {
 		trace = trace_in;
-	else if (kernel && task)
+		trace->nr = min_t(u32, trace->nr, max_depth);
+	} else if (kernel && task) {
 		trace = get_callchain_entry_for_task(task, max_depth);
-	else
+	} else {
 		trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 					   crosstask, false);
+	}
 
 	if (unlikely(!trace) || trace->nr < skip) {
 		if (may_fault)
@@ -461,7 +488,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	trace_nr = trace->nr - skip;
-	trace_nr = (trace_nr <= num_elem) ? trace_nr : num_elem;
 	copy_len = trace_nr * elem_size;
 
 	ips = trace->ip + skip;
-- 
2.47.3

Re: syztest

[Jakub Kicinski]

On Thu,  4 Sep 2025 16:11:13 +0200 Arnaud Lecomte wrote:
> #syz test

You are hereby encouraged to not CC the vger MLs on your attempts 
to get your patches tested by syzbot. It's not necessary.

Re: syztest

[Lecomte, Arnaud]

On 04/09/2025 16:47, Jakub Kicinski wrote:
> On Thu,  4 Sep 2025 16:11:13 +0200 Arnaud Lecomte wrote:
>> #syz test
> You are hereby encouraged to not CC the vger MLs on your attempts
> to get your patches tested by syzbot. It's not necessary.
>
Hey, sorry for the inconvenience.
Will be removed.