[moderation/CI] Re: xsk: introduce pre-allocated memory per xsk CQ

[syzbot ci <syzbot+ci2fbf4060a9723f70@syzkaller.appspotmail.com>]

syzbot ci has tested the following series

[v2] xsk: introduce pre-allocated memory per xsk CQ
https://lore.kernel.org/all/20251216052623.2697-1-kerneljasonxing@gmail.com
* [PATCH bpf-next v2 1/2] xsk: introduce local_cq for each af_xdp socket
* [PATCH bpf-next v2 2/2] xsk: introduce a dedicated local completion queue for each xsk

and found the following issue:
WARNING in vfree

Full report is available here:
https://ci.syzbot.org/series/6719e0f5-2213-4ff5-83d4-c964705b4b0f

***

WARNING in vfree

tree:      bpf-next
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next.git
base:      759377dab35e404fc4f013e3f853d6e9450b4633
arch:      amd64
compiler:  Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config:    https://ci.syzbot.org/builds/99fbc71e-e7da-4091-b3a0-9180ab35952e/config
C repro:   https://ci.syzbot.org/findings/9588a511-f24a-4f1a-a73b-01059171d1d7/c_repro
syz repro: https://ci.syzbot.org/findings/9588a511-f24a-4f1a-a73b-01059171d1d7/syz_repro

UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
------------[ cut here ]------------
Trying to vfree() nonexistent vm area (ffffc900028f6000)
WARNING: mm/vmalloc.c:3423 at 0x0, CPU#1: syz.0.17/5994
Modules linked in:
CPU: 1 UID: 0 PID: 5994 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:vfree+0x393/0x400 mm/vmalloc.c:3422
Code: e8 42 12 ab ff 4c 89 f7 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d e9 0c fa ff ff e8 27 12 ab ff 48 8d 3d e0 f1 6e 0d 4c 89 f6 <67> 48 0f b9 3a e9 fd fd ff ff e8 0e 12 ab ff 4c 89 e7 e8 66 00 00
RSP: 0018:ffffc900043d7c40 EFLAGS: 00010293
RAX: ffffffff82163839 RBX: 0000000000000000 RCX: ffff888112303a80
RDX: 0000000000000000 RSI: ffffc900028f6000 RDI: ffffffff8f852a20
RBP: 1ffff1102e7044bf R08: ffff88810005d863 R09: 1ffff1102000bb0c
R10: dffffc0000000000 R11: ffffed102000bb0d R12: ffff888118dc8018
R13: dffffc0000000000 R14: ffffc900028f6000 R15: ffff888173822608
FS:  0000555558e99500(0000) GS:ffff8882a9eb0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 0000000174424000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 xsk_clear_local_cq net/xdp/xsk.c:1194 [inline]
 xsk_release+0x6b3/0x880 net/xdp/xsk.c:1226
 __sock_release net/socket.c:653 [inline]
 sock_close+0xc3/0x240 net/socket.c:1446
 __fput+0x44c/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
 exit_to_user_mode_loop+0xff/0x4f0 kernel/entry/common.c:75
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
 do_syscall_64+0x2e3/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5338b8f7c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8e18db38 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000000f4d1 RCX: 00007f5338b8f7c9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000088e18de2f
R10: 0000001b2fe20000 R11: 0000000000000246 R12: 00007f5338de5fac
R13: 00007f5338de5fa0 R14: ffffffffffffffff R15: 0000000000000003
 </TASK>
----------------
Code disassembly (best guess):
   0:	e8 42 12 ab ff       	call   0xffab1247
   5:	4c 89 f7             	mov    %r14,%rdi
   8:	48 83 c4 18          	add    $0x18,%rsp
   c:	5b                   	pop    %rbx
   d:	41 5c                	pop    %r12
   f:	41 5d                	pop    %r13
  11:	41 5e                	pop    %r14
  13:	41 5f                	pop    %r15
  15:	5d                   	pop    %rbp
  16:	e9 0c fa ff ff       	jmp    0xfffffa27
  1b:	e8 27 12 ab ff       	call   0xffab1247
  20:	48 8d 3d e0 f1 6e 0d 	lea    0xd6ef1e0(%rip),%rdi        # 0xd6ef207
  27:	4c 89 f6             	mov    %r14,%rsi
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	e9 fd fd ff ff       	jmp    0xfffffe31
  34:	e8 0e 12 ab ff       	call   0xffab1247
  39:	4c 89 e7             	mov    %r12,%rdi
  3c:	e8                   	.byte 0xe8
  3d:	66 00 00             	data16 add %al,(%rax)


***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
  Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.

The email will later be sent to:
[ast@kernel.org bjorn@kernel.org bpf@vger.kernel.org daniel@iogearbox.net davem@davemloft.net edumazet@google.com hawk@kernel.org john.fastabend@gmail.com jonathan.lemon@gmail.com kerneljasonxing@gmail.com kernelxing@tencent.com kuba@kernel.org maciej.fijalkowski@intel.com magnus.karlsson@intel.com netdev@vger.kernel.org pabeni@redhat.com sdf@fomichev.me]

If the report looks fine to you, reply with:
#syz upstream