BPF List
From: sashiko-bot@kernel.org
To: "Edward Adam Davis" <eadavis@qq.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels
Date: Tue, 30 Jun 2026 09:48:23 +0000
Message-ID: <20260630094823.897BD1F00A3D@smtp.kernel.org>
In-Reply-To: <tencent_45066D89AD6EF9AED34CA567FA46CA52C606@qq.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The patch addresses the syzbot warning at the wrong layer by adding `get_cpu()`/`put_cpu()` inside the BPF memory allocator. This masks the caller's missing migration protection while leaving sibling allocator APIs vulnerable to the exact same crash.
--

commit 231004c76441ce47022b6f1dabd04453961dcac4
Author: Edward Adam Davis <eadavis@qq.com>

bpf: Fix smp_processor_id() call trace for preemptible kernels

This patch wraps unit_free_rcu() with get_cpu() and put_cpu() in
bpf_mem_cache_free_rcu() to avoid a preemption warning.

Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f

> diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c
> index e9662db7198fe..8f91f2b3848ff 100644
> --- a/kernel/bpf/memalloc.c
> +++ b/kernel/bpf/memalloc.c
> @@ -951,7 +951,9 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
>  	if (!ptr)
>  		return;
>  

[Severity: High]
Does this fix the issue at the right layer? By adding the preemption
protection here, it masks the fact that the caller is running with migration
enabled, which leaves sibling APIs vulnerable.

For example, in __rhtab_map_lookup_and_delete_batch() in
kernel/bpf/hashtab.c, the batch loop iterates and calls rhtab_delete_elem()
without disabling migration.

If the map elements contain special fields (like BPF_KPTR),
rhtab_delete_elem() will first call rhtab_check_and_free_fields(), which
eventually calls bpf_mem_free().

Since bpf_mem_free() also uses this_cpu_ptr() without get_cpu() protection:

kernel/bpf/memalloc.c:bpf_mem_free() {
    ...
    unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr);
    ...
}

Will this result in the exact same BUG being triggered on that path? Should
the missing migration protection be added to
__rhtab_map_lookup_and_delete_batch() instead of modifying the allocator
here?

> +	get_cpu();
>  	unit_free_rcu(this_cpu_ptr(ma->cache), ptr);
> +	put_cpu();
>  }
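
Review bot: At the added get_cpu()/put_cpu() pair around unit_free_rcu(), the CPU number returned by get_cpu() is discarded, so the pair serves only as preempt_disable()/preempt_enable() and the reason for it is not documented. If the pinning stays in the allocator, get_cpu_ptr(ma->cache) with a matching put_cpu_ptr(ma->cache) would state the intent directly. A short comment should also say which callers are expected to reach this function with migration enabled, because this hunk changes only bpf_mem_cache_free_rcu() and leaves the this_cpu_ptr() use in bpf_mem_free(), quoted earlier in this message, as it was.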

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/tencent_45066D89AD6EF9AED34CA567FA46CA52C606@qq.com?part=1
