BPF List
From: sashiko-bot@kernel.org
To: "Edward Adam Davis" <eadavis@qq.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v3] bpf: Fix smp_processor_id() call trace for preemptible kernels
Date: Tue, 30 Jun 2026 13:22:26 +0000
Message-ID: <20260630132226.C44601F000E9@smtp.kernel.org>
In-Reply-To: <tencent_4F9E5F1B854B1D1BB42574BA76BB5133BF08@qq.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Wrapping the entire batch operation in `bpf_disable_instrumentation()` elevates `bpf_prog_active` for an unbounded duration, leaking the state across preemption and blinding BPF tracing globally on the CPU.
--

commit 121a3f2517b4814c567c049b787ed0317746073a
Author: Edward Adam Davis <eadavis@qq.com>

bpf: Fix smp_processor_id() call trace for preemptible kernels

This commit addresses an smp_processor_id() warning in preemptible context by
wrapping the batch loop with bpf_disable_instrumentation() and
bpf_enable_instrumentation().

Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f

> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 9f394e1aa2e85..d3f2f8a379e86 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -3299,6 +3299,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
>  	dst_val = values;
>  	total = 0;
>  
> +	bpf_disable_instrumentation();
>  	rcu_read_lock();
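
Review bot: The bpf_disable_instrumentation() call added before rcu_read_lock() carries no comment saying which smp_processor_id() user it protects or why the disabled region has to span the whole batch loop, and the matching bpf_enable_instrumentation() is not visible in this hunk. Suggest a one-line comment at the call, and a check that every exit path taken after this line reaches bpf_enable_instrumentation() after rcu_read_unlock(), so the two pairs unwind in reverse order.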

[Severity: High]
Does wrapping this batch operation in bpf_disable_instrumentation() risk
blinding BPF tracing globally on the CPU if preemption occurs?

bpf_disable_instrumentation() increments the per-CPU bpf_prog_active counter.
Because migrate_disable() and rcu_read_lock() do not disable preemption under
CONFIG_PREEMPT_RCU, the task can be preempted during this potentially long
loop.

If preempted, bpf_prog_active would remain elevated on that CPU, which could
cause subsequent tasks scheduled on the same CPU to silently drop BPF tracing
events (kprobes, tracepoints, perf).

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/tencent_4F9E5F1B854B1D1BB42574BA76BB5133BF08@qq.com?part=1
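
The counter behaviour the review above describes, as a user-space model added here (not kernel code and not part of the original message). `trace_event`, `run_batch` and `run_batch_scoped` are hypothetical names, and the rule that an event is dropped whenever the per-CPU counter is already nonzero is the assumption the review's argument rests on.

```c
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS 2
static int bpf_prog_active[NR_CPUS];   /* model of the per-CPU counter */

/* Hypothetical tracing hook: the program runs only if nothing else is
 * marked active on this CPU; otherwise the event is silently dropped. */
static bool trace_event(int cpu)
{
	bool ran = (++bpf_prog_active[cpu] == 1);
	bpf_prog_active[cpu]--;
	return ran;
}

/* Batch task holds the counter up for the whole loop. If preemptible,
 * another task gets the CPU once per iteration and fires one event.
 * Returns how many of those events were dropped. */
static int run_batch(int cpu, int iters, bool preemptible)
{
	int dropped = 0;
	bpf_prog_active[cpu]++;            /* models disable_instrumentation */
	for (int i = 0; i < iters; i++)
		if (preemptible && !trace_event(cpu))
			dropped++;
	bpf_prog_active[cpu]--;            /* models enable_instrumentation */
	return dropped;
}

/* Contrast case (an assumption, not the patch): counter raised only
 * around each short step, so the other task sees it back at zero. */
static int run_batch_scoped(int cpu, int iters)
{
	int dropped = 0;
	for (int i = 0; i < iters; i++) {
		bpf_prog_active[cpu]++;    /* short, non-preemptible step */
		bpf_prog_active[cpu]--;
		if (!trace_event(cpu))
			dropped++;
	}
	return dropped;
}

int main(void)
{
	printf("whole-loop, preemptible: %d dropped\n", run_batch(0, 1000, true));
	printf("whole-loop, not preempted: %d dropped\n", run_batch(0, 1000, false));
	printf("per-step scope: %d dropped\n", run_batch_scoped(0, 1000));
	return 0;
}
```

In the model the number of lost events grows with the length of the batch loop, and the task that loses them gets no error, which is why the review flags the duration of the disabled region rather than the call itself.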

Thread overview: 17+ messages
2026-06-30  6:20 [syzbot] [bpf?] BUG: using smp_processor_id() in preemptible code in bpf_mem_cache_free_rcu syzbot
2026-06-30  8:41 ` [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels Edward Adam Davis
2026-06-30  8:49   ` sashiko-bot
2026-06-30  9:11     ` [PATCH v2] " Edward Adam Davis
2026-06-30  9:48       ` sashiko-bot
2026-06-30 11:14         ` Edward Adam Davis
2026-06-30 12:25           ` Jiayuan Chen
2026-06-30 12:46             ` Edward Adam Davis
2026-06-30 13:09               ` [PATCH v3] " Edward Adam Davis
2026-06-30 13:22                 ` sashiko-bot [this message]
2026-06-30 14:11                   ` [PATCH v4] " Edward Adam Davis
2026-06-30 14:29                     ` sashiko-bot
2026-06-30 14:46                     ` bot+bpf-ci
2026-07-01  0:27                   ` [PATCH v5] " Edward Adam Davis
2026-07-01 19:57                     ` Andrii Nakryiko
2026-07-02  4:34                       ` Edward Adam Davis
2026-07-02  5:40                         ` Alexei Starovoitov
