* [syzbot] [bpf?] BUG: using smp_processor_id() in preemptible code in bpf_mem_cache_free_rcu
@ 2026-06-30 6:20 syzbot
2026-06-30 8:41 ` [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels Edward Adam Davis
0 siblings, 1 reply; 17+ messages in thread
From: syzbot @ 2026-06-30 6:20 UTC (permalink / raw)
To: andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel,
martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song
Hello,
syzbot found the following issue on:
HEAD commit: e771677c937d Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=144f8aae580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1ce9592ed82f8125
dashboard link: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=124c12ae580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13b89986580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5c69b301ec25/disk-e771677c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8267811b5065/vmlinux-e771677c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bcc54586e6c4/bzImage-e771677c.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
CPU: 1 UID: 0 PID: 5820 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
__rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
__sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
__do_sys_bpf kernel/bpf/syscall.c:6537 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6534 [inline]
__x64_sys_bpf+0xba/0xd0 kernel/bpf/syscall.c:6534
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fce2819ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcea2ad4b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fce28415fa0 RCX: 00007fce2819ce59
RDX: 0000000000000038 RSI: 00002000000018c0 RDI: 0000000000000019
RBP: 00007fce28232d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fce28415fac R14: 00007fce28415fa0 R15: 00007fce28415fa0
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 6:20 [syzbot] [bpf?] BUG: using smp_processor_id() in preemptible code in bpf_mem_cache_free_rcu syzbot
@ 2026-06-30 8:41 ` Edward Adam Davis
2026-06-30 8:49 ` sashiko-bot
0 siblings, 1 reply; 17+ messages in thread
From: Edward Adam Davis @ 2026-06-30 8:41 UTC (permalink / raw)
To: syzbot+fd7e415d891073b83e1f
Cc: andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel,
martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song
bpf_mem_cache_free_rcu() maybe called in preemptible context, this
will trigger the below warning message:
BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
Call Trace:
check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
__rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
__sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
this_cpu_ptr() calls smp_processor_id() in a preemptible context.
Fix by using per_cpu_ptr() with raw_smp_processor_id() instead.
Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
kernel/bpf/memalloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c
index bd45dda9dc35..151d9c8183bc 100644
--- a/kernel/bpf/memalloc.c
+++ b/kernel/bpf/memalloc.c
@@ -957,7 +957,7 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
if (!ptr)
return;
- unit_free_rcu(this_cpu_ptr(ma->cache), ptr);
+ unit_free_rcu(per_cpu_ptr(ma->cache, raw_smp_processor_id()), ptr);
}
/* Directly does a kfree() without putting 'ptr' back to the free_llist
--
2.43.0
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 8:41 ` [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels Edward Adam Davis
@ 2026-06-30 8:49 ` sashiko-bot
2026-06-30 9:11 ` [PATCH v2] " Edward Adam Davis
0 siblings, 1 reply; 17+ messages in thread
From: sashiko-bot @ 2026-06-30 8:49 UTC (permalink / raw)
To: Edward Adam Davis; +Cc: bpf
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Silencing a preemption warning with `raw_smp_processor_id()` leaves a severe cross-CPU task migration hazard intact, leading to lockless list corruption in the BPF memory allocator.
--
commit b3d3adf96792401d9a691908ba210c6315bac1bb
Author: Edward Adam Davis <eadavis@qq.com>
bpf: Fix smp_processor_id() call trace for preemptible kernels
This patch attempts to resolve a preemption warning in
bpf_mem_cache_free_rcu() by replacing this_cpu_ptr() with per_cpu_ptr()
and raw_smp_processor_id().
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
> diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c
> index e9662db7198fe..f2b7828e6ac7c 100644
> --- a/kernel/bpf/memalloc.c
> +++ b/kernel/bpf/memalloc.c
> @@ -951,7 +951,7 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
> if (!ptr)
> return;
>
> - unit_free_rcu(this_cpu_ptr(ma->cache), ptr);
> + unit_free_rcu(per_cpu_ptr(ma->cache, raw_smp_processor_id()), ptr);
[Severity: High]
This is a pre-existing issue with bpf_mem_cache_free_rcu() being called in a
preemptible context, but does silencing the warning with
raw_smp_processor_id() leave the underlying cross-CPU task migration hazard
intact?
If a task evaluates raw_smp_processor_id(), gets preempted, and then migrates
to another CPU, unit_free_rcu() will execute on the new CPU while still
operating on the original CPU's cache.
Since unit_free_rcu() only disables local interrupts for the current CPU,
the original CPU can concurrently modify its own cache. This could lead to
data races on the local_t active counter and concurrent execution of the
non-atomic __llist_add() operation, as seen here:
kernel/bpf/memalloc.c:unit_free_rcu() {
...
local_irq_save(flags);
if (local_inc_return(&c->active) == 1) {
if (__llist_add(llnode, &c->free_by_rcu))
...
}
Could this concurrent access corrupt the lockless lists?
> }
>
> /* Directly does a kfree() without putting 'ptr' back to the free_llist
--
Sashiko AI review · https://sashiko.dev/#/patchset/tencent_C4C3064909A16EDCAEDB0C8767D886D01206@qq.com?part=1
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 8:49 ` sashiko-bot
@ 2026-06-30 9:11 ` Edward Adam Davis
2026-06-30 9:48 ` sashiko-bot
0 siblings, 1 reply; 17+ messages in thread
From: Edward Adam Davis @ 2026-06-30 9:11 UTC (permalink / raw)
To: sashiko-bot
Cc: andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel,
martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song
bpf_mem_cache_free_rcu() maybe called in preemptible context, this
will trigger the below warning message:
BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
Call Trace:
check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
__rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
__sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
this_cpu_ptr() access needs to be guarded against preemption.
Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
v1 -> v2: using guard against preemption
kernel/bpf/memalloc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c
index bd45dda9dc35..1d7ddfc1c9d1 100644
--- a/kernel/bpf/memalloc.c
+++ b/kernel/bpf/memalloc.c
@@ -957,7 +957,9 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
if (!ptr)
return;
+ get_cpu();
unit_free_rcu(this_cpu_ptr(ma->cache), ptr);
+ put_cpu();
}
/* Directly does a kfree() without putting 'ptr' back to the free_llist
--
2.43.0
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 9:11 ` [PATCH v2] " Edward Adam Davis
@ 2026-06-30 9:48 ` sashiko-bot
2026-06-30 11:14 ` Edward Adam Davis
0 siblings, 1 reply; 17+ messages in thread
From: sashiko-bot @ 2026-06-30 9:48 UTC (permalink / raw)
To: Edward Adam Davis; +Cc: bpf
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The patch addresses the syzbot warning at the wrong layer by adding `get_cpu()`/`put_cpu()` inside the BPF memory allocator. This masks the caller's missing migration protection while leaving sibling allocator APIs vulnerable to the exact same crash.
--
commit 231004c76441ce47022b6f1dabd04453961dcac4
Author: Edward Adam Davis <eadavis@qq.com>
bpf: Fix smp_processor_id() call trace for preemptible kernels
This patch wraps unit_free_rcu() with get_cpu() and put_cpu() in
bpf_mem_cache_free_rcu() to avoid a preemption warning.
Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
> diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c
> index e9662db7198fe..8f91f2b3848ff 100644
> --- a/kernel/bpf/memalloc.c
> +++ b/kernel/bpf/memalloc.c
> @@ -951,7 +951,9 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
> if (!ptr)
> return;
>
[Severity: High]
Does this fix the issue at the right layer? By adding the preemption
protection here, it masks the fact that the caller is running with migration
enabled, which leaves sibling APIs vulnerable.
For example, in __rhtab_map_lookup_and_delete_batch() in
kernel/bpf/hashtab.c, the batch loop iterates and calls rhtab_delete_elem()
without disabling migration.
If the map elements contain special fields (like BPF_KPTR),
rhtab_delete_elem() will first call rhtab_check_and_free_fields(), which
eventually calls bpf_mem_free().
Since bpf_mem_free() also uses this_cpu_ptr() without get_cpu() protection:
kernel/bpf/memalloc.c:bpf_mem_free() {
...
unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr);
...
}
Will this result in the exact same BUG being triggered on that path? Should
the missing migration protection be added to
__rhtab_map_lookup_and_delete_batch() instead of modifying the allocator
here?
> + get_cpu();
> unit_free_rcu(this_cpu_ptr(ma->cache), ptr);
> + put_cpu();
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/tencent_45066D89AD6EF9AED34CA567FA46CA52C606@qq.com?part=1
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 9:48 ` sashiko-bot
@ 2026-06-30 11:14 ` Edward Adam Davis
2026-06-30 12:25 ` Jiayuan Chen
0 siblings, 1 reply; 17+ messages in thread
From: Edward Adam Davis @ 2026-06-30 11:14 UTC (permalink / raw)
To: sashiko-bot; +Cc: bpf, eadavis, sashiko-reviews
On Tue, 30 Jun 2026 09:48:23 +0000, Sashiko wrote:
> [Severity: High]
> Does this fix the issue at the right layer? By adding the preemption
> protection here, it masks the fact that the caller is running with migration
> enabled, which leaves sibling APIs vulnerable.
>
> For example, in __rhtab_map_lookup_and_delete_batch() in
> kernel/bpf/hashtab.c, the batch loop iterates and calls rhtab_delete_elem()
> without disabling migration.
>
> If the map elements contain special fields (like BPF_KPTR),
> rhtab_delete_elem() will first call rhtab_check_and_free_fields(), which
> eventually calls bpf_mem_free().
>
> Since bpf_mem_free() also uses this_cpu_ptr() without get_cpu() protection:
>
> kernel/bpf/memalloc.c:bpf_mem_free() {
> ...
> unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr);
> ...
> }
>
> Will this result in the exact same BUG being triggered on that path? Should
> the missing migration protection be added to
> __rhtab_map_lookup_and_delete_batch() instead of modifying the allocator
> here?
Like this?
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 9f394e1aa2e8..7b98c2eea685 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
}
if (do_delete) {
+ get_cpu();
for (i = 0; i < total; i++)
rhtab_delete_elem(rhtab, del_elems[i], NULL, 0);
+ put_cpu();
}
rcu_read_unlock();
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 11:14 ` Edward Adam Davis
@ 2026-06-30 12:25 ` Jiayuan Chen
2026-06-30 12:46 ` Edward Adam Davis
0 siblings, 1 reply; 17+ messages in thread
From: Jiayuan Chen @ 2026-06-30 12:25 UTC (permalink / raw)
To: Edward Adam Davis, sashiko-bot; +Cc: bpf, sashiko-reviews
On 6/30/26 7:14 PM, Edward Adam Davis wrote:
> On Tue, 30 Jun 2026 09:48:23 +0000, Sashiko wrote:
>> [Severity: High]
>> Does this fix the issue at the right layer? By adding the preemption
>> protection here, it masks the fact that the caller is running with migration
>> enabled, which leaves sibling APIs vulnerable.
>>
>> For example, in __rhtab_map_lookup_and_delete_batch() in
>> kernel/bpf/hashtab.c, the batch loop iterates and calls rhtab_delete_elem()
>> without disabling migration.
>>
>> If the map elements contain special fields (like BPF_KPTR),
>> rhtab_delete_elem() will first call rhtab_check_and_free_fields(), which
>> eventually calls bpf_mem_free().
>>
>> Since bpf_mem_free() also uses this_cpu_ptr() without get_cpu() protection:
>>
>> kernel/bpf/memalloc.c:bpf_mem_free() {
>> ...
>> unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr);
>> ...
>> }
>>
>> Will this result in the exact same BUG being triggered on that path? Should
>> the missing migration protection be added to
>> __rhtab_map_lookup_and_delete_batch() instead of modifying the allocator
>> here?
> Like this?
>
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 9f394e1aa2e8..7b98c2eea685 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
> }
>
> if (do_delete) {
> + get_cpu();
> for (i = 0; i < total; i++)
> rhtab_delete_elem(rhtab, del_elems[i], NULL, 0);
> + put_cpu();
> }
>
> rcu_read_unlock();
This splat is specific to rhash...
For HASH/PERCPU_HASH/..., most operations are performed under
bpf_disable_instrumentation(); see __htab_map_lookup_and_delete_batch().
But for rhash, bpf_mem_cache_free_rcu() is called outside the
bpf_disable_instrumentation() region; see
__rhtab_map_lookup_and_delete_batch().
note: map_lookup_and_delete_batch() disable cpu migration
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 12:25 ` Jiayuan Chen
@ 2026-06-30 12:46 ` Edward Adam Davis
2026-06-30 13:09 ` [PATCH v3] " Edward Adam Davis
0 siblings, 1 reply; 17+ messages in thread
From: Edward Adam Davis @ 2026-06-30 12:46 UTC (permalink / raw)
To: jiayuan.chen; +Cc: bpf, eadavis, sashiko-bot, sashiko-reviews
On Tue, 30 Jun 2026 20:25:30 +0800, Jiayuan Chen wrote:
>On 6/30/26 7:14 PM, Edward Adam Davis wrote:
>> On Tue, 30 Jun 2026 09:48:23 +0000, Sashiko wrote:
>>> [Severity: High]
>>> Does this fix the issue at the right layer? By adding the preemption
>>> protection here, it masks the fact that the caller is running with migration
>>> enabled, which leaves sibling APIs vulnerable.
>>>
>>> For example, in __rhtab_map_lookup_and_delete_batch() in
>>> kernel/bpf/hashtab.c, the batch loop iterates and calls rhtab_delete_elem()
>>> without disabling migration.
>>>
>>> If the map elements contain special fields (like BPF_KPTR),
>>> rhtab_delete_elem() will first call rhtab_check_and_free_fields(), which
>>> eventually calls bpf_mem_free().
>>>
>>> Since bpf_mem_free() also uses this_cpu_ptr() without get_cpu() protection:
>>>
>>> kernel/bpf/memalloc.c:bpf_mem_free() {
>>> ...
>>> unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr);
>>> ...
>>> }
>>>
>>> Will this result in the exact same BUG being triggered on that path? Should
>>> the missing migration protection be added to
>>> __rhtab_map_lookup_and_delete_batch() instead of modifying the allocator
>>> here?
>> Like this?
>>
>> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
>> index 9f394e1aa2e8..7b98c2eea685 100644
>> --- a/kernel/bpf/hashtab.c
>> +++ b/kernel/bpf/hashtab.c
>> @@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
>> }
>>
>> if (do_delete) {
>> + get_cpu();
>> for (i = 0; i < total; i++)
>> rhtab_delete_elem(rhtab, del_elems[i], NULL, 0);
>> + put_cpu();
>> }
>>
>> rcu_read_unlock();
>
>
>This splat is specific to rhash...
>
>For HASH/PERCPU_HASH/..., most operations are performed under
>bpf_disable_instrumentation(); see __htab_map_lookup_and_delete_batch().
>
>But for rhash, bpf_mem_cache_free_rcu() is called outside the
>bpf_disable_instrumentation() region; see
>__rhtab_map_lookup_and_delete_batch().
Let's use bpf_disable/enable_instrumentation() consistently to protect
__rhtab_map_lookup_and_delete_batch().
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 9f394e1aa2e8..d3f2f8a379e8 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -3299,6 +3299,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
dst_val = values;
total = 0;
+ bpf_disable_instrumentation();
rcu_read_lock();
/*
@@ -3313,6 +3314,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
elem = rhtab_lookup_elem(map, cursor);
if (!elem) {
rcu_read_unlock();
+ bpf_enable_instrumentation();
ret = -EAGAIN;
goto free;
}
@@ -3350,6 +3352,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
}
rcu_read_unlock();
+ bpf_enable_instrumentation();
if (total == 0) {
ret = -ENOENT;
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH v3] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 12:46 ` Edward Adam Davis
@ 2026-06-30 13:09 ` Edward Adam Davis
2026-06-30 13:22 ` sashiko-bot
0 siblings, 1 reply; 17+ messages in thread
From: Edward Adam Davis @ 2026-06-30 13:09 UTC (permalink / raw)
To: eadavis
Cc: jiayuan.chen, sashiko-bot, sashiko-reviews, andrii, ast, bpf,
daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor,
netdev, song, syzkaller-bugs, yonghong.song
bpf_mem_cache_free_rcu() maybe called in preemptible context, this
will trigger the below warning message:
BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
Call Trace:
check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
__rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
__sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
this_cpu_ptr() access needs to be guarded against preemption.
Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
v1 -> v2: using guard against preemption
v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation()
kernel/bpf/hashtab.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 9f394e1aa2e8..d3f2f8a379e8 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -3299,6 +3299,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
dst_val = values;
total = 0;
+ bpf_disable_instrumentation();
rcu_read_lock();
/*
@@ -3313,6 +3314,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
elem = rhtab_lookup_elem(map, cursor);
if (!elem) {
rcu_read_unlock();
+ bpf_enable_instrumentation();
ret = -EAGAIN;
goto free;
}
@@ -3350,6 +3352,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
}
rcu_read_unlock();
+ bpf_enable_instrumentation();
if (total == 0) {
ret = -ENOENT;
--
2.43.0
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v3] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 13:09 ` [PATCH v3] " Edward Adam Davis
@ 2026-06-30 13:22 ` sashiko-bot
2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis
2026-07-01 0:27 ` [PATCH v5] " Edward Adam Davis
0 siblings, 2 replies; 17+ messages in thread
From: sashiko-bot @ 2026-06-30 13:22 UTC (permalink / raw)
To: Edward Adam Davis; +Cc: bpf
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Wrapping the entire batch operation in `bpf_disable_instrumentation()` elevates `bpf_prog_active` for an unbounded duration, leaking the state across preemption and blinding BPF tracing globally on the CPU.
--
commit 121a3f2517b4814c567c049b787ed0317746073a
Author: Edward Adam Davis <eadavis@qq.com>
bpf: Fix smp_processor_id() call trace for preemptible kernels
This commit addresses an smp_processor_id() warning in preemptible context by
wrapping the batch loop with bpf_disable_instrumentation() and
bpf_enable_instrumentation().
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 9f394e1aa2e85..d3f2f8a379e86 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -3299,6 +3299,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
> dst_val = values;
> total = 0;
>
> + bpf_disable_instrumentation();
> rcu_read_lock();
[Severity: High]
Does wrapping this batch operation in bpf_disable_instrumentation() risk
blinding BPF tracing globally on the CPU if preemption occurs?
bpf_disable_instrumentation() increments the per-CPU bpf_prog_active counter.
Because migrate_disable() and rcu_read_lock() do not disable preemption under
CONFIG_PREEMPT_RCU, the task can be preempted during this potentially long
loop.
If preempted, bpf_prog_active would remain elevated on that CPU, which could
cause subsequent tasks scheduled on the same CPU to silently drop BPF tracing
events (kprobes, tracepoints, perf).
--
Sashiko AI review · https://sashiko.dev/#/patchset/tencent_4F9E5F1B854B1D1BB42574BA76BB5133BF08@qq.com?part=1
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v4] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 13:22 ` sashiko-bot
@ 2026-06-30 14:11 ` Edward Adam Davis
2026-06-30 14:29 ` sashiko-bot
2026-06-30 14:46 ` bot+bpf-ci
2026-07-01 0:27 ` [PATCH v5] " Edward Adam Davis
1 sibling, 2 replies; 17+ messages in thread
From: Edward Adam Davis @ 2026-06-30 14:11 UTC (permalink / raw)
To: sashiko-bot
Cc: eadavis, jiayuan.chen, sashiko-reviews, andrii, ast, bpf, daniel,
eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev,
song, syzkaller-bugs, yonghong.song
bpf_mem_cache_free_rcu() maybe called in preemptible context, this
will trigger the below warning message:
BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
Call Trace:
check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
__rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
__sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
this_cpu_ptr() access needs to be guarded against migration.
Wrapping this batch operation in bpf_disable_instrumentation() risk
blinding BPF tracing globally on the CPU if preemption occurs.
bpf_disable_instrumentation() increments the per-CPU bpf_prog_active counter.
Because migrate_disable() and rcu_read_lock() do not disable preemption under
CONFIG_PREEMPT_RCU, the task can be preempted during this potentially long
loop.
If preempted, bpf_prog_active would remain elevated on that CPU, which could
cause subsequent tasks scheduled on the same CPU to silently drop BPF tracing
events (kprobes, tracepoints, perf).
Therefore, we fix this by disabling preemption rather than prohibiting
migration.
Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
v1 -> v2: using guard against preemption
v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation()
v3 -> v4: disable preempt to make this_cpu_ptr() work
kernel/bpf/hashtab.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 9f394e1aa2e8..7b98c2eea685 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
}
if (do_delete) {
+ get_cpu();
for (i = 0; i < total; i++)
rhtab_delete_elem(rhtab, del_elems[i], NULL, 0);
+ put_cpu();
}
rcu_read_unlock();
--
2.43.0
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v4] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis
@ 2026-06-30 14:29 ` sashiko-bot
2026-06-30 14:46 ` bot+bpf-ci
1 sibling, 0 replies; 17+ messages in thread
From: sashiko-bot @ 2026-06-30 14:29 UTC (permalink / raw)
To: Edward Adam Davis; +Cc: bpf
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] Unbounded preempt-disabled loop causes severe scheduling latency and soft lockups.
Pre-existing issues:
- [High] Synchronous freeing of map element fields upon deletion violates RCU reader guarantees, causing Use-After-Free.
--
commit 366a895a5502b13454a28525375f08655dba66d2
Author: Edward Adam Davis <eadavis@qq.com>
bpf: Fix smp_processor_id() call trace for preemptible kernels
This commit attempts to fix a preemption warning in bpf_mem_cache_free_rcu()
by wrapping the batch deletion loop in get_cpu() and put_cpu(). This disables
preemption rather than prohibiting migration.
Link: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 9f394e1aa2e85..7b98c2eea6859 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
> }
>
> if (do_delete) {
> + get_cpu();
> for (i = 0; i < total; i++)
> rhtab_delete_elem(rhtab, del_elems[i], NULL, 0);
[Severity: High]
Will this unbounded loop with preemption disabled cause soft lockups?
The user-space process provides the count parameter which determines the size
of the total variable. Wrapping this potentially massive loop inside get_cpu()
and put_cpu() completely disables preemption for the entire duration of the
deletion loop.
Can this lead to severe CPU latency spikes and system unresponsiveness,
especially on real-time and preemptible kernels?
[Severity: High]
This is a pre-existing issue, but does calling rhtab_delete_elem() here
violate RCU reader guarantees?
Looking at rhtab_delete_elem() in kernel/bpf/hashtab.c, it synchronously
frees the element's special fields:
kernel/bpf/hashtab.c:rhtab_delete_elem() {
...
/* Release internal structs: kptr, bpf_timer, task_work, wq */
rhtab_check_and_free_fields(rhtab, elem);
bpf_mem_cache_free_rcu(&rhtab->ma, elem);
return 0;
}
Since rhtab_check_and_free_fields() immediately calls bpf_obj_free_fields(),
this destroys fields (like kptr) before the RCU grace period elapses.
Could concurrent RCU readers accessing the element during the grace period
read freed pointers, resulting in a use-after-free?
> + put_cpu();
> }
>
> rcu_read_unlock();
--
Sashiko AI review · https://sashiko.dev/#/patchset/tencent_5E4F8F8DADA5DE0DAD924ADD835DD7991707@qq.com?part=1
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v4] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis
2026-06-30 14:29 ` sashiko-bot
@ 2026-06-30 14:46 ` bot+bpf-ci
1 sibling, 0 replies; 17+ messages in thread
From: bot+bpf-ci @ 2026-06-30 14:46 UTC (permalink / raw)
To: eadavis, sashiko-bot
Cc: eadavis, jiayuan.chen, sashiko-reviews, andrii, ast, bpf, daniel,
eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev,
song, syzkaller-bugs, yonghong.song, ast, andrii, daniel,
martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai
[-- Attachment #1: Type: text/plain, Size: 3946 bytes --]
> bpf: Fix smp_processor_id() call trace for preemptible kernels
>
> bpf_mem_cache_free_rcu() maybe called in preemptible context, this
> will trigger the below warning message:
>
> BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
> caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
> Call Trace:
> check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
> bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
> rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
> __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
> bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
> __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
>
> this_cpu_ptr() access needs to be guarded against migration.
The commit message says "guarded against migration" but the fix actually
disables preemption using get_cpu()/put_cpu(). Is this description accurate?
get_cpu() does preempt_disable() + __smp_processor_id(), not just
migrate_disable(). The later sentence "disabling preemption rather than
prohibiting migration" correctly describes the fix, but this earlier line
understates the requirement.
> Wrapping this batch operation in bpf_disable_instrumentation() risk
> blinding BPF tracing globally on the CPU if preemption occurs.
>
> bpf_disable_instrumentation() increments the per-CPU bpf_prog_active counter.
> Because migrate_disable() and rcu_read_lock() do not disable preemption under
> CONFIG_PREEMPT_RCU, the task can be preempted during this potentially long
> loop.
>
> If preempted, bpf_prog_active would remain elevated on that CPU, which could
> cause subsequent tasks scheduled on the same CPU to silently drop BPF tracing
> events (kprobes, tracepoints, perf).
The reasoning about bpf_disable_instrumentation() is sound, but could the
commit message clarify that rhtab_delete_elem() already calls
bpf_disable_instrumentation() internally?
Looking at rhtab_delete_elem():
kernel/bpf/hashtab.c:rhtab_delete_elem() {
...
bpf_disable_instrumentation();
ret = rhashtable_remove_fast(&rhtab->table, &elem->htab_node,
rhtab->rhtable_params);
bpf_enable_instrumentation();
...
}
This means the same "blinding BPF tracing" window already exists in the
per-element path. The argument is against a longer-held instrumentation
disable across the entire loop, not a categorical concern.
> Therefore, we fix this by disabling preemption rather than prohibiting
> migration.
>
> Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
Should the Fixes tag point to a different commit? The bug occurs when
__rhtab_map_lookup_and_delete_batch() calls rhtab_delete_elem() which calls
bpf_mem_cache_free_rcu() in preemptible context.
Commit 5af6807bdb10 introduced bpf_mem_free_rcu() in 2023 but did not modify
kernel/bpf/hashtab.c or introduce the rhtab code. The call chain was
introduced by:
Fixes: 6905f8601298 ("bpf: Allow special fields in resizable hashtab")
which added the rhtab implementation including __rhtab_map_lookup_and_delete_batch()
and the call to bpf_mem_cache_free_rcu() in rhtab_delete_elem().
> Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
[ ... ]
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -3345,8 +3345,10 @@
> }
>
> if (do_delete) {
> + get_cpu();
> for (i = 0; i < total; i++)
> rhtab_delete_elem(rhtab, del_elems[i], NULL, 0);
> + put_cpu();
> }
>
> rcu_read_unlock();
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/28451219226
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v5] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-06-30 13:22 ` sashiko-bot
2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis
@ 2026-07-01 0:27 ` Edward Adam Davis
2026-07-01 19:57 ` Andrii Nakryiko
1 sibling, 1 reply; 17+ messages in thread
From: Edward Adam Davis @ 2026-07-01 0:27 UTC (permalink / raw)
To: sashiko-bot
Cc: eadavis, jiayuan.chen, sashiko-reviews, andrii, ast, bpf, daniel,
eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev,
song, syzkaller-bugs, yonghong.song
bpf_mem_cache_free_rcu() maybe called in preemptible context, this
will trigger the below warning message:
BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
Call Trace:
check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
__rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
__sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
this_cpu_ptr() requires the caller to prevent task migration.
These helpers currently do not enforce that requirement and may
be invoked from preemptible contexts, leading to accesses to another
CPU's per-CPU cache after migration. Use get_cpu_ptr()/put_cpu_ptr()
to pin the task while accessing the per-CPU allocator state.
Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
Fixes: 7c8199e24fa0 ("bpf: Introduce any context BPF specific memory allocator.")
Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
v1 -> v2: using guard against preemption
v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation()
v3 -> v4: disable preempt to make this_cpu_ptr() work
v4 -> v5: in mem free disable preemption
kernel/bpf/memalloc.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c
index e9662db7198f..2118fe725ed4 100644
--- a/kernel/bpf/memalloc.c
+++ b/kernel/bpf/memalloc.c
@@ -911,7 +911,8 @@ void notrace bpf_mem_free(struct bpf_mem_alloc *ma, void *ptr)
if (WARN_ON_ONCE(idx < 0))
return;
- unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr);
+ unit_free(get_cpu_ptr(ma->caches)->cache + idx, ptr);
+ put_cpu_ptr(ma->caches);
}
void notrace bpf_mem_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
@@ -927,7 +928,8 @@ void notrace bpf_mem_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
if (WARN_ON_ONCE(idx < 0))
return;
- unit_free_rcu(this_cpu_ptr(ma->caches)->cache + idx, ptr);
+ unit_free_rcu(get_cpu_ptr(ma->caches)->cache + idx, ptr);
+ put_cpu_ptr(ma->caches);
}
void notrace *bpf_mem_cache_alloc(struct bpf_mem_alloc *ma)
@@ -951,7 +953,8 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
if (!ptr)
return;
- unit_free_rcu(this_cpu_ptr(ma->cache), ptr);
+ unit_free_rcu(get_cpu_ptr(ma->cache), ptr);
+ put_cpu_ptr(ma->cache);
}
/* Directly does a kfree() without putting 'ptr' back to the free_llist
--
2.43.0
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v5] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-07-01 0:27 ` [PATCH v5] " Edward Adam Davis
@ 2026-07-01 19:57 ` Andrii Nakryiko
2026-07-02 4:34 ` Edward Adam Davis
0 siblings, 1 reply; 17+ messages in thread
From: Andrii Nakryiko @ 2026-07-01 19:57 UTC (permalink / raw)
To: Edward Adam Davis
Cc: sashiko-bot, jiayuan.chen, sashiko-reviews, andrii, ast, bpf,
daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor,
netdev, song, syzkaller-bugs, yonghong.song
On Tue, Jun 30, 2026 at 5:27 PM Edward Adam Davis <eadavis@qq.com> wrote:
>
> bpf_mem_cache_free_rcu() maybe called in preemptible context, this
> will trigger the below warning message:
>
> BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
> caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
> Call Trace:
> check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
> bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
> rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
> __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
> bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
> __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
>
> this_cpu_ptr() requires the caller to prevent task migration.
> These helpers currently do not enforce that requirement and may
> be invoked from preemptible contexts, leading to accesses to another
> CPU's per-CPU cache after migration. Use get_cpu_ptr()/put_cpu_ptr()
> to pin the task while accessing the per-CPU allocator state.
>
> Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
> Fixes: 7c8199e24fa0 ("bpf: Introduce any context BPF specific memory allocator.")
> Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
from what I can see, bpf_mem_free() is called through bpf kfuncs only,
and all BPF programs run with migration disabled. So this seems like a
false positive. For per-cpu checking, it should probably check that
either preemption is disabled or migration is disabled. tl;dr, there
doesn't seem to be any
pw-bot: cr
> v1 -> v2: using guard against preemption
> v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation()
> v3 -> v4: disable preempt to make this_cpu_ptr() work
> v4 -> v5: in mem free disable preemption
>
maybe throttle your patch resubmission spree a bit?..
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v5] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-07-01 19:57 ` Andrii Nakryiko
@ 2026-07-02 4:34 ` Edward Adam Davis
2026-07-02 5:40 ` Alexei Starovoitov
0 siblings, 1 reply; 17+ messages in thread
From: Edward Adam Davis @ 2026-07-02 4:34 UTC (permalink / raw)
To: andrii.nakryiko
Cc: andrii, ast, bpf, daniel, eadavis, eddyz87, emil, jiayuan.chen,
jolsa, linux-kernel, martin.lau, memxor, netdev, sashiko-bot,
sashiko-reviews, song, syzkaller-bugs, yonghong.song
On Wed, 1 Jul 2026 12:57:52 -0700, Andrii Nakryiko wrote:
> > bpf_mem_cache_free_rcu() maybe called in preemptible context, this
> > will trigger the below warning message:
> >
> > BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
> > caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
> > Call Trace:
> > check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
> > bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
> > rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
> > __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
> > bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
> > __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
> >
> > this_cpu_ptr() requires the caller to prevent task migration.
> > These helpers currently do not enforce that requirement and may
> > be invoked from preemptible contexts, leading to accesses to another
> > CPU's per-CPU cache after migration. Use get_cpu_ptr()/put_cpu_ptr()
> > to pin the task while accessing the per-CPU allocator state.
> >
> > Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
> > Fixes: 7c8199e24fa0 ("bpf: Introduce any context BPF specific memory allocator.")
> > Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > ---
>
> from what I can see, bpf_mem_free() is called through bpf kfuncs only,
> and all BPF programs run with migration disabled. So this seems like a
> false positive. For per-cpu checking, it should probably check that
> either preemption is disabled or migration is disabled. tl;dr, there
> doesn't seem to be any
Today, I researched the call sites of bpf_mem_free() in detail; it is
called directly by bpf kfuns only.
Different BPF program types execute in distinct kernel contexts: for
instance, XDP and TC typically run in non-sleepable networking contexts,
whereas `raw_tp`, `tracing`, `LSM`, `syscall` and especially sleepable
BPF programs may run in contexts where preemption and migration are
enabled. Consequently, any shared BPF code (such as a helper or kfunc)
that accesses per-CPU data must not rely on the caller having disabled
migration; instead, it must internally ensure that CPU migration does
not occur during the access.
Taking into account the CI reviewer's feedback [1] and my further
investigation into BPF programs as described above, the adjustments
related to bpf_mem_free() should be retained.
[1]
https://lore.kernel.org/all/20260630094823.897BD1F00A3D@smtp.kernel.org
>
> pw-bot: cr
>
> > v1 -> v2: using guard against preemption
> > v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation()
> > v3 -> v4: disable preempt to make this_cpu_ptr() work
> > v4 -> v5: in mem free disable preemption
> >
>
> maybe throttle your patch resubmission spree a bit?..
My earlier actions were driven by a desire to keep pace with the CI
reviewer's response speed.
Moving forward, I will slow down the cadence of new patch submissions,
as you suggested.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v5] bpf: Fix smp_processor_id() call trace for preemptible kernels
2026-07-02 4:34 ` Edward Adam Davis
@ 2026-07-02 5:40 ` Alexei Starovoitov
0 siblings, 0 replies; 17+ messages in thread
From: Alexei Starovoitov @ 2026-07-02 5:40 UTC (permalink / raw)
To: Edward Adam Davis
Cc: Andrii Nakryiko, Andrii Nakryiko, Alexei Starovoitov, bpf,
Daniel Borkmann, Eduard, Emil Tsalapatis, Jiayuan Chen, Jiri Olsa,
LKML, Martin KaFai Lau, Kumar Kartikeya Dwivedi,
Network Development, sashiko, sashiko-reviews, Song Liu,
syzkaller-bugs, Yonghong Song
On Wed, Jul 1, 2026 at 9:35 PM Edward Adam Davis <eadavis@qq.com> wrote:
>
> On Wed, 1 Jul 2026 12:57:52 -0700, Andrii Nakryiko wrote:
> > > bpf_mem_cache_free_rcu() maybe called in preemptible context, this
> > > will trigger the below warning message:
> > >
> > > BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
> > > caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
> > > Call Trace:
> > > check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
> > > bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
> > > rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
> > > __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
> > > bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
> > > __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1
> > >
> > > this_cpu_ptr() requires the caller to prevent task migration.
> > > These helpers currently do not enforce that requirement and may
> > > be invoked from preemptible contexts, leading to accesses to another
> > > CPU's per-CPU cache after migration. Use get_cpu_ptr()/put_cpu_ptr()
> > > to pin the task while accessing the per-CPU allocator state.
> > >
> > > Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
> > > Fixes: 7c8199e24fa0 ("bpf: Introduce any context BPF specific memory allocator.")
> > > Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
> > > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > > ---
> >
> > from what I can see, bpf_mem_free() is called through bpf kfuncs only,
> > and all BPF programs run with migration disabled. So this seems like a
> > false positive. For per-cpu checking, it should probably check that
> > either preemption is disabled or migration is disabled. tl;dr, there
> > doesn't seem to be any
> Today, I researched the call sites of bpf_mem_free() in detail; it is
> called directly by bpf kfuns only.
>
> Different BPF program types execute in distinct kernel contexts: for
> instance, XDP and TC typically run in non-sleepable networking contexts,
> whereas `raw_tp`, `tracing`, `LSM`, `syscall` and especially sleepable
> BPF programs may run in contexts where preemption and migration are
> enabled. Consequently, any shared BPF code (such as a helper or kfunc)
> that accesses per-CPU data must not rely on the caller having disabled
> migration; instead, it must internally ensure that CPU migration does
> not occur during the access.
>
> Taking into account the CI reviewer's feedback [1] and my further
> investigation into BPF programs as described above, the adjustments
> related to bpf_mem_free() should be retained.
>
> [1]
> https://lore.kernel.org/all/20260630094823.897BD1F00A3D@smtp.kernel.org
> >
> > pw-bot: cr
> >
> > > v1 -> v2: using guard against preemption
> > > v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation()
> > > v3 -> v4: disable preempt to make this_cpu_ptr() work
> > > v4 -> v5: in mem free disable preemption
> > >
> >
> > maybe throttle your patch resubmission spree a bit?..
> My earlier actions were driven by a desire to keep pace with the CI
> reviewer's response speed.
> Moving forward, I will slow down the cadence of new patch submissions,
> as you suggested.
Don't bother. You don't sound like a human.
Bots are not welcomed here.
^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2026-07-02 5:41 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 6:20 [syzbot] [bpf?] BUG: using smp_processor_id() in preemptible code in bpf_mem_cache_free_rcu syzbot
2026-06-30 8:41 ` [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels Edward Adam Davis
2026-06-30 8:49 ` sashiko-bot
2026-06-30 9:11 ` [PATCH v2] " Edward Adam Davis
2026-06-30 9:48 ` sashiko-bot
2026-06-30 11:14 ` Edward Adam Davis
2026-06-30 12:25 ` Jiayuan Chen
2026-06-30 12:46 ` Edward Adam Davis
2026-06-30 13:09 ` [PATCH v3] " Edward Adam Davis
2026-06-30 13:22 ` sashiko-bot
2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis
2026-06-30 14:29 ` sashiko-bot
2026-06-30 14:46 ` bot+bpf-ci
2026-07-01 0:27 ` [PATCH v5] " Edward Adam Davis
2026-07-01 19:57 ` Andrii Nakryiko
2026-07-02 4:34 ` Edward Adam Davis
2026-07-02 5:40 ` Alexei Starovoitov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox