From: sashiko-bot@kernel.org
To: "Edward Adam Davis" <eadavis@qq.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v4] bpf: Fix smp_processor_id() call trace for preemptible kernels
Date: Tue, 30 Jun 2026 14:29:07 +0000 [thread overview]
Message-ID: <20260630142907.A9DB21F000E9@smtp.kernel.org> (raw)
In-Reply-To: <tencent_5E4F8F8DADA5DE0DAD924ADD835DD7991707@qq.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] Unbounded preempt-disabled loop causes severe scheduling latency and soft lockups.
Pre-existing issues:
- [High] Synchronous freeing of map element fields upon deletion violates RCU reader guarantees, causing Use-After-Free.
--
commit 366a895a5502b13454a28525375f08655dba66d2
Author: Edward Adam Davis <eadavis@qq.com>
bpf: Fix smp_processor_id() call trace for preemptible kernels
This commit attempts to fix a preemption warning in bpf_mem_cache_free_rcu()
by wrapping the batch deletion loop in get_cpu() and put_cpu(). This disables
preemption rather than prohibiting migration.
Link: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 9f394e1aa2e85..7b98c2eea6859 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map,
> }
>
> if (do_delete) {
> + get_cpu();
> for (i = 0; i < total; i++)
> rhtab_delete_elem(rhtab, del_elems[i], NULL, 0);
[Severity: High]
Will this unbounded loop with preemption disabled cause soft lockups?
The user-space process provides the count parameter which determines the size
of the total variable. Wrapping this potentially massive loop inside get_cpu()
and put_cpu() completely disables preemption for the entire duration of the
deletion loop.
Can this lead to severe CPU latency spikes and system unresponsiveness,
especially on real-time and preemptible kernels?
[Severity: High]
This is a pre-existing issue, but does calling rhtab_delete_elem() here
violate RCU reader guarantees?
Looking at rhtab_delete_elem() in kernel/bpf/hashtab.c, it synchronously
frees the element's special fields:
kernel/bpf/hashtab.c:rhtab_delete_elem() {
...
/* Release internal structs: kptr, bpf_timer, task_work, wq */
rhtab_check_and_free_fields(rhtab, elem);
bpf_mem_cache_free_rcu(&rhtab->ma, elem);
return 0;
}
Since rhtab_check_and_free_fields() immediately calls bpf_obj_free_fields(),
this destroys fields (like kptr) before the RCU grace period elapses.
Could concurrent RCU readers accessing the element during the grace period
read freed pointers, resulting in a use-after-free?
> + put_cpu();
> }
>
> rcu_read_unlock();
--
Sashiko AI review · https://sashiko.dev/#/patchset/tencent_5E4F8F8DADA5DE0DAD924ADD835DD7991707@qq.com?part=1
next prev parent reply other threads:[~2026-06-30 14:29 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 6:20 [syzbot] [bpf?] BUG: using smp_processor_id() in preemptible code in bpf_mem_cache_free_rcu syzbot
2026-06-30 8:41 ` [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels Edward Adam Davis
2026-06-30 8:49 ` sashiko-bot
2026-06-30 9:11 ` [PATCH v2] " Edward Adam Davis
2026-06-30 9:48 ` sashiko-bot
2026-06-30 11:14 ` Edward Adam Davis
2026-06-30 12:25 ` Jiayuan Chen
2026-06-30 12:46 ` Edward Adam Davis
2026-06-30 13:09 ` [PATCH v3] " Edward Adam Davis
2026-06-30 13:22 ` sashiko-bot
2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis
2026-06-30 14:29 ` sashiko-bot [this message]
2026-06-30 14:46 ` bot+bpf-ci
2026-07-01 0:27 ` [PATCH v5] " Edward Adam Davis
2026-07-01 19:57 ` Andrii Nakryiko
2026-07-02 4:34 ` Edward Adam Davis
2026-07-02 5:40 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630142907.A9DB21F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=eadavis@qq.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox