* [syzbot] [bpf?] BUG: using smp_processor_id() in preemptible code in bpf_mem_cache_free_rcu @ 2026-06-30 6:20 syzbot 2026-06-30 8:41 ` [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels Edward Adam Davis 0 siblings, 1 reply; 17+ messages in thread From: syzbot @ 2026-06-30 6:20 UTC (permalink / raw) To: andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song Hello, syzbot found the following issue on: HEAD commit: e771677c937d Merge tag 'for-linus-iommufd' of git://git.ke.. git tree: bpf console output: https://syzkaller.appspot.com/x/log.txt?x=144f8aae580000 kernel config: https://syzkaller.appspot.com/x/.config?x=1ce9592ed82f8125 dashboard link: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=124c12ae580000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13b89986580000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/5c69b301ec25/disk-e771677c.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/8267811b5065/vmlinux-e771677c.xz kernel image: https://storage.googleapis.com/syzbot-assets/bcc54586e6c4/bzImage-e771677c.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 CPU: 1 UID: 0 PID: 5820 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 __do_sys_bpf kernel/bpf/syscall.c:6537 [inline] __se_sys_bpf kernel/bpf/syscall.c:6534 [inline] __x64_sys_bpf+0xba/0xd0 kernel/bpf/syscall.c:6534 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fce2819ce59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcea2ad4b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007fce28415fa0 RCX: 00007fce2819ce59 RDX: 0000000000000038 RSI: 00002000000018c0 RDI: 0000000000000019 RBP: 00007fce28232d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fce28415fac R14: 00007fce28415fa0 R15: 00007fce28415fa0 </TASK> --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup ^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 6:20 [syzbot] [bpf?] BUG: using smp_processor_id() in preemptible code in bpf_mem_cache_free_rcu syzbot @ 2026-06-30 8:41 ` Edward Adam Davis 2026-06-30 8:49 ` sashiko-bot 0 siblings, 1 reply; 17+ messages in thread From: Edward Adam Davis @ 2026-06-30 8:41 UTC (permalink / raw) To: syzbot+fd7e415d891073b83e1f Cc: andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song bpf_mem_cache_free_rcu() maybe called in preemptible context, this will trigger the below warning message: BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 Call Trace: check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 this_cpu_ptr() calls smp_processor_id() in a preemptible context. Fix by using per_cpu_ptr() with raw_smp_processor_id() instead. Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- kernel/bpf/memalloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c index bd45dda9dc35..151d9c8183bc 100644 --- a/kernel/bpf/memalloc.c +++ b/kernel/bpf/memalloc.c @@ -957,7 +957,7 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr) if (!ptr) return; - unit_free_rcu(this_cpu_ptr(ma->cache), ptr); + unit_free_rcu(per_cpu_ptr(ma->cache, raw_smp_processor_id()), ptr); } /* Directly does a kfree() without putting 'ptr' back to the free_llist -- 2.43.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 8:41 ` [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels Edward Adam Davis @ 2026-06-30 8:49 ` sashiko-bot 2026-06-30 9:11 ` [PATCH v2] " Edward Adam Davis 0 siblings, 1 reply; 17+ messages in thread From: sashiko-bot @ 2026-06-30 8:49 UTC (permalink / raw) To: Edward Adam Davis; +Cc: bpf Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider: Pre-existing issues: - [High] Silencing a preemption warning with `raw_smp_processor_id()` leaves a severe cross-CPU task migration hazard intact, leading to lockless list corruption in the BPF memory allocator. -- commit b3d3adf96792401d9a691908ba210c6315bac1bb Author: Edward Adam Davis <eadavis@qq.com> bpf: Fix smp_processor_id() call trace for preemptible kernels This patch attempts to resolve a preemption warning in bpf_mem_cache_free_rcu() by replacing this_cpu_ptr() with per_cpu_ptr() and raw_smp_processor_id(). Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f > diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c > index e9662db7198fe..f2b7828e6ac7c 100644 > --- a/kernel/bpf/memalloc.c > +++ b/kernel/bpf/memalloc.c > @@ -951,7 +951,7 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr) > if (!ptr) > return; > > - unit_free_rcu(this_cpu_ptr(ma->cache), ptr); > + unit_free_rcu(per_cpu_ptr(ma->cache, raw_smp_processor_id()), ptr); [Severity: High] This is a pre-existing issue with bpf_mem_cache_free_rcu() being called in a preemptible context, but does silencing the warning with raw_smp_processor_id() leave the underlying cross-CPU task migration hazard intact? If a task evaluates raw_smp_processor_id(), gets preempted, and then migrates to another CPU, unit_free_rcu() will execute on the new CPU while still operating on the original CPU's cache. Since unit_free_rcu() only disables local interrupts for the current CPU, the original CPU can concurrently modify its own cache. This could lead to data races on the local_t active counter and concurrent execution of the non-atomic __llist_add() operation, as seen here: kernel/bpf/memalloc.c:unit_free_rcu() { ... local_irq_save(flags); if (local_inc_return(&c->active) == 1) { if (__llist_add(llnode, &c->free_by_rcu)) ... } Could this concurrent access corrupt the lockless lists? > } > > /* Directly does a kfree() without putting 'ptr' back to the free_llist -- Sashiko AI review · https://sashiko.dev/#/patchset/tencent_C4C3064909A16EDCAEDB0C8767D886D01206@qq.com?part=1 ^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 8:49 ` sashiko-bot @ 2026-06-30 9:11 ` Edward Adam Davis 2026-06-30 9:48 ` sashiko-bot 0 siblings, 1 reply; 17+ messages in thread From: Edward Adam Davis @ 2026-06-30 9:11 UTC (permalink / raw) To: sashiko-bot Cc: andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song bpf_mem_cache_free_rcu() maybe called in preemptible context, this will trigger the below warning message: BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 Call Trace: check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 this_cpu_ptr() access needs to be guarded against preemption. Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- v1 -> v2: using guard against preemption kernel/bpf/memalloc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c index bd45dda9dc35..1d7ddfc1c9d1 100644 --- a/kernel/bpf/memalloc.c +++ b/kernel/bpf/memalloc.c @@ -957,7 +957,9 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr) if (!ptr) return; + get_cpu(); unit_free_rcu(this_cpu_ptr(ma->cache), ptr); + put_cpu(); } /* Directly does a kfree() without putting 'ptr' back to the free_llist -- 2.43.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 9:11 ` [PATCH v2] " Edward Adam Davis @ 2026-06-30 9:48 ` sashiko-bot 2026-06-30 11:14 ` Edward Adam Davis 0 siblings, 1 reply; 17+ messages in thread From: sashiko-bot @ 2026-06-30 9:48 UTC (permalink / raw) To: Edward Adam Davis; +Cc: bpf Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider: - [High] The patch addresses the syzbot warning at the wrong layer by adding `get_cpu()`/`put_cpu()` inside the BPF memory allocator. This masks the caller's missing migration protection while leaving sibling allocator APIs vulnerable to the exact same crash. -- commit 231004c76441ce47022b6f1dabd04453961dcac4 Author: Edward Adam Davis <eadavis@qq.com> bpf: Fix smp_processor_id() call trace for preemptible kernels This patch wraps unit_free_rcu() with get_cpu() and put_cpu() in bpf_mem_cache_free_rcu() to avoid a preemption warning. Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f > diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c > index e9662db7198fe..8f91f2b3848ff 100644 > --- a/kernel/bpf/memalloc.c > +++ b/kernel/bpf/memalloc.c > @@ -951,7 +951,9 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr) > if (!ptr) > return; > [Severity: High] Does this fix the issue at the right layer? By adding the preemption protection here, it masks the fact that the caller is running with migration enabled, which leaves sibling APIs vulnerable. For example, in __rhtab_map_lookup_and_delete_batch() in kernel/bpf/hashtab.c, the batch loop iterates and calls rhtab_delete_elem() without disabling migration. If the map elements contain special fields (like BPF_KPTR), rhtab_delete_elem() will first call rhtab_check_and_free_fields(), which eventually calls bpf_mem_free(). Since bpf_mem_free() also uses this_cpu_ptr() without get_cpu() protection: kernel/bpf/memalloc.c:bpf_mem_free() { ... unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr); ... } Will this result in the exact same BUG being triggered on that path? Should the missing migration protection be added to __rhtab_map_lookup_and_delete_batch() instead of modifying the allocator here? > + get_cpu(); > unit_free_rcu(this_cpu_ptr(ma->cache), ptr); > + put_cpu(); > } -- Sashiko AI review · https://sashiko.dev/#/patchset/tencent_45066D89AD6EF9AED34CA567FA46CA52C606@qq.com?part=1 ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 9:48 ` sashiko-bot @ 2026-06-30 11:14 ` Edward Adam Davis 2026-06-30 12:25 ` Jiayuan Chen 0 siblings, 1 reply; 17+ messages in thread From: Edward Adam Davis @ 2026-06-30 11:14 UTC (permalink / raw) To: sashiko-bot; +Cc: bpf, eadavis, sashiko-reviews On Tue, 30 Jun 2026 09:48:23 +0000, Sashiko wrote: > [Severity: High] > Does this fix the issue at the right layer? By adding the preemption > protection here, it masks the fact that the caller is running with migration > enabled, which leaves sibling APIs vulnerable. > > For example, in __rhtab_map_lookup_and_delete_batch() in > kernel/bpf/hashtab.c, the batch loop iterates and calls rhtab_delete_elem() > without disabling migration. > > If the map elements contain special fields (like BPF_KPTR), > rhtab_delete_elem() will first call rhtab_check_and_free_fields(), which > eventually calls bpf_mem_free(). > > Since bpf_mem_free() also uses this_cpu_ptr() without get_cpu() protection: > > kernel/bpf/memalloc.c:bpf_mem_free() { > ... > unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr); > ... > } > > Will this result in the exact same BUG being triggered on that path? Should > the missing migration protection be added to > __rhtab_map_lookup_and_delete_batch() instead of modifying the allocator > here? Like this? diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 9f394e1aa2e8..7b98c2eea685 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, } if (do_delete) { + get_cpu(); for (i = 0; i < total; i++) rhtab_delete_elem(rhtab, del_elems[i], NULL, 0); + put_cpu(); } rcu_read_unlock(); ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 11:14 ` Edward Adam Davis @ 2026-06-30 12:25 ` Jiayuan Chen 2026-06-30 12:46 ` Edward Adam Davis 0 siblings, 1 reply; 17+ messages in thread From: Jiayuan Chen @ 2026-06-30 12:25 UTC (permalink / raw) To: Edward Adam Davis, sashiko-bot; +Cc: bpf, sashiko-reviews On 6/30/26 7:14 PM, Edward Adam Davis wrote: > On Tue, 30 Jun 2026 09:48:23 +0000, Sashiko wrote: >> [Severity: High] >> Does this fix the issue at the right layer? By adding the preemption >> protection here, it masks the fact that the caller is running with migration >> enabled, which leaves sibling APIs vulnerable. >> >> For example, in __rhtab_map_lookup_and_delete_batch() in >> kernel/bpf/hashtab.c, the batch loop iterates and calls rhtab_delete_elem() >> without disabling migration. >> >> If the map elements contain special fields (like BPF_KPTR), >> rhtab_delete_elem() will first call rhtab_check_and_free_fields(), which >> eventually calls bpf_mem_free(). >> >> Since bpf_mem_free() also uses this_cpu_ptr() without get_cpu() protection: >> >> kernel/bpf/memalloc.c:bpf_mem_free() { >> ... >> unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr); >> ... >> } >> >> Will this result in the exact same BUG being triggered on that path? Should >> the missing migration protection be added to >> __rhtab_map_lookup_and_delete_batch() instead of modifying the allocator >> here? > Like this? > > diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c > index 9f394e1aa2e8..7b98c2eea685 100644 > --- a/kernel/bpf/hashtab.c > +++ b/kernel/bpf/hashtab.c > @@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, > } > > if (do_delete) { > + get_cpu(); > for (i = 0; i < total; i++) > rhtab_delete_elem(rhtab, del_elems[i], NULL, 0); > + put_cpu(); > } > > rcu_read_unlock(); This splat is specific to rhash... For HASH/PERCPU_HASH/..., most operations are performed under bpf_disable_instrumentation(); see __htab_map_lookup_and_delete_batch(). But for rhash, bpf_mem_cache_free_rcu() is called outside the bpf_disable_instrumentation() region; see __rhtab_map_lookup_and_delete_batch(). note: map_lookup_and_delete_batch() disable cpu migration ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v2] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 12:25 ` Jiayuan Chen @ 2026-06-30 12:46 ` Edward Adam Davis 2026-06-30 13:09 ` [PATCH v3] " Edward Adam Davis 0 siblings, 1 reply; 17+ messages in thread From: Edward Adam Davis @ 2026-06-30 12:46 UTC (permalink / raw) To: jiayuan.chen; +Cc: bpf, eadavis, sashiko-bot, sashiko-reviews On Tue, 30 Jun 2026 20:25:30 +0800, Jiayuan Chen wrote: >On 6/30/26 7:14 PM, Edward Adam Davis wrote: >> On Tue, 30 Jun 2026 09:48:23 +0000, Sashiko wrote: >>> [Severity: High] >>> Does this fix the issue at the right layer? By adding the preemption >>> protection here, it masks the fact that the caller is running with migration >>> enabled, which leaves sibling APIs vulnerable. >>> >>> For example, in __rhtab_map_lookup_and_delete_batch() in >>> kernel/bpf/hashtab.c, the batch loop iterates and calls rhtab_delete_elem() >>> without disabling migration. >>> >>> If the map elements contain special fields (like BPF_KPTR), >>> rhtab_delete_elem() will first call rhtab_check_and_free_fields(), which >>> eventually calls bpf_mem_free(). >>> >>> Since bpf_mem_free() also uses this_cpu_ptr() without get_cpu() protection: >>> >>> kernel/bpf/memalloc.c:bpf_mem_free() { >>> ... >>> unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr); >>> ... >>> } >>> >>> Will this result in the exact same BUG being triggered on that path? Should >>> the missing migration protection be added to >>> __rhtab_map_lookup_and_delete_batch() instead of modifying the allocator >>> here? >> Like this? >> >> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c >> index 9f394e1aa2e8..7b98c2eea685 100644 >> --- a/kernel/bpf/hashtab.c >> +++ b/kernel/bpf/hashtab.c >> @@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, >> } >> >> if (do_delete) { >> + get_cpu(); >> for (i = 0; i < total; i++) >> rhtab_delete_elem(rhtab, del_elems[i], NULL, 0); >> + put_cpu(); >> } >> >> rcu_read_unlock(); > > >This splat is specific to rhash... > >For HASH/PERCPU_HASH/..., most operations are performed under >bpf_disable_instrumentation(); see __htab_map_lookup_and_delete_batch(). > >But for rhash, bpf_mem_cache_free_rcu() is called outside the >bpf_disable_instrumentation() region; see >__rhtab_map_lookup_and_delete_batch(). Let's use bpf_disable/enable_instrumentation() consistently to protect __rhtab_map_lookup_and_delete_batch(). diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 9f394e1aa2e8..d3f2f8a379e8 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -3299,6 +3299,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, dst_val = values; total = 0; + bpf_disable_instrumentation(); rcu_read_lock(); /* @@ -3313,6 +3314,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, elem = rhtab_lookup_elem(map, cursor); if (!elem) { rcu_read_unlock(); + bpf_enable_instrumentation(); ret = -EAGAIN; goto free; } @@ -3350,6 +3352,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, } rcu_read_unlock(); + bpf_enable_instrumentation(); if (total == 0) { ret = -ENOENT; ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH v3] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 12:46 ` Edward Adam Davis @ 2026-06-30 13:09 ` Edward Adam Davis 2026-06-30 13:22 ` sashiko-bot 0 siblings, 1 reply; 17+ messages in thread From: Edward Adam Davis @ 2026-06-30 13:09 UTC (permalink / raw) To: eadavis Cc: jiayuan.chen, sashiko-bot, sashiko-reviews, andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song bpf_mem_cache_free_rcu() maybe called in preemptible context, this will trigger the below warning message: BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 Call Trace: check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 this_cpu_ptr() access needs to be guarded against preemption. Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- v1 -> v2: using guard against preemption v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation() kernel/bpf/hashtab.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 9f394e1aa2e8..d3f2f8a379e8 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -3299,6 +3299,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, dst_val = values; total = 0; + bpf_disable_instrumentation(); rcu_read_lock(); /* @@ -3313,6 +3314,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, elem = rhtab_lookup_elem(map, cursor); if (!elem) { rcu_read_unlock(); + bpf_enable_instrumentation(); ret = -EAGAIN; goto free; } @@ -3350,6 +3352,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, } rcu_read_unlock(); + bpf_enable_instrumentation(); if (total == 0) { ret = -ENOENT; -- 2.43.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v3] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 13:09 ` [PATCH v3] " Edward Adam Davis @ 2026-06-30 13:22 ` sashiko-bot 2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis 2026-07-01 0:27 ` [PATCH v5] " Edward Adam Davis 0 siblings, 2 replies; 17+ messages in thread From: sashiko-bot @ 2026-06-30 13:22 UTC (permalink / raw) To: Edward Adam Davis; +Cc: bpf Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider: - [High] Wrapping the entire batch operation in `bpf_disable_instrumentation()` elevates `bpf_prog_active` for an unbounded duration, leaking the state across preemption and blinding BPF tracing globally on the CPU. -- commit 121a3f2517b4814c567c049b787ed0317746073a Author: Edward Adam Davis <eadavis@qq.com> bpf: Fix smp_processor_id() call trace for preemptible kernels This commit addresses an smp_processor_id() warning in preemptible context by wrapping the batch loop with bpf_disable_instrumentation() and bpf_enable_instrumentation(). Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f > diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c > index 9f394e1aa2e85..d3f2f8a379e86 100644 > --- a/kernel/bpf/hashtab.c > +++ b/kernel/bpf/hashtab.c > @@ -3299,6 +3299,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, > dst_val = values; > total = 0; > > + bpf_disable_instrumentation(); > rcu_read_lock(); [Severity: High] Does wrapping this batch operation in bpf_disable_instrumentation() risk blinding BPF tracing globally on the CPU if preemption occurs? bpf_disable_instrumentation() increments the per-CPU bpf_prog_active counter. Because migrate_disable() and rcu_read_lock() do not disable preemption under CONFIG_PREEMPT_RCU, the task can be preempted during this potentially long loop. If preempted, bpf_prog_active would remain elevated on that CPU, which could cause subsequent tasks scheduled on the same CPU to silently drop BPF tracing events (kprobes, tracepoints, perf). -- Sashiko AI review · https://sashiko.dev/#/patchset/tencent_4F9E5F1B854B1D1BB42574BA76BB5133BF08@qq.com?part=1 ^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v4] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 13:22 ` sashiko-bot @ 2026-06-30 14:11 ` Edward Adam Davis 2026-06-30 14:29 ` sashiko-bot 2026-06-30 14:46 ` bot+bpf-ci 2026-07-01 0:27 ` [PATCH v5] " Edward Adam Davis 1 sibling, 2 replies; 17+ messages in thread From: Edward Adam Davis @ 2026-06-30 14:11 UTC (permalink / raw) To: sashiko-bot Cc: eadavis, jiayuan.chen, sashiko-reviews, andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song bpf_mem_cache_free_rcu() maybe called in preemptible context, this will trigger the below warning message: BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 Call Trace: check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 this_cpu_ptr() access needs to be guarded against migration. Wrapping this batch operation in bpf_disable_instrumentation() risk blinding BPF tracing globally on the CPU if preemption occurs. bpf_disable_instrumentation() increments the per-CPU bpf_prog_active counter. Because migrate_disable() and rcu_read_lock() do not disable preemption under CONFIG_PREEMPT_RCU, the task can be preempted during this potentially long loop. If preempted, bpf_prog_active would remain elevated on that CPU, which could cause subsequent tasks scheduled on the same CPU to silently drop BPF tracing events (kprobes, tracepoints, perf). Therefore, we fix this by disabling preemption rather than prohibiting migration. Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- v1 -> v2: using guard against preemption v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation() v3 -> v4: disable preempt to make this_cpu_ptr() work kernel/bpf/hashtab.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 9f394e1aa2e8..7b98c2eea685 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, } if (do_delete) { + get_cpu(); for (i = 0; i < total; i++) rhtab_delete_elem(rhtab, del_elems[i], NULL, 0); + put_cpu(); } rcu_read_unlock(); -- 2.43.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v4] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis @ 2026-06-30 14:29 ` sashiko-bot 2026-06-30 14:46 ` bot+bpf-ci 1 sibling, 0 replies; 17+ messages in thread From: sashiko-bot @ 2026-06-30 14:29 UTC (permalink / raw) To: Edward Adam Davis; +Cc: bpf Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider: New issues: - [High] Unbounded preempt-disabled loop causes severe scheduling latency and soft lockups. Pre-existing issues: - [High] Synchronous freeing of map element fields upon deletion violates RCU reader guarantees, causing Use-After-Free. -- commit 366a895a5502b13454a28525375f08655dba66d2 Author: Edward Adam Davis <eadavis@qq.com> bpf: Fix smp_processor_id() call trace for preemptible kernels This commit attempts to fix a preemption warning in bpf_mem_cache_free_rcu() by wrapping the batch deletion loop in get_cpu() and put_cpu(). This disables preemption rather than prohibiting migration. Link: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f > diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c > index 9f394e1aa2e85..7b98c2eea6859 100644 > --- a/kernel/bpf/hashtab.c > +++ b/kernel/bpf/hashtab.c > @@ -3345,8 +3345,10 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, > } > > if (do_delete) { > + get_cpu(); > for (i = 0; i < total; i++) > rhtab_delete_elem(rhtab, del_elems[i], NULL, 0); [Severity: High] Will this unbounded loop with preemption disabled cause soft lockups? The user-space process provides the count parameter which determines the size of the total variable. Wrapping this potentially massive loop inside get_cpu() and put_cpu() completely disables preemption for the entire duration of the deletion loop. Can this lead to severe CPU latency spikes and system unresponsiveness, especially on real-time and preemptible kernels? [Severity: High] This is a pre-existing issue, but does calling rhtab_delete_elem() here violate RCU reader guarantees? Looking at rhtab_delete_elem() in kernel/bpf/hashtab.c, it synchronously frees the element's special fields: kernel/bpf/hashtab.c:rhtab_delete_elem() { ... /* Release internal structs: kptr, bpf_timer, task_work, wq */ rhtab_check_and_free_fields(rhtab, elem); bpf_mem_cache_free_rcu(&rhtab->ma, elem); return 0; } Since rhtab_check_and_free_fields() immediately calls bpf_obj_free_fields(), this destroys fields (like kptr) before the RCU grace period elapses. Could concurrent RCU readers accessing the element during the grace period read freed pointers, resulting in a use-after-free? > + put_cpu(); > } > > rcu_read_unlock(); -- Sashiko AI review · https://sashiko.dev/#/patchset/tencent_5E4F8F8DADA5DE0DAD924ADD835DD7991707@qq.com?part=1 ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v4] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis 2026-06-30 14:29 ` sashiko-bot @ 2026-06-30 14:46 ` bot+bpf-ci 1 sibling, 0 replies; 17+ messages in thread From: bot+bpf-ci @ 2026-06-30 14:46 UTC (permalink / raw) To: eadavis, sashiko-bot Cc: eadavis, jiayuan.chen, sashiko-reviews, andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song, ast, andrii, daniel, martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai [-- Attachment #1: Type: text/plain, Size: 3946 bytes --] > bpf: Fix smp_processor_id() call trace for preemptible kernels > > bpf_mem_cache_free_rcu() maybe called in preemptible context, this > will trigger the below warning message: > > BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 > caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 > Call Trace: > check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 > bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 > rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 > __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 > bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 > __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 > > this_cpu_ptr() access needs to be guarded against migration. The commit message says "guarded against migration" but the fix actually disables preemption using get_cpu()/put_cpu(). Is this description accurate? get_cpu() does preempt_disable() + __smp_processor_id(), not just migrate_disable(). The later sentence "disabling preemption rather than prohibiting migration" correctly describes the fix, but this earlier line understates the requirement. > Wrapping this batch operation in bpf_disable_instrumentation() risk > blinding BPF tracing globally on the CPU if preemption occurs. > > bpf_disable_instrumentation() increments the per-CPU bpf_prog_active counter. > Because migrate_disable() and rcu_read_lock() do not disable preemption under > CONFIG_PREEMPT_RCU, the task can be preempted during this potentially long > loop. > > If preempted, bpf_prog_active would remain elevated on that CPU, which could > cause subsequent tasks scheduled on the same CPU to silently drop BPF tracing > events (kprobes, tracepoints, perf). The reasoning about bpf_disable_instrumentation() is sound, but could the commit message clarify that rhtab_delete_elem() already calls bpf_disable_instrumentation() internally? Looking at rhtab_delete_elem(): kernel/bpf/hashtab.c:rhtab_delete_elem() { ... bpf_disable_instrumentation(); ret = rhashtable_remove_fast(&rhtab->table, &elem->htab_node, rhtab->rhtable_params); bpf_enable_instrumentation(); ... } This means the same "blinding BPF tracing" window already exists in the per-element path. The argument is against a longer-held instrumentation disable across the entire loop, not a categorical concern. > Therefore, we fix this by disabling preemption rather than prohibiting > migration. > > Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") Should the Fixes tag point to a different commit? The bug occurs when __rhtab_map_lookup_and_delete_batch() calls rhtab_delete_elem() which calls bpf_mem_cache_free_rcu() in preemptible context. Commit 5af6807bdb10 introduced bpf_mem_free_rcu() in 2023 but did not modify kernel/bpf/hashtab.c or introduce the rhtab code. The call chain was introduced by: Fixes: 6905f8601298 ("bpf: Allow special fields in resizable hashtab") which added the rhtab implementation including __rhtab_map_lookup_and_delete_batch() and the call to bpf_mem_cache_free_rcu() in rhtab_delete_elem(). > Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f > Signed-off-by: Edward Adam Davis <eadavis@qq.com> [ ... ] > diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c > --- a/kernel/bpf/hashtab.c > +++ b/kernel/bpf/hashtab.c > @@ -3345,8 +3345,10 @@ > } > > if (do_delete) { > + get_cpu(); > for (i = 0; i < total; i++) > rhtab_delete_elem(rhtab, del_elems[i], NULL, 0); > + put_cpu(); > } > > rcu_read_unlock(); --- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md CI run summary: https://github.com/kernel-patches/bpf/actions/runs/28451219226 ^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v5] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-06-30 13:22 ` sashiko-bot 2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis @ 2026-07-01 0:27 ` Edward Adam Davis 2026-07-01 19:57 ` Andrii Nakryiko 1 sibling, 1 reply; 17+ messages in thread From: Edward Adam Davis @ 2026-07-01 0:27 UTC (permalink / raw) To: sashiko-bot Cc: eadavis, jiayuan.chen, sashiko-reviews, andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song bpf_mem_cache_free_rcu() maybe called in preemptible context, this will trigger the below warning message: BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 Call Trace: check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 this_cpu_ptr() requires the caller to prevent task migration. These helpers currently do not enforce that requirement and may be invoked from preemptible contexts, leading to accesses to another CPU's per-CPU cache after migration. Use get_cpu_ptr()/put_cpu_ptr() to pin the task while accessing the per-CPU allocator state. Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") Fixes: 7c8199e24fa0 ("bpf: Introduce any context BPF specific memory allocator.") Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- v1 -> v2: using guard against preemption v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation() v3 -> v4: disable preempt to make this_cpu_ptr() work v4 -> v5: in mem free disable preemption kernel/bpf/memalloc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c index e9662db7198f..2118fe725ed4 100644 --- a/kernel/bpf/memalloc.c +++ b/kernel/bpf/memalloc.c @@ -911,7 +911,8 @@ void notrace bpf_mem_free(struct bpf_mem_alloc *ma, void *ptr) if (WARN_ON_ONCE(idx < 0)) return; - unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr); + unit_free(get_cpu_ptr(ma->caches)->cache + idx, ptr); + put_cpu_ptr(ma->caches); } void notrace bpf_mem_free_rcu(struct bpf_mem_alloc *ma, void *ptr) @@ -927,7 +928,8 @@ void notrace bpf_mem_free_rcu(struct bpf_mem_alloc *ma, void *ptr) if (WARN_ON_ONCE(idx < 0)) return; - unit_free_rcu(this_cpu_ptr(ma->caches)->cache + idx, ptr); + unit_free_rcu(get_cpu_ptr(ma->caches)->cache + idx, ptr); + put_cpu_ptr(ma->caches); } void notrace *bpf_mem_cache_alloc(struct bpf_mem_alloc *ma) @@ -951,7 +953,8 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr) if (!ptr) return; - unit_free_rcu(this_cpu_ptr(ma->cache), ptr); + unit_free_rcu(get_cpu_ptr(ma->cache), ptr); + put_cpu_ptr(ma->cache); } /* Directly does a kfree() without putting 'ptr' back to the free_llist -- 2.43.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH v5] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-07-01 0:27 ` [PATCH v5] " Edward Adam Davis @ 2026-07-01 19:57 ` Andrii Nakryiko 2026-07-02 4:34 ` Edward Adam Davis 0 siblings, 1 reply; 17+ messages in thread From: Andrii Nakryiko @ 2026-07-01 19:57 UTC (permalink / raw) To: Edward Adam Davis Cc: sashiko-bot, jiayuan.chen, sashiko-reviews, andrii, ast, bpf, daniel, eddyz87, emil, jolsa, linux-kernel, martin.lau, memxor, netdev, song, syzkaller-bugs, yonghong.song On Tue, Jun 30, 2026 at 5:27 PM Edward Adam Davis <eadavis@qq.com> wrote: > > bpf_mem_cache_free_rcu() maybe called in preemptible context, this > will trigger the below warning message: > > BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 > caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 > Call Trace: > check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 > bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 > rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 > __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 > bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 > __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 > > this_cpu_ptr() requires the caller to prevent task migration. > These helpers currently do not enforce that requirement and may > be invoked from preemptible contexts, leading to accesses to another > CPU's per-CPU cache after migration. Use get_cpu_ptr()/put_cpu_ptr() > to pin the task while accessing the per-CPU allocator state. > > Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") > Fixes: 7c8199e24fa0 ("bpf: Introduce any context BPF specific memory allocator.") > Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > --- from what I can see, bpf_mem_free() is called through bpf kfuncs only, and all BPF programs run with migration disabled. So this seems like a false positive. For per-cpu checking, it should probably check that either preemption is disabled or migration is disabled. tl;dr, there doesn't seem to be any pw-bot: cr > v1 -> v2: using guard against preemption > v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation() > v3 -> v4: disable preempt to make this_cpu_ptr() work > v4 -> v5: in mem free disable preemption > maybe throttle your patch resubmission spree a bit?.. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v5] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-07-01 19:57 ` Andrii Nakryiko @ 2026-07-02 4:34 ` Edward Adam Davis 2026-07-02 5:40 ` Alexei Starovoitov 0 siblings, 1 reply; 17+ messages in thread From: Edward Adam Davis @ 2026-07-02 4:34 UTC (permalink / raw) To: andrii.nakryiko Cc: andrii, ast, bpf, daniel, eadavis, eddyz87, emil, jiayuan.chen, jolsa, linux-kernel, martin.lau, memxor, netdev, sashiko-bot, sashiko-reviews, song, syzkaller-bugs, yonghong.song On Wed, 1 Jul 2026 12:57:52 -0700, Andrii Nakryiko wrote: > > bpf_mem_cache_free_rcu() maybe called in preemptible context, this > > will trigger the below warning message: > > > > BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 > > caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 > > Call Trace: > > check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 > > bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 > > rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 > > __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 > > bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 > > __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 > > > > this_cpu_ptr() requires the caller to prevent task migration. > > These helpers currently do not enforce that requirement and may > > be invoked from preemptible contexts, leading to accesses to another > > CPU's per-CPU cache after migration. Use get_cpu_ptr()/put_cpu_ptr() > > to pin the task while accessing the per-CPU allocator state. > > > > Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") > > Fixes: 7c8199e24fa0 ("bpf: Introduce any context BPF specific memory allocator.") > > Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com > > Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > --- > > from what I can see, bpf_mem_free() is called through bpf kfuncs only, > and all BPF programs run with migration disabled. So this seems like a > false positive. For per-cpu checking, it should probably check that > either preemption is disabled or migration is disabled. tl;dr, there > doesn't seem to be any Today, I researched the call sites of bpf_mem_free() in detail; it is called directly by bpf kfuns only. Different BPF program types execute in distinct kernel contexts: for instance, XDP and TC typically run in non-sleepable networking contexts, whereas `raw_tp`, `tracing`, `LSM`, `syscall` and especially sleepable BPF programs may run in contexts where preemption and migration are enabled. Consequently, any shared BPF code (such as a helper or kfunc) that accesses per-CPU data must not rely on the caller having disabled migration; instead, it must internally ensure that CPU migration does not occur during the access. Taking into account the CI reviewer's feedback [1] and my further investigation into BPF programs as described above, the adjustments related to bpf_mem_free() should be retained. [1] https://lore.kernel.org/all/20260630094823.897BD1F00A3D@smtp.kernel.org > > pw-bot: cr > > > v1 -> v2: using guard against preemption > > v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation() > > v3 -> v4: disable preempt to make this_cpu_ptr() work > > v4 -> v5: in mem free disable preemption > > > > maybe throttle your patch resubmission spree a bit?.. My earlier actions were driven by a desire to keep pace with the CI reviewer's response speed. Moving forward, I will slow down the cadence of new patch submissions, as you suggested. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v5] bpf: Fix smp_processor_id() call trace for preemptible kernels 2026-07-02 4:34 ` Edward Adam Davis @ 2026-07-02 5:40 ` Alexei Starovoitov 0 siblings, 0 replies; 17+ messages in thread From: Alexei Starovoitov @ 2026-07-02 5:40 UTC (permalink / raw) To: Edward Adam Davis Cc: Andrii Nakryiko, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eduard, Emil Tsalapatis, Jiayuan Chen, Jiri Olsa, LKML, Martin KaFai Lau, Kumar Kartikeya Dwivedi, Network Development, sashiko, sashiko-reviews, Song Liu, syzkaller-bugs, Yonghong Song On Wed, Jul 1, 2026 at 9:35 PM Edward Adam Davis <eadavis@qq.com> wrote: > > On Wed, 1 Jul 2026 12:57:52 -0700, Andrii Nakryiko wrote: > > > bpf_mem_cache_free_rcu() maybe called in preemptible context, this > > > will trigger the below warning message: > > > > > > BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 > > > caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 > > > Call Trace: > > > check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 > > > bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 > > > rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 > > > __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 > > > bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 > > > __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 > > > > > > this_cpu_ptr() requires the caller to prevent task migration. > > > These helpers currently do not enforce that requirement and may > > > be invoked from preemptible contexts, leading to accesses to another > > > CPU's per-CPU cache after migration. Use get_cpu_ptr()/put_cpu_ptr() > > > to pin the task while accessing the per-CPU allocator state. > > > > > > Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") > > > Fixes: 7c8199e24fa0 ("bpf: Introduce any context BPF specific memory allocator.") > > > Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com > > > Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f > > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > > --- > > > > from what I can see, bpf_mem_free() is called through bpf kfuncs only, > > and all BPF programs run with migration disabled. So this seems like a > > false positive. For per-cpu checking, it should probably check that > > either preemption is disabled or migration is disabled. tl;dr, there > > doesn't seem to be any > Today, I researched the call sites of bpf_mem_free() in detail; it is > called directly by bpf kfuns only. > > Different BPF program types execute in distinct kernel contexts: for > instance, XDP and TC typically run in non-sleepable networking contexts, > whereas `raw_tp`, `tracing`, `LSM`, `syscall` and especially sleepable > BPF programs may run in contexts where preemption and migration are > enabled. Consequently, any shared BPF code (such as a helper or kfunc) > that accesses per-CPU data must not rely on the caller having disabled > migration; instead, it must internally ensure that CPU migration does > not occur during the access. > > Taking into account the CI reviewer's feedback [1] and my further > investigation into BPF programs as described above, the adjustments > related to bpf_mem_free() should be retained. > > [1] > https://lore.kernel.org/all/20260630094823.897BD1F00A3D@smtp.kernel.org > > > > pw-bot: cr > > > > > v1 -> v2: using guard against preemption > > > v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation() > > > v3 -> v4: disable preempt to make this_cpu_ptr() work > > > v4 -> v5: in mem free disable preemption > > > > > > > maybe throttle your patch resubmission spree a bit?.. > My earlier actions were driven by a desire to keep pace with the CI > reviewer's response speed. > Moving forward, I will slow down the cadence of new patch submissions, > as you suggested. Don't bother. You don't sound like a human. Bots are not welcomed here. ^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2026-07-02 5:41 UTC | newest] Thread overview: 17+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-30 6:20 [syzbot] [bpf?] BUG: using smp_processor_id() in preemptible code in bpf_mem_cache_free_rcu syzbot 2026-06-30 8:41 ` [PATCH] bpf: Fix smp_processor_id() call trace for preemptible kernels Edward Adam Davis 2026-06-30 8:49 ` sashiko-bot 2026-06-30 9:11 ` [PATCH v2] " Edward Adam Davis 2026-06-30 9:48 ` sashiko-bot 2026-06-30 11:14 ` Edward Adam Davis 2026-06-30 12:25 ` Jiayuan Chen 2026-06-30 12:46 ` Edward Adam Davis 2026-06-30 13:09 ` [PATCH v3] " Edward Adam Davis 2026-06-30 13:22 ` sashiko-bot 2026-06-30 14:11 ` [PATCH v4] " Edward Adam Davis 2026-06-30 14:29 ` sashiko-bot 2026-06-30 14:46 ` bot+bpf-ci 2026-07-01 0:27 ` [PATCH v5] " Edward Adam Davis 2026-07-01 19:57 ` Andrii Nakryiko 2026-07-02 4:34 ` Edward Adam Davis 2026-07-02 5:40 ` Alexei Starovoitov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox