* [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
0 siblings, 19 replies; 37+ messages in thread
From: syzbot @ 2024-07-19 5:12 UTC (permalink / raw)
To: andrii, ast, bpf, daniel, davem, eddyz87, haoluo, hawk,
john.fastabend, jolsa, kpsingh, kuba, linux-kernel, martin.lau,
netdev, sdf, song, syzkaller-bugs, yonghong.song
Hello,
syzbot found the following issue on:
HEAD commit: 73399b58e5e5 Add linux-next specific files for 20240718
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=111f2195980000
kernel config: https://syzkaller.appspot.com/x/.config?x=54e443ddc2b981c8
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1602cf31980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=106fde5e980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fbab059c854f/disk-73399b58.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/874a209f4c3f/vmlinux-73399b58.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f34e5c7be278/bzImage-73399b58.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in ./kernel/bpf/devmap.c:385:28
index 16 is out of range for type 'struct xdp_frame *[16]'
CPU: 1 UID: 0 PID: 5101 Comm: syz-executor232 Not tainted 6.10.0-next-20240718-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
bq_xmit_all+0x157/0x11d0 kernel/bpf/devmap.c:385
__dev_flush+0x81/0x160 kernel/bpf/devmap.c:425
xdp_do_check_flushed+0x129/0x240 net/core/filter.c:4300
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
common_interrupt+0xaa/0xd0 arch/x86/kernel/irq.c:278
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xd8/0x140 kernel/locking/spinlock.c:194
Code: 9c 8f 44 24 20 42 80 3c 23 00 74 08 4c 89 f7 e8 ce cf 5c f6 f6 44 24 21 02 75 52 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> c3 69 c4 f5 65 8b 05 04 5f 65 74 85 c0 74 43 48 c7 04 24 0e 36
RSP: 0018:ffffc9000369fb60 EFLAGS: 00000206
RAX: 3e45100d05912800 RBX: 1ffff920006d3f70 RCX: ffffffff817023ea
RDX: dffffc0000000000 RSI: ffffffff8bcad5c0 RDI: 0000000000000001
RBP: ffffc9000369fbf0 R08: ffffffff9300f817 R09: 1ffffffff2601f02
R10: dffffc0000000000 R11: fffffbfff2601f03 R12: dffffc0000000000
R13: 1ffff920006d3f6c R14: ffffc9000369fb80 R15: 0000000000000246
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
do_notify_parent_cldstop+0x9ab/0xb50 kernel/signal.c:2216
ptrace_stop+0x465/0x940 kernel/signal.c:2319
ptrace_do_notify kernel/signal.c:2393 [inline]
ptrace_notify+0x255/0x380 kernel/signal.c:2405
ptrace_report_syscall include/linux/ptrace.h:415 [inline]
ptrace_report_syscall_entry include/linux/ptrace.h:452 [inline]
syscall_trace_enter+0x5d/0x150 kernel/entry/common.c:45
syscall_enter_from_user_mode_work include/linux/entry-common.h:168 [inline]
syscall_enter_from_user_mode include/linux/entry-common.h:198 [inline]
do_syscall_64+0xcc/0x230 arch/x86/entry/common.c:79
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f708ebe0e20
Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 80 3d 81 e2 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
RSP: 002b:00007ffd97b2a878 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000015 RCX: 00007f708ebe0e20
RDX: ffffffffffffffb8 RSI: 0000000020000240 RDI: 0000000000000014
RBP: 0000000000000000 R08: 00007ffd97b2a9a8 R09: 00007ffd97b2a9a8
R10: 00007ffd97b2a9a8 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ffd97b2a8b0 R15: 00007ffd97b2a8a0
</TASK>
---[ end trace ]---
----------------
Code disassembly (best guess):
0: 9c pushf
1: 8f 44 24 20 pop 0x20(%rsp)
5: 42 80 3c 23 00 cmpb $0x0,(%rbx,%r12,1)
a: 74 08 je 0x14
c: 4c 89 f7 mov %r14,%rdi
f: e8 ce cf 5c f6 call 0xf65ccfe2
14: f6 44 24 21 02 testb $0x2,0x21(%rsp)
19: 75 52 jne 0x6d
1b: 41 f7 c7 00 02 00 00 test $0x200,%r15d
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 c3 69 c4 f5 call 0xf5c469f2 <-- trapping instruction
2f: 65 8b 05 04 5f 65 74 mov %gs:0x74655f04(%rip),%eax # 0x74655f3a
36: 85 c0 test %eax,%eax
38: 74 43 je 0x7d
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: 04 24 add $0x24,%al
3e: 0e (bad)
3f: 36 ss
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 37+ messages in thread

* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: Jesper Dangaard Brouer @ 2024-07-19 8:11 UTC (permalink / raw)
To: syzbot, andrii, ast, bpf, daniel, davem, eddyz87, haoluo, john.fastabend, jolsa, kpsingh, kuba, linux-kernel, martin.lau, netdev, sdf, song, syzkaller-bugs, yonghong.song, Sebastian Andrzej Siewior

On 19/07/2024 07.12, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 73399b58e5e5 Add linux-next specific files for 20240718
> git tree: linux-next
[...]
> ------------[ cut here ]------------
> UBSAN: array-index-out-of-bounds in ./kernel/bpf/devmap.c:385:28
> index 16 is out of range for type 'struct xdp_frame *[16]'
> CPU: 1 UID: 0 PID: 5101 Comm: syz-executor232 Not tainted 6.10.0-next-20240718-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> ubsan_epilogue lib/ubsan.c:231 [inline]
> __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
> bq_xmit_all+0x157/0x11d0 kernel/bpf/devmap.c:385
> __dev_flush+0x81/0x160 kernel/bpf/devmap.c:425
> xdp_do_check_flushed+0x129/0x240 net/core/filter.c:4300

When xdp_do_check_flushed() calls __dev_flush(), this indicates that some
driver didn't call xdp_do_flush() after NAPI finished.

What NIC device driver is this tested on?

--Jesper

> __napi_poll+0xe4/0x490 net/core/dev.c:6774
> napi_poll net/core/dev.c:6840 [inline]
> net_rx_action+0x89b/0x1240 net/core/dev.c:6962
[...]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-20 9:15 UTC (permalink / raw)
To: andrii, ast, bigeasy, bpf, daniel, davem, eddyz87, edumazet, haoluo, hawk, jasowang, john.fastabend, jolsa, kpsingh, kuba, linux-kernel, martin.lau, netdev, pabeni, sdf, song, syzkaller-bugs, willemdebruijn.kernel, yonghong.song

syzbot has bisected this issue to:

commit fecef4cd42c689a200bdd39e6fffa71475904bc1
Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date:   Thu Jul 4 14:48:15 2024 +0000

    tun: Assign missing bpf_net_context.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12ddc995980000
start commit:   720261cfc732 Merge tag 'bcachefs-2024-07-18.2' of https://..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=11ddc995980000
console output: https://syzkaller.appspot.com/x/log.txt?x=16ddc995980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=93ca6cd6f392cb76
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1791eb49980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118cf7a5980000

Reported-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: [syzbot] Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
From: syzbot @ 2024-07-21 3:28 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3)
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 8:52 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 10:45 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 kernel/bpf/devmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 9e0e3b0a18e4..bca00badc0f8 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -465,7 +465,7 @@ static void bq_enqueue(struct net_device *dev, struct xdp_frame *xdpf,
          * Do the same with xdp_prog and flush_list since these fields
          * are only ever modified together.
          */
-        if (!bq->dev_rx) {
+        if (!bq->dev_rx && bq->count <= DEV_MAP_BULK_SIZE) {
                 struct list_head *flush_list = bpf_net_ctx_get_dev_flush_list();
 
                 bq->dev_rx = dev_rx;
--
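Review bot: the added `bq->count <= DEV_MAP_BULK_SIZE` test on the `if (!bq->dev_rx ...)` line only decides whether the queue gets registered on the flush list; when it is false the queue keeps its frames but never gets a dev_rx or a flush_node entry, so those frames are never flushed, and the comment two lines above (dev_rx, xdp_prog and flush_list "are only ever modified together") no longer holds. It also does not explain the report (index 16 for a 16-entry array), which shows bq->count already past the bound when bq_xmit_all runs, and the bisection points at a missing bpf_net_context in tun rather than at this enqueue path; a guard here hides the symptom. Suggest dropping the condition and looking at the context handling in the bisected commit instead.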
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 11:37 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 kernel/bpf/devmap.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 9e0e3b0a18e4..5e2ee97ad09f 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -378,7 +378,9 @@ static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags)
         int to_send = cnt;
         int i;
 
-        if (unlikely(!cnt))
+        printk(KERN_INFO "bq->count = %u\n",cnt);
+
+        if (unlikely(!cnt) || unlikely(cnt) > DEV_MAP_BULK_SIZE)
                 return;
 
         for (i = 0; i < cnt; i++) {
--
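Review bot: in the added `if (unlikely(!cnt) || unlikely(cnt) > DEV_MAP_BULK_SIZE)` the comparison sits outside unlikely(), so it compares the 0/1 result of `unlikely(cnt)` with DEV_MAP_BULK_SIZE and is never true; it has to be `unlikely(cnt > DEV_MAP_BULK_SIZE)`. Even with that fixed, the early `return` happens before the `for (i = 0; i < cnt; i++)` loop that sends the frames, so an over-full queue is left in place with its count untouched rather than drained or reported; a `WARN_ON_ONCE()` on the oversized count would at least make the corrupted state visible in the log.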
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 13:16 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 kernel/bpf/devmap.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 9e0e3b0a18e4..5e2ee97ad09f 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -378,7 +378,9 @@ static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags)
         int to_send = cnt;
         int i;
 
-        if (unlikely(!cnt))
+        printk(KERN_INFO "bq->count = %u\n",cnt);
+
+        if (unlikely(!cnt) || unlikely(cnt) > DEV_MAP_BULK_SIZE)
                 return;
 
         for (i = 0; i < cnt; i++) {
--
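Review bot: the unconditional `printk(KERN_INFO "bq->count = %u\n",cnt);` runs on every bq_xmit_all() call, which is the softirq flush path, so a test run will flood the console with one line per bulk flush and the interesting value (a count above DEV_MAP_BULK_SIZE) is buried; if the goal is to confirm the overflowed count, print only when `cnt > DEV_MAP_BULK_SIZE`, or use `WARN_ON_ONCE(cnt > DEV_MAP_BULK_SIZE)`, which also gives a backtrace. The hunk is otherwise identical to the 11:37 submission, including the `unlikely(cnt) > DEV_MAP_BULK_SIZE` precedence problem, so the bound check still never fires.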
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 13:29 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 kernel/bpf/cpumap.c | 2 +-
 kernel/bpf/devmap.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c
index fbdf5a1aabfe..8fccc311397c 100644
--- a/kernel/bpf/cpumap.c
+++ b/kernel/bpf/cpumap.c
@@ -676,7 +676,7 @@ static void bq_flush_to_queue(struct xdp_bulk_queue *bq)
         struct ptr_ring *q;
         int i;
 
-        if (unlikely(!bq->count))
+        if (unlikely(!bq->count) || unlikely(bq->count) > CPU_MAP_BULK_SIZE)
                 return;
 
         q = rcpu->queue;
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 9e0e3b0a18e4..4b9203deb711 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -378,7 +378,7 @@ static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags)
         int to_send = cnt;
         int i;
 
-        if (unlikely(!cnt))
+        if (unlikely(!cnt) || unlikely(cnt) > DEV_MAP_BULK_SIZE)
                 return;
 
         for (i = 0; i < cnt; i++) {
--
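Review bot: in the cpumap.c hunk, `unlikely(bq->count) > CPU_MAP_BULK_SIZE` compares the 0/1 value returned by unlikely() with the bulk size, so the new condition can never be true; it needs to be `unlikely(bq->count > CPU_MAP_BULK_SIZE)`. Returning silently also leaves an over-full queue unflushed with no diagnostic, and nothing in this thread shows the cpumap path overflowing, so the change looks speculative; if it stays, a `WARN_ON_ONCE()` would at least surface a bad count.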
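Review bot: the devmap.c hunk has the same precedence problem, `unlikely(cnt) > DEV_MAP_BULK_SIZE` is never true. Beyond that, by the time bq_xmit_all() sees a count above DEV_MAP_BULK_SIZE the writer side has already stored past the end of bq->q, which is exactly what the UBSAN report (index 16 for `struct xdp_frame *[16]`) shows, so a check on the reader cannot prevent the corruption. The earlier patch's context lines show that bq_enqueue() already flushes when `bq->count == DEV_MAP_BULK_SIZE`; the question to answer is why that flush did not happen, which the bisection ties to the tun bpf_net_context change.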
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 14:44 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 kernel/bpf/cpumap.c | 6 ++----
 kernel/bpf/devmap.c | 3 +--
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c
index 8fccc311397c..22e1c62fc0f4 100644
--- a/kernel/bpf/cpumap.c
+++ b/kernel/bpf/cpumap.c
@@ -708,6 +708,7 @@ static void bq_flush_to_queue(struct xdp_bulk_queue *bq)
 static void bq_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_frame *xdpf)
 {
         struct xdp_bulk_queue *bq = this_cpu_ptr(rcpu->bulkq);
+        struct list_head *flush_list = bpf_net_ctx_get_cpu_map_flush_list();
 
         if (unlikely(bq->count == CPU_MAP_BULK_SIZE))
                 bq_flush_to_queue(bq);
@@ -723,11 +724,8 @@ static void bq_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_frame *xdpf)
          */
         bq->q[bq->count++] = xdpf;
 
-        if (!bq->flush_node.prev) {
-                struct list_head *flush_list = bpf_net_ctx_get_cpu_map_flush_list();
-
+        if (!bq->flush_node.prev)
                 list_add(&bq->flush_node, flush_list);
-        }
 }
 
 int cpu_map_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_frame *xdpf,
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 4b9203deb711..dfde65014374 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -454,6 +454,7 @@ static void bq_enqueue(struct net_device *dev, struct xdp_frame *xdpf,
                        struct net_device *dev_rx, struct bpf_prog *xdp_prog)
 {
         struct xdp_dev_bulk_queue *bq = this_cpu_ptr(dev->xdp_bulkq);
+        struct list_head *flush_list = bpf_net_ctx_get_cpu_map_flush_list();
 
         if (unlikely(bq->count == DEV_MAP_BULK_SIZE))
                 bq_xmit_all(bq, 0);
@@ -466,8 +467,6 @@ static void bq_enqueue(struct net_device *dev, struct xdp_frame *xdpf,
          * are only ever modified together.
          */
         if (!bq->dev_rx) {
-                struct list_head *flush_list = bpf_net_ctx_get_dev_flush_list();
-
                 bq->dev_rx = dev_rx;
                 bq->xdp_prog = xdp_prog;
                 list_add(&bq->flush_node, flush_list);
--
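Review bot: in the first cpumap.c hunk (bq_enqueue, line 708), hoisting `bpf_net_ctx_get_cpu_map_flush_list()` into the declarations makes it run for every enqueued frame, whereas the removed lines in the second hunk only fetched the list when the queue was first registered (`!bq->flush_node.prev`). That is behaviour-neutral when the context is always present, but it adds a lookup to the per-frame path for no gain and does nothing about the missing context the bisection points at; if the intent is to catch a NULL context early, a `WARN_ON_ONCE()` on the returned list would say so explicitly.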
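Review bot: in the devmap.c hunk at line 454, the new declaration fetches `bpf_net_ctx_get_cpu_map_flush_list()`, but the line it replaces in the second devmap.c hunk was `bpf_net_ctx_get_dev_flush_list()`. With this change the device bulk queue's flush_node is linked onto the cpumap flush list, so __dev_flush() never finds it and whatever walks the cpumap list treats a `struct xdp_dev_bulk_queue` as a cpumap queue. The added line should read `struct list_head *flush_list = bpf_net_ctx_get_dev_flush_list();`.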
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 15:04 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f9fe37d9e16a6cfd5f4d1f536686ea71db3196f
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 15:13 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git d839a73179ae91c07f5f2f97ccb9c69b2b7c3306
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 15:47 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git upstream

---
 include/linux/filter.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index b6672ff61407..22691015d175 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -842,15 +842,15 @@ static inline void bpf_net_ctx_get_all_used_flush_lists(struct list_head **lh_ma
         if (!IS_ENABLED(CONFIG_BPF_SYSCALL))
                 return;
 
-        lh = &bpf_net_ctx->dev_map_flush_list;
+        lh = this_cpu_ptr(&bpf_net_ctx->dev_map_flush_list);
         if (kern_flags & BPF_RI_F_DEV_MAP_INIT && !list_empty(lh))
                 *lh_dev = lh;
 
-        lh = &bpf_net_ctx->cpu_map_flush_list;
+        lh = this_cpu_ptr(&bpf_net_ctx->cpu_map_flush_list);
         if (kern_flags & BPF_RI_F_CPU_MAP_INIT && !list_empty(lh))
                 *lh_map = lh;
 
-        lh = &bpf_net_ctx->xskmap_map_flush_list;
+        lh = this_cpu_ptr(&bpf_net_ctx->xskmap_map_flush_list);
         if (IS_ENABLED(CONFIG_XDP_SOCKETS) &&
             kern_flags & BPF_RI_F_XSK_MAP_INIT && !list_empty(lh))
                 *lh_xsk = lh;
--
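Review bot: the three `lh = this_cpu_ptr(&bpf_net_ctx->..._flush_list)` lines apply a per-cpu accessor to fields of an ordinary pointer. this_cpu_ptr() expects the address of a per-cpu variable and adds the current CPU's per-cpu offset to it; the removed lines show these lists are reached through `bpf_net_ctx->`, a normal struct pointer, so the result is the field address shifted by the per-cpu offset into unrelated memory, not a per-cpu copy of the list. The lists inside bpf_net_context are not per-cpu data, so these lines should be reverted to the plain `&bpf_net_ctx->...` form.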
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 16:35 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fd8db07705c55a995c42b1e71afc42faad675b0b
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 16:36 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 605c96997d89c01c11bbddb4db820ede570581c7
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 16:38 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-22 9:43 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3b2aef99221d395ce37efa426d7b50e7dcd621d6a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-22 9:43 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3b2aef99221d395ce37efa426d7b50e7dcd621d6
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-22 9:44 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fecef4cd42c689a200bdd39e6fffa71475904bc1
* Re: [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-22 9:48 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 605c96997d89c01c11bbddb4db820ede570581c7
[parent not found: <20240721032833.168011-1-aha310510@gmail.com>]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 4:48 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in bq_flush_to_queue

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 6250 Comm: syz.0.140 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:bq_flush_to_queue+0x44/0x610 kernel/bpf/cpumap.c:675
Code: df e8 b0 d8 d6 ff 49 8d 5e 50 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 d6 cd 39 00 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 1d 05 00 00 44 8b 65 00 4d 8d 6e 58 4c
RSP: 0018:ffffc90000007a80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88807e7fb910 RCX: ffff888020138000
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff88807e7fb8c0
RBP: 0000000000000000 R08: ffffffff895fbdfa R09: 1ffffffff1f5d135
R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: 0000000000000001
R13: ffffc900030277c0 R14: ffff88807e7fb8c0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2ca5ffff CR3: 0000000049242000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__cpu_map_flush+0x5d/0xd0 kernel/bpf/cpumap.c:767
xdp_do_check_flushed+0x136/0x240 net/core/filter.c:4304
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:unwind_next_frame+0x677/0x2a00 arch/x86/kernel/unwind_orc.c:495 Code: 24 08 48 c7 c0 6c 55 bb 8f 48 29 c3 48 c7 c1 a8 75 2c 90 48 c1 fb 02 4c 8d 3c 5b 4d 01 ff 49 01 cf 0f 84 82 00 00 00 49 89 ee <e8> f4 34 52 00 49 8d 6f 04 49 8d 5f 05 48 89 e8 48 c1 e8 03 42 0f RSP: 0018:ffffc900030272a8 EFLAGS: 00000286 RAX: ffffffff81410c9e RBX: 0000000000000000 RCX: ffffffff903ce67e RDX: 0000000000000000 RSI: ffffffff81eac064 RDI: ffffffff81eabf32 RBP: 1ffff92000604e70 R08: ffffffff81410c60 R09: ffffc90003027470 R10: 0000000000000003 R11: ffffffff817ee9a0 R12: ffffffff8fc64b50 R13: dffffc0000000000 R14: 1ffff92000604e70 R15: ffffffff903ce67e arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122 kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2235 [inline] slab_free mm/slub.c:4464 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4539 vma_lock_free kernel/fork.c:455 [inline] __vm_area_free+0xe0/0x110 kernel/fork.c:511 remove_vma mm/mmap.c:146 [inline] exit_mmap+0x645/0xc80 mm/mmap.c:3365 __mmput+0x115/0x380 kernel/fork.c:1343 exit_mm+0x220/0x310 kernel/exit.c:566 do_exit+0x9b2/0x27f0 kernel/exit.c:864 do_group_exit+0x207/0x2c0 
kernel/exit.c:1026 get_signal+0x16a1/0x1740 kernel/signal.c:2917 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f389ef75b59 Code: Unable to access opcode bytes at 0x7f389ef75b2f. RSP: 002b:00007f389fd440f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007f389f105f68 RCX: 00007f389ef75b59 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f389f105f68 RBP: 00007f389f105f60 R08: 00007f389fd446c0 R09: 00007f389fd446c0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f389f105f6c R13: 000000000000000b R14: 00007ffd4ff20a20 R15: 00007ffd4ff20b08 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:bq_flush_to_queue+0x44/0x610 kernel/bpf/cpumap.c:675 Code: df e8 b0 d8 d6 ff 49 8d 5e 50 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 d6 cd 39 00 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 1d 05 00 00 44 8b 65 00 4d 8d 6e 58 4c RSP: 0018:ffffc90000007a80 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88807e7fb910 RCX: ffff888020138000 RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff88807e7fb8c0 RBP: 0000000000000000 R08: ffffffff895fbdfa R09: 1ffffffff1f5d135 R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: 0000000000000001 R13: ffffc900030277c0 R14: ffff88807e7fb8c0 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2ca5ffff CR3: 0000000049242000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: e8 b0 d8 d6 ff          call   0xffd6d8b5
   5: 49 8d 5e 50             lea    0x50(%r14),%rbx
   9: 48 89 d8                mov    %rbx,%rax
   c: 48 c1 e8 03             shr    $0x3,%rax
  10: 42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
  15: 74 08                   je     0x1f
  17: 48 89 df                mov    %rbx,%rdi
  1a: e8 d6 cd 39 00          call   0x39cdf5
  1f: 48 8b 2b                mov    (%rbx),%rbp
  22: 48 89 e8                mov    %rbp,%rax
  25: 48 c1 e8 03             shr    $0x3,%rax
* 29: 42 0f b6 04 38          movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2e: 84 c0                   test   %al,%al
  30: 0f 85 1d 05 00 00       jne    0x553
  36: 44 8b 65 00             mov    0x0(%rbp),%r12d
  3a: 4d 8d 6e 58             lea    0x58(%r14),%r13
  3e: 4c                      rex.WR

Tested on:

commit:         2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16870195980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
[parent not found: <20240721085206.230835-1-aha310510@gmail.com>]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 9:26 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in __dev_flush

Oops: general protection fault, probably for non-canonical address 0xe3fffa2200be422b: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0x1ffff11005f21158-0x1ffff11005f2115f]
CPU: 1 PID: 6413 Comm: syz.0.240 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:__dev_flush+0x5b/0x160
Code: 48 89 ef e8 97 80 3a 00 48 8b 5d 00 48 39 eb 0f 84 ff 00 00 00 48 89 2c 24 49 89 dd 49 c1 ed 03 48 b8 00 00 00 00 00 fc ff df <41> 80 7c 05 00 00 74 08 48 89 df e8 65 80 3a 00 48 8b 03 48 89 44
RSP: 0018:ffffc90000a18af0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 1ffff11005f2115a RCX: ffff88802f908000
RDX: 0000000080000100 RSI: 0000000000000010 RDI: ffffc900039ff810
RBP: ffffc900039ff810 R08: ffffffff895fbdfa R09: 1ffffffff1f5d135
R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: 0000000000000000
R13: 03fffe2200be422b R14: 0000000000000010 R15: ffffc900039ff810
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fba6ef06030 CR3: 0000000077bb8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
xdp_do_check_flushed+0x129/0x240 net/core/filter.c:4300
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:memcg_account_kmem+0x0/0x1e0 mm/memcontrol.c:3371 Code: c1 0f 8c 4e ff ff ff 48 89 df e8 db 1c f7 ff e9 41 ff ff ff e8 81 d4 87 09 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 RSP: 0018:ffffc900039ffa50 EFLAGS: 00000297 RAX: ffff888026bc4000 RBX: 0000000000000001 RCX: ffffc900039ff903 RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff888026bc4000 RBP: ffff888026bc4000 R08: ffffffff8fae89af R09: 1ffffffff1f5d135 R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: 1ffffd4000155f37 R13: ffff88802f460980 R14: dffffc0000000000 R15: ffffea0000aaf9b8 obj_cgroup_uncharge_pages mm/memcontrol.c:3394 [inline] __memcg_kmem_uncharge_page+0x104/0x310 mm/memcontrol.c:3468 memcg_kmem_uncharge_page include/linux/memcontrol.h:1818 [inline] exit_task_stack_account+0x94/0x340 kernel/fork.c:564 do_exit+0x1d02/0x27f0 kernel/exit.c:918 do_group_exit+0x207/0x2c0 kernel/exit.c:1026 get_signal+0x16a1/0x1740 kernel/signal.c:2917 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fba6ed75b59 Code: Unable to access opcode bytes at 0x7fba6ed75b2f. 
RSP: 002b:00007fba6e7ff0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007fba6ef05f68 RCX: 00007fba6ed75b59 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fba6ef05f68 RBP: 00007fba6ef05f60 R08: 00007fba6e7ff6c0 R09: 00007fba6e7ff6c0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fba6ef05f6c R13: 000000000000000b R14: 00007ffedc919aa0 R15: 00007ffedc919b88 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__dev_flush+0x5b/0x160 Code: 48 89 ef e8 97 80 3a 00 48 8b 5d 00 48 39 eb 0f 84 ff 00 00 00 48 89 2c 24 49 89 dd 49 c1 ed 03 48 b8 00 00 00 00 00 fc ff df <41> 80 7c 05 00 00 74 08 48 89 df e8 65 80 3a 00 48 8b 03 48 89 44 RSP: 0018:ffffc90000a18af0 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 1ffff11005f2115a RCX: ffff88802f908000 RDX: 0000000080000100 RSI: 0000000000000010 RDI: ffffc900039ff810 RBP: ffffc900039ff810 R08: ffffffff895fbdfa R09: 1ffffffff1f5d135 R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: 0000000000000000 R13: 03fffe2200be422b R14: 0000000000000010 R15: ffffc900039ff810 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fba6ef06030 CR3: 000000000e134000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 48 89 ef mov %rbp,%rdi 3: e8 97 80 3a 00 call 0x3a809f 8: 48 8b 5d 00 mov 0x0(%rbp),%rbx c: 48 39 eb cmp %rbp,%rbx f: 0f 84 ff 00 00 00 je 0x114 15: 48 89 2c 24 mov %rbp,(%rsp) 19: 49 89 dd mov %rbx,%r13 1c: 49 c1 ed 03 shr $0x3,%r13 20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 27: fc ff df * 2a: 41 80 7c 05 00 00 cmpb $0x0,0x0(%r13,%rax,1) <-- trapping instruction 30: 74 08 je 0x3a 32: 48 89 df mov %rbx,%rdi 35: e8 65 80 3a 00 call 0x3a809f 3a: 48 8b 03 mov (%rbx),%rax 3d: 48 rex.W 3e: 89 .byte 0x89 3f: 44 rex.R Tested on: commit: 
2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1283bdfd980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
[parent not found: <20240721104511.234568-1-aha310510@gmail.com>]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 11:22 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in bq_xmit_all

==================================================================
BUG: KASAN: slab-use-after-free in bq_xmit_all+0x134/0x11d0 kernel/bpf/devmap.c:385
Read of size 8 at addr ffff88802e0fa748 by task syz.0.32/5981

CPU: 1 PID: 5981 Comm: syz.0.32 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
bq_xmit_all+0x134/0x11d0 kernel/bpf/devmap.c:385
__dev_flush+0x81/0x160 kernel/bpf/devmap.c:425
xdp_do_check_flushed+0x129/0x240 net/core/filter.c:4300
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:propagate_protected_usage+0x42/0x210 mm/page_counter.c:22
Code: fc ff df e8 d0 ab 95 ff 49 8d 9c 24 a0 00 00 00 49 89 de 49 c1 ee 03 41 80 3c 2e
00 74 08 48 89 df e8 d2 a1 f8 ff 48 83 3b 00 <74> 78 48 89 1c 24 49 8d bc 24 80 00 00 00 48 89 f8 48 c1 e8 03 80 RSP: 0018:ffffc90003c87160 EFLAGS: 00000246 RAX: ffffffff81fd96f0 RBX: ffff8880162dc1e0 RCX: ffff8880271e3c00 RDX: 0000000000000000 RSI: 000000000000014a RDI: ffff8880162dc140 RBP: dffffc0000000000 R08: ffffffff81fd9639 R09: 1ffff11002c5b828 R10: dffffc0000000000 R11: ffffed1002c5b829 R12: ffff8880162dc140 R13: ffffc90003c872e0 R14: 1ffff11002c5b83c R15: 000000000000014a page_counter_uncharge+0x2e/0x70 mm/page_counter.c:158 uncharge_batch+0xde/0x4f0 mm/memcontrol.c:7637 __mem_cgroup_uncharge_folios+0x14a/0x1c0 mm/memcontrol.c:7739 mem_cgroup_uncharge_folios include/linux/memcontrol.h:721 [inline] folios_put_refs+0x932/0xa60 mm/swap.c:1023 free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:332 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:366 [inline] tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465 exit_mmap+0x44f/0xc80 mm/mmap.c:3354 __mmput+0x115/0x380 kernel/fork.c:1343 exit_mm+0x220/0x310 kernel/exit.c:566 do_exit+0x9b2/0x27f0 kernel/exit.c:864 do_group_exit+0x207/0x2c0 kernel/exit.c:1026 get_signal+0x16a1/0x1740 kernel/signal.c:2917 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc403375b59 Code: Unable to access opcode bytes at 0x7fc403375b2f. 
RSP: 002b:00007fc4041330f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007fc403505f68 RCX: 00007fc403375b59 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fc403505f68 RBP: 00007fc403505f60 R08: 00007fc4041336c0 R09: 00007fc4041336c0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc403505f6c R13: 000000000000000b R14: 00007ffd23f516c0 R15: 00007ffd23f517a8 </TASK> Allocated by task 5977: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3979 [inline] slab_alloc_node mm/slub.c:4028 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4035 vm_area_dup+0x27/0x290 kernel/fork.c:484 __split_vma+0x1a9/0xc30 mm/mmap.c:2394 split_vma mm/mmap.c:2466 [inline] vma_modify+0x194/0x350 mm/mmap.c:2500 vma_modify_flags include/linux/mm.h:3352 [inline] mprotect_fixup+0x3ea/0xa90 mm/mprotect.c:637 do_mprotect_pkey+0x908/0xe00 mm/mprotect.c:820 __do_sys_mprotect mm/mprotect.c:841 [inline] __se_sys_mprotect mm/mprotect.c:838 [inline] __x64_sys_mprotect+0x80/0x90 mm/mprotect.c:838 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5977: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2235 [inline] slab_free mm/slub.c:4464 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4539 remove_vma mm/mmap.c:146 [inline] exit_mmap+0x645/0xc80 mm/mmap.c:3365 __mmput+0x115/0x380 kernel/fork.c:1343 exit_mm+0x220/0x310 kernel/exit.c:566 
do_exit+0x9b2/0x27f0 kernel/exit.c:864 do_group_exit+0x207/0x2c0 kernel/exit.c:1026 __do_sys_exit_group kernel/exit.c:1037 [inline] __se_sys_exit_group kernel/exit.c:1035 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035 x64_sys_call+0x26c3/0x26d0 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88802e0fa6c8 which belongs to the cache vm_area_struct of size 184 The buggy address is located 128 bytes inside of freed 184-byte region [ffff88802e0fa6c8, ffff88802e0fa780) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2e0fa memcg:ffff88806981bc01 anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffefff(slab) raw: 00fff00000000000 ffff888015eefb40 ffffea00008fcf00 dead000000000005 raw: 0000000000000000 0000000000100010 00000001ffffefff ffff88806981bc01 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x152cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5298, tgid 5298 (rm), ts 85421049674, free_ts 85420936799 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1473 prep_new_page mm/page_alloc.c:1481 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3425 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4683 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] alloc_slab_page+0x5f/0x120 mm/slub.c:2304 allocate_slab+0x5a/0x2f0 mm/slub.c:2467 new_slab mm/slub.c:2520 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3706 __slab_alloc+0x58/0xa0 mm/slub.c:3796 __slab_alloc_node mm/slub.c:3849 [inline] slab_alloc_node mm/slub.c:4016 [inline] 
kmem_cache_alloc_noprof+0x1c1/0x2a0 mm/slub.c:4035 vm_area_dup+0x27/0x290 kernel/fork.c:484 __split_vma+0x1a9/0xc30 mm/mmap.c:2394 do_vmi_align_munmap+0x388/0x18c0 mm/mmap.c:2592 do_vmi_munmap+0x261/0x2f0 mm/mmap.c:2759 __vm_munmap+0x1fc/0x400 mm/mmap.c:3038 elf_map fs/binfmt_elf.c:383 [inline] elf_load+0x2d8/0x6f0 fs/binfmt_elf.c:408 load_elf_binary+0x1027/0x2680 fs/binfmt_elf.c:1167 search_binary_handler fs/exec.c:1821 [inline] exec_binprm fs/exec.c:1863 [inline] bprm_execve+0xaf8/0x1770 fs/exec.c:1914 page last free pid 5298 tgid 5298 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1093 [inline] free_unref_folios+0xf12/0x19c0 mm/page_alloc.c:2637 folios_put_refs+0x93a/0xa60 mm/swap.c:1024 free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:332 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:366 [inline] tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465 shift_arg_pages fs/exec.c:781 [inline] setup_arg_pages+0xd2d/0x1000 fs/exec.c:880 load_elf_binary+0xb80/0x2680 fs/binfmt_elf.c:1014 search_binary_handler fs/exec.c:1821 [inline] exec_binprm fs/exec.c:1863 [inline] bprm_execve+0xaf8/0x1770 fs/exec.c:1914 do_execveat_common+0x55f/0x6f0 fs/exec.c:2021 do_execve fs/exec.c:2095 [inline] __do_sys_execve fs/exec.c:2171 [inline] __se_sys_execve fs/exec.c:2166 [inline] __x64_sys_execve+0x92/0xb0 fs/exec.c:2166 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88802e0fa600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802e0fa680: fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb >ffff88802e0fa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802e0fa780: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ffff88802e0fa800: 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 fc
==================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
   0: df e8                   fucomip %st(0),%st
   2: d0 ab 95 ff 49 8d       shrb   -0x72b6006b(%rbx)
   8: 9c                      pushf
   9: 24 a0                   and    $0xa0,%al
   b: 00 00                   add    %al,(%rax)
   d: 00 49 89                add    %cl,-0x77(%rcx)
  10: de 49 c1                fimuls -0x3f(%rcx)
  13: ee                      out    %al,(%dx)
  14: 03 41 80                add    -0x80(%rcx),%eax
  17: 3c 2e                   cmp    $0x2e,%al
  19: 00 74 08 48             add    %dh,0x48(%rax,%rcx,1)
  1d: 89 df                   mov    %ebx,%edi
  1f: e8 d2 a1 f8 ff          call   0xfff8a1f6
  24: 48 83 3b 00             cmpq   $0x0,(%rbx)
* 28: 74 78                   je     0xa2 <-- trapping instruction
  2a: 48 89 1c 24             mov    %rbx,(%rsp)
  2e: 49 8d bc 24 80 00 00    lea    0x80(%r12),%rdi
  35: 00
  36: 48 89 f8                mov    %rdi,%rax
  39: 48 c1 e8 03             shr    $0x3,%rax
  3d: 80                      .byte 0x80

Tested on:

commit:         2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=155234ad980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=122040b1980000
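Two checks a triager does by hand on the results above, written out as an added example (this is not code from the thread, from syzbot, or from the kernel tree). First, the "general protection fault, probably for non-canonical address 0x..." results (the 4:48 and 9:26 reports and the later ones in this thread) each carry a "KASAN: ... in range [...]" line: on x86-64 with generic KASAN the faulting address is a shadow address, and the kernel's kasan_non_canonical_hook() maps it back to the original access by subtracting the shadow offset and shifting left by 3, then classifies it by where that address lands (below PAGE_SIZE, below TASK_SIZE, or above). Second, the KASAN slab-use-after-free report in the 11:22 result prints an access address, an object base, a cache name and an offset, and those can be cross-checked against each other. The constants are the x86-64 generic-KASAN values and are an assumption about the syzbot config (the shadow offset is also visible in the register dumps, e.g. R10 = dffffc0000000000); the sample input is constructed from lines of the reports above.

```python
"""Triage helpers for syzbot KASAN/GPF reports (added example, not kernel code).

Redoes in Python two checks a triager does by hand on the reports in this
thread: (1) turn the "non-canonical address" of a general protection fault
back into the original access range and bug class, as the kernel's
kasan_non_canonical_hook() does for the "KASAN: ... in range [...]" line,
and (2) parse a "BUG: KASAN: slab-use-after-free" header and cross-check
the printed offsets against the raw addresses. The constants are the x86-64
generic-KASAN values (an assumption about the syzbot config).
"""
import re

KASAN_SHADOW_OFFSET = 0xdffffc0000000000  # x86-64 CONFIG_KASAN_SHADOW_OFFSET (assumed)
KASAN_SHADOW_SCALE_SHIFT = 3              # one shadow byte per 8-byte granule
KASAN_GRANULE_SIZE = 1 << KASAN_SHADOW_SCALE_SHIFT
PAGE_SIZE = 4096
TASK_SIZE = (1 << 47) - PAGE_SIZE         # x86-64 user address limit, 4-level paging


def decode_non_canonical(addr):
    """Mirror of kasan_non_canonical_hook(): (bug_type, lo, hi) for the granule
    whose shadow byte lives at addr, or None if addr is below the shadow base
    and therefore cannot be a shadow address."""
    if addr < KASAN_SHADOW_OFFSET:
        return None
    orig = (addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT
    if orig < PAGE_SIZE:
        bug_type = "null-ptr-deref"
    elif orig < TASK_SIZE:
        bug_type = "probably user-memory-access"
    else:
        bug_type = "maybe wild-memory-access"
    return bug_type, orig, orig + KASAN_GRANULE_SIZE - 1


GPF_RE = re.compile(r"non-canonical address 0x([0-9a-f]+)")


def decode_gpf_line(line):
    """Rebuild the kernel's 'KASAN: <type> in range [lo-hi]' line from an
    'Oops: general protection fault ...' line; None if it has no address."""
    m = GPF_RE.search(line)
    decoded = decode_non_canonical(int(m.group(1), 16)) if m else None
    if decoded is None:
        return None
    bug_type, lo, hi = decoded
    return "KASAN: %s in range [0x%016x-0x%016x]" % (bug_type, lo, hi)


BUG_RE = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+\s+(?P<loc>\S+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"object at (?P<base>[0-9a-f]+)\s+which belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)")
REGION_RE = re.compile(r"located (?P<off>\d+) bytes inside of\s+(?P<state>\w+) (?P<rsize>\d+)-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")


def parse_kasan_report(text):
    """Parse the header of a generic-KASAN slab report (access inside the
    object) and check that the addresses it prints agree with each other."""
    bug, acc, obj, reg = (r.search(text) for r in (BUG_RE, ACCESS_RE, OBJECT_RE, REGION_RE))
    if not (bug and acc and obj and reg):
        raise ValueError("not a complete KASAN slab report")
    addr, size = int(acc["addr"], 16), int(acc["size"])
    base, objsize = int(obj["base"], 16), int(obj["objsize"])
    lo, hi = int(reg["lo"], 16), int(reg["hi"], 16)
    return {
        "bug_type": bug["type"],
        "func": bug["func"],
        "location": bug["loc"],
        "access": (acc["rw"], size, addr),
        "task": acc["task"],
        "cache": obj["cache"],
        "object_size": objsize,
        "state": reg["state"],
        "offset": addr - base,
        # the offset KASAN printed must be addr minus the object base
        "offset_consistent": addr - base == int(reg["off"]),
        # the region must be exactly [base, base + object size)
        "region_consistent": lo == base and hi == base + objsize and int(reg["rsize"]) == objsize,
        # the whole access, not just its first byte, lies inside the region
        "access_in_region": lo <= addr and addr + size <= hi,
    }


# Constructed sample input: the Oops lines of the four GPF test results in
# this thread, and the header of the KASAN report from the 11:22 result.
GPF_LINES = [
    "Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI",
    "Oops: general protection fault, probably for non-canonical address 0xe3fffa2200be422b: 0000 [#1] PREEMPT SMP KASAN PTI",
    "Oops: general protection fault, probably for non-canonical address 0xdffffc00248b33c0: 0000 [#1] PREEMPT SMP KASAN PTI",
    "Oops: general protection fault, probably for non-canonical address 0xdffffc0003fffe01: 0000 [#1] PREEMPT SMP KASAN PTI",
]
KASAN_REPORT = """\
BUG: KASAN: slab-use-after-free in bq_xmit_all+0x134/0x11d0 kernel/bpf/devmap.c:385
Read of size 8 at addr ffff88802e0fa748 by task syz.0.32/5981
The buggy address belongs to the object at ffff88802e0fa6c8
 which belongs to the cache vm_area_struct of size 184
The buggy address is located 128 bytes inside of
 freed 184-byte region [ffff88802e0fa6c8, ffff88802e0fa780)
"""


def triage():
    """Decode the sample GPF lines and check the sample KASAN report."""
    return [decode_gpf_line(l) for l in GPF_LINES], parse_kasan_report(KASAN_REPORT)


if __name__ == "__main__":
    gpf, uaf = triage()
    print("\n".join(gpf))
    print(uaf)
```

Running it reproduces the four "KASAN: ... in range" lines exactly as the kernel printed them (the 9:26 result's range 0x1ffff11005f21158 is also what R13 = 03fffe2200be422b shifted left by 3 gives, which is how the shadow pointer can be read straight out of the register dump), and confirms that the 11:22 report's 128-byte offset, the [ffff88802e0fa6c8, ffff88802e0fa780) region and the 8-byte read at ffff88802e0fa748 are consistent with a 184-byte vm_area_struct.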
[parent not found: <20240721113702.235104-1-aha310510@gmail.com>]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
From: syzbot @ 2024-07-21 12:02 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in __cpu_map_flush

Oops: general protection fault, probably for non-canonical address 0xdffffc00248b33c0: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000124599e00-0x0000000124599e07]
CPU: 0 PID: 8590 Comm: syz.0.1336 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:__cpu_map_flush+0x42/0xd0
Code: e8 83 d9 d6 ff 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 f7 e8 bd ce 39 00 49 8b 1e 4c 39 f3 74 77 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 9f ce 39 00 4c 8b 23 48 8d 7b c0
RSP: 0018:ffffc90000007b10 EFLAGS: 00010206
RAX: 00000000248b33c0 RBX: 0000000124599e00 RCX: ffff888024599e00
RDX: 0000000080000101 RSI: 0000000000000010 RDI: ffffc900041d7800
RBP: dffffc0000000000 R08: ffffffff895fbdfa R09: 1ffffffff1f5d13d
R10: dffffc0000000000 R11: fffffbfff1f5d13e R12: ffffc900041d7800
R13: ffffc900041d7820 R14: ffffc900041d7800 R15: dffffc0000000000
FS:  00007feec5f366c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007feec5306030 CR3: 0000000022d0e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
xdp_do_check_flushed+0x136/0x240 net/core/filter.c:4304
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970
kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:finish_task_switch+0x1ea/0x870 kernel/sched/core.c:5062 Code: c9 50 e8 19 b6 0b 00 48 83 c4 08 4c 89 f7 e8 7d 38 00 00 0f 1f 44 00 00 4c 89 f7 e8 50 1b 2e 0a e8 8b f2 36 00 fb 48 8b 5d c0 <48> 8d bb f8 15 00 00 48 89 f8 48 c1 e8 03 49 be 00 00 00 00 00 fc RSP: 0018:ffffc900041d77a8 EFLAGS: 00000286 RAX: b5a136e6a96a7500 RBX: ffff888024599e00 RCX: ffffffff947c8703 RDX: dffffc0000000000 RSI: ffffffff8bcacd20 RDI: ffffffff8c1f9a40 RBP: ffffc900041d77f0 R08: ffffffff8fae89ef R09: 1ffffffff1f5d13d R10: dffffc0000000000 R11: fffffbfff1f5d13e R12: 1ffff11017287eb3 R13: dffffc0000000000 R14: ffff8880b943e800 R15: ffff8880b943f598 context_switch kernel/sched/core.c:5191 [inline] __schedule+0x17b6/0x4a10 kernel/sched/core.c:6529 __schedule_loop kernel/sched/core.c:6606 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6621 futex_wait_queue+0x14e/0x1d0 kernel/futex/waitwake.c:370 __futex_wait+0x17f/0x320 kernel/futex/waitwake.c:669 futex_wait+0x101/0x360 kernel/futex/waitwake.c:697 do_futex+0x33b/0x560 kernel/futex/syscalls.c:102 __do_sys_futex kernel/futex/syscalls.c:179 [inline] __se_sys_futex+0x3f9/0x480 kernel/futex/syscalls.c:160 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7feec5175b59 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007feec5f360f8 EFLAGS: 
00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007feec5305f68 RCX: 00007feec5175b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007feec5305f68
RBP: 00007feec5305f60 R08: 00007feec5f366c0 R09: 00007feec5f366c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007feec5305f6c
R13: 000000000000000b R14: 00007ffc29b39510 R15: 00007ffc29b395f8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__cpu_map_flush+0x42/0xd0
Code: e8 83 d9 d6 ff 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 f7 e8 bd ce 39 00 49 8b 1e 4c 39 f3 74 77 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 9f ce 39 00 4c 8b 23 48 8d 7b c0
RSP: 0018:ffffc90000007b10 EFLAGS: 00010206
RAX: 00000000248b33c0 RBX: 0000000124599e00 RCX: ffff888024599e00
RDX: 0000000080000101 RSI: 0000000000000010 RDI: ffffc900041d7800
RBP: dffffc0000000000 R08: ffffffff895fbdfa R09: 1ffffffff1f5d13d
R10: dffffc0000000000 R11: fffffbfff1f5d13e R12: ffffc900041d7800
R13: ffffc900041d7820 R14: ffffc900041d7800 R15: dffffc0000000000
FS:  00007feec5f366c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007feec5306030 CR3: 0000000022d0e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: e8 83 d9 d6 ff        call   0xffd6d988
   5: 4c 89 f0              mov    %r14,%rax
   8: 48 c1 e8 03           shr    $0x3,%rax
   c: 42 80 3c 38 00        cmpb   $0x0,(%rax,%r15,1)
  11: 74 08                 je     0x1b
  13: 4c 89 f7              mov    %r14,%rdi
  16: e8 bd ce 39 00        call   0x39ced8
  1b: 49 8b 1e              mov    (%r14),%rbx
  1e: 4c 39 f3              cmp    %r14,%rbx
  21: 74 77                 je     0x9a
  23: 48 89 d8              mov    %rbx,%rax
  26: 48 c1 e8 03           shr    $0x3,%rax
* 2a: 42 80 3c 38 00        cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f: 74 08                 je     0x39
  31: 48 89 df              mov    %rbx,%rdi
  34: e8 9f ce 39 00        call   0x39ced8
  39: 4c 8b 23              mov    (%rbx),%r12
  3c: 48 8d 7b c0           lea    -0x40(%rbx),%rdi

Tested on:
commit: 2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14ac4595980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=154c8cad980000
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
[not found] <20240721131603.267262-1-aha310510@gmail.com>
@ 2024-07-21 13:41 ` syzbot
0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-21 13:41 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in __dev_flush
bq->count = 0
Oops: general protection fault, probably for non-canonical address 0xdffffc0003fffe01: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x000000001ffff008-0x000000001ffff00f]
CPU: 1 PID: 6644 Comm: syz.0.358 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:__list_del include/linux/list.h:195 [inline]
RIP: 0010:__list_del_clearprev include/linux/list.h:209 [inline]
RIP: 0010:__dev_flush+0xe4/0x160 kernel/bpf/devmap.c:430
Code: b8 00 00 00 00 00 fc ff df 41 80 7c 05 00 00 49 89 c5 74 08 48 89 df e8 0a 80 3a 00 48 8b 2b 48 8d 5d 08 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 dd 80 3a 00 4c 89 23 4c 89 e0 48
RSP: 0018:ffffc90000a18af0 EFLAGS: 00010202
RAX: 0000000003fffe01 RBX: 000000001ffff008 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88802e31a120
RBP: 000000001ffff000 R08: ffff88802e31a11f R09: 0000000000000000
R10: ffff88802e31a110 R11: ffffed1005c63424 R12: 0000000020000000
R13: dffffc0000000000 R14: ffff88802e31a100 R15: 1ffff11005c63420
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efc38d06030 CR3: 000000002d8c8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
xdp_do_check_flushed+0x129/0x240 net/core/filter.c:4300
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:page_ext_get+0x5/0x2a0 mm/page_ext.c:518
Code: f1 49 91 ff 90 0f 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 55 <41> 57 41 56 41 54 53 48 89 fb e8 bc 49 91 ff e8 57 40 78 ff 4c 8d
RSP: 0018:ffffc90003d6f378 EFLAGS: 00000283
RAX: 0000001e5a5649e6 RBX: ffffea00019ecd00 RCX: 0000001f7035090d
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffea00019ecd00
RBP: 0000000000000000 R08: ffffea00019ecd37 R09: 1ffffd400033d9a6
R10: dffffc0000000000 R11: fffff9400033d9a7 R12: 0000000000000005
R13: ffffea00019ecd00 R14: 0000000000000000 R15: 0000000000000000
__reset_page_owner+0x2f/0x3f0 mm/page_owner.c:290
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1093 [inline]
free_unref_folios+0xf12/0x19c0 mm/page_alloc.c:2637
folios_put_refs+0x93a/0xa60 mm/swap.c:1024
folios_put include/linux/mm.h:1572 [inline]
folio_batch_move_lru+0x5d7/0x690 mm/swap.c:227
lru_add_drain_cpu+0x10e/0x8c0 mm/swap.c:657
lru_add_drain+0x123/0x3e0 mm/swap.c:757
exit_mmap+0x22b/0xc80 mm/mmap.c:3336
__mmput+0x115/0x380 kernel/fork.c:1343
exit_mm+0x220/0x310 kernel/exit.c:566
do_exit+0x9b2/0x27f0 kernel/exit.c:864
do_group_exit+0x207/0x2c0 kernel/exit.c:1026
get_signal+0x16a1/0x1740 kernel/signal.c:2917
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efc38b75b59
Code: Unable to access opcode bytes at 0x7efc38b75b2f.
RSP: 002b:00007efc385ff0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007efc38d05f68 RCX: 00007efc38b75b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007efc38d05f68
RBP: 00007efc38d05f60 R08: 00007efc385ff6c0 R09: 00007efc385ff6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007efc38d05f6c
R13: 000000000000000b R14: 00007fff8a519330 R15: 00007fff8a519418
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del include/linux/list.h:195 [inline]
RIP: 0010:__list_del_clearprev include/linux/list.h:209 [inline]
RIP: 0010:__dev_flush+0xe4/0x160 kernel/bpf/devmap.c:430
Code: b8 00 00 00 00 00 fc ff df 41 80 7c 05 00 00 49 89 c5 74 08 48 89 df e8 0a 80 3a 00 48 8b 2b 48 8d 5d 08 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 dd 80 3a 00 4c 89 23 4c 89 e0 48
RSP: 0018:ffffc90000a18af0 EFLAGS: 00010202
RAX: 0000000003fffe01 RBX: 000000001ffff008 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88802e31a120
RBP: 000000001ffff000 R08: ffff88802e31a11f R09: 0000000000000000
R10: ffff88802e31a110 R11: ffffed1005c63424 R12: 0000000020000000
R13: dffffc0000000000 R14: ffff88802e31a100 R15: 1ffff11005c63420
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efc38d06030 CR3: 000000002d8c8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: b8 00 00 00 00        mov    $0x0,%eax
   5: 00 fc                 add    %bh,%ah
   7: ff                    (bad)
   8: df 41 80              filds  -0x80(%rcx)
   b: 7c 05                 jl     0x12
   d: 00 00                 add    %al,(%rax)
   f: 49 89 c5              mov    %rax,%r13
  12: 74 08                 je     0x1c
  14: 48 89 df              mov    %rbx,%rdi
  17: e8 0a 80 3a 00        call   0x3a8026
  1c: 48 8b 2b              mov    (%rbx),%rbp
  1f: 48 8d 5d 08           lea    0x8(%rbp),%rbx
  23: 48 89 d8              mov    %rbx,%rax
  26: 48 c1 e8 03           shr    $0x3,%rax
* 2a: 42 80 3c 28 00        cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f: 74 08                 je     0x39
  31: 48 89 df              mov    %rbx,%rdi
  34: e8 dd 80 3a 00        call   0x3a8116
  39: 4c 89 23              mov    %r12,(%rbx)
  3c: 4c 89 e0              mov    %r12,%rax
  3f: 48                    rex.W

Tested on:
commit: 2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103033fd980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13eae521980000
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
[not found] <20240721132859.268170-1-aha310510@gmail.com>
@ 2024-07-21 13:59 ` syzbot
0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-21 13:59 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in __cpu_map_flush
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 6414 Comm: syz.0.248 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:__cpu_map_flush+0x42/0xd0
Code: e8 93 d9 d6 ff 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 f7 e8 bd ce 39 00 49 8b 1e 4c 39 f3 74 77 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 9f ce 39 00 4c 8b 23 48 8d 7b c0
RSP: 0018:ffffc90000a18b10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88806b371e00
RDX: 0000000080000100 RSI: 0000000000000010 RDI: ffffc9000319f800
RBP: dffffc0000000000 R08: ffffffff895fbdfa R09: 1ffffffff1f5d135
R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: ffffc9000319f800
R13: ffffc9000319f820 R14: ffffc9000319f800 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3b96706030 CR3: 0000000025528000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
xdp_do_check_flushed+0x136/0x240 net/core/filter.c:4304
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5763
Code: 2b 00 74 08 4c 89 f7 e8 1a cb 86 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
RSP: 0018:ffffc9000319f8c0 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 1ffff92000633f24 RCX: a82dc8c22c65f400
RDX: dffffc0000000000 RSI: ffffffff8bcadea0 RDI: ffffffff8c1f9a00
RBP: ffffc9000319fa08 R08: ffffffff92fd0607 R09: 1ffffffff25fa0c0
R10: dffffc0000000000 R11: fffffbfff25fa0c1 R12: 1ffff92000633f20
R13: dffffc0000000000 R14: ffffc9000319f920 R15: 0000000000000246
rcu_lock_acquire include/linux/rcupdate.h:327 [inline]
rcu_read_lock include/linux/rcupdate.h:839 [inline]
get_mem_cgroup_from_objcg+0x36/0x150 include/linux/memcontrol.h:533
obj_cgroup_uncharge_pages mm/memcontrol.c:3392 [inline]
__memcg_kmem_uncharge_page+0xf5/0x310 mm/memcontrol.c:3468
memcg_kmem_uncharge_page include/linux/memcontrol.h:1818 [inline]
exit_task_stack_account+0xd7/0x340 kernel/fork.c:564
do_exit+0x1d02/0x27f0 kernel/exit.c:918
do_group_exit+0x207/0x2c0 kernel/exit.c:1026
get_signal+0x16a1/0x1740 kernel/signal.c:2917
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3b96575b59
Code: Unable to access opcode bytes at 0x7f3b96575b2f.
RSP: 002b:00007f3b973cb0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f3b96705f68 RCX: 00007f3b96575b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f3b96705f68
RBP: 00007f3b96705f60 R08: 00007f3b973cb6c0 R09: 00007f3b973cb6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3b96705f6c
R13: 000000000000000b R14: 00007ffd55a3d740 R15: 00007ffd55a3d828
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__cpu_map_flush+0x42/0xd0
Code: e8 93 d9 d6 ff 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 f7 e8 bd ce 39 00 49 8b 1e 4c 39 f3 74 77 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 9f ce 39 00 4c 8b 23 48 8d 7b c0
RSP: 0018:ffffc90000a18b10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88806b371e00
RDX: 0000000080000100 RSI: 0000000000000010 RDI: ffffc9000319f800
RBP: dffffc0000000000 R08: ffffffff895fbdfa R09: 1ffffffff1f5d135
R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: ffffc9000319f800
R13: ffffc9000319f820 R14: ffffc9000319f800 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3b96706030 CR3: 000000000e134000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: e8 93 d9 d6 ff        call   0xffd6d998
   5: 4c 89 f0              mov    %r14,%rax
   8: 48 c1 e8 03           shr    $0x3,%rax
   c: 42 80 3c 38 00        cmpb   $0x0,(%rax,%r15,1)
  11: 74 08                 je     0x1b
  13: 4c 89 f7              mov    %r14,%rdi
  16: e8 bd ce 39 00        call   0x39ced8
  1b: 49 8b 1e              mov    (%r14),%rbx
  1e: 4c 39 f3              cmp    %r14,%rbx
  21: 74 77                 je     0x9a
  23: 48 89 d8              mov    %rbx,%rax
  26: 48 c1 e8 03           shr    $0x3,%rax
* 2a: 42 80 3c 38 00        cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f: 74 08                 je     0x39
  31: 48 89 df              mov    %rbx,%rdi
  34: e8 9f ce 39 00        call   0x39ced8
  39: 4c 8b 23              mov    (%rbx),%r12
  3c: 48 8d 7b c0           lea    -0x40(%rbx),%rdi

Tested on:
commit: 2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103762e6980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=123c8cad980000
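The failing test runs above all trap on the same instruction shape, `shr $0x3,%rax` followed by a byte load from `(%rax,%r15,1)` (or `%r13`) with that index register holding 0xdffffc0000000000. That is the inline check generic KASAN emits before every memory access, and the "non-canonical address" in the Oops line is therefore the KASAN shadow address, not the pointer the flush code was about to use. The kernel's kasan_non_canonical_hook() reverses the mapping to print the "KASAN: ... in range [...]" line; the script below, an added example that is not part of the syzbot reports or of any kernel code, does the same offline and then matches the decoded pointer against the faulting frame's registers. For the __dev_flush report it recovers 0x1ffff008, which is %rbx, built by `lea 0x8(%rbp),%rbx` from the %rbp value 0x1ffff000 that `mov (%rbx),%rbp` loaded; for the __cpu_map_flush report it recovers NULL in %rax and %rbx. The shadow offset, PAGE_SIZE and TASK_SIZE are the x86-64 defaults and are assumptions of the script; the two embedded excerpts are copied from the reports above.

```python
"""Decode KASAN shadow-check #GP addresses from the oopses in this thread.

Added example, not part of the syzbot reports or of the kernel. Reverses the
x86-64 generic-KASAN memory-to-shadow mapping (shadow = (addr >> 3) +
0xdffffc0000000000) the way kasan_non_canonical_hook() does, then names the
register(s) of the faulting frame that hold the decoded pointer. PAGE_SIZE and
TASK_SIZE are the x86-64 defaults (assumed).
"""
import re

KASAN_SHADOW_OFFSET = 0xdffffc0000000000  # x86-64 CONFIG_KASAN_SHADOW_OFFSET
KASAN_SHADOW_SCALE_SHIFT = 3              # one shadow byte covers 8 bytes
KASAN_GRANULE_SIZE = 1 << KASAN_SHADOW_SCALE_SHIFT
PAGE_SIZE = 4096                          # assumed x86-64 default
TASK_SIZE = (1 << 47) - PAGE_SIZE         # assumed: 4-level paging user limit

_GPF_RE = re.compile(r"non-canonical address 0x([0-9a-f]{16})")
_KASAN_RE = re.compile(r"KASAN: (.+?) in range \[0x([0-9a-f]+)-0x([0-9a-f]+)\]")
_REG_RE = re.compile(r"\b(R[A-D]X|R[SD]I|R[SB]P|R(?:[89]|1[0-5])): ([0-9a-f]{16})")


def decode_shadow_fault(fault_addr):
    """(bug_type, lo, hi) for a non-canonical fault address, or None if the
    address lies below the shadow offset and so cannot be a shadow check."""
    if fault_addr < KASAN_SHADOW_OFFSET:
        return None
    orig = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT
    if orig < PAGE_SIZE:
        bug_type = "null-ptr-deref"
    elif orig < TASK_SIZE:
        bug_type = "probably user-memory-access"
    else:
        bug_type = "maybe wild-memory-access"
    return bug_type, orig, orig + KASAN_GRANULE_SIZE - 1


def faulting_frame_registers(oops):
    """GPRs of the first (faulting) frame only: the text between the first
    'RSP: 0018:' line and the next 'FS:' line. The <TASK> frame and the
    user-space dump further down are deliberately skipped."""
    start = oops.find("RSP: 0018:")
    if start < 0:
        return {}
    end = oops.find("FS:", start)
    block = oops[start:end] if end > 0 else oops[start:]
    return {name: int(val, 16) for name, val in _REG_RE.findall(block)}


def triage(oops):
    """Decode the #GP address, cross-check it against the kernel's own
    'KASAN: ... in range' line and list registers inside the decoded granule."""
    m = _GPF_RE.search(oops)
    decoded = decode_shadow_fault(int(m.group(1), 16)) if m else None
    if decoded is None:
        return None
    bug_type, lo, hi = decoded
    k = _KASAN_RE.search(oops)
    kernel_says = (k.group(1), int(k.group(2), 16), int(k.group(3), 16)) if k else None
    regs = faulting_frame_registers(oops)
    return {
        "bug_type": bug_type,
        "range": (lo, hi),
        "matches_kernel_line": kernel_says == decoded,
        "registers": sorted(n for n, v in regs.items() if lo <= v <= hi),
    }


# Excerpts of two reports from this thread (__dev_flush and __cpu_map_flush).
DEV_FLUSH_OOPS = """\
Oops: general protection fault, probably for non-canonical address 0xdffffc0003fffe01: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x000000001ffff008-0x000000001ffff00f]
RIP: 0010:__dev_flush+0xe4/0x160 kernel/bpf/devmap.c:430
RSP: 0018:ffffc90000a18af0 EFLAGS: 00010202
RAX: 0000000003fffe01 RBX: 000000001ffff008 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88802e31a120
RBP: 000000001ffff000 R08: ffff88802e31a11f R09: 0000000000000000
R10: ffff88802e31a110 R11: ffffed1005c63424 R12: 0000000020000000
R13: dffffc0000000000 R14: ffff88802e31a100 R15: 1ffff11005c63420
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
"""

CPU_MAP_FLUSH_OOPS = """\
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:__cpu_map_flush+0x42/0xd0
RSP: 0018:ffffc90000a18b10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88806b371e00
RDX: 0000000080000100 RSI: 0000000000000010 RDI: ffffc9000319f800
RBP: dffffc0000000000 R08: ffffffff895fbdfa R09: 1ffffffff1f5d135
R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: ffffc9000319f800
R13: ffffc9000319f820 R14: ffffc9000319f800 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
"""

if __name__ == "__main__":
    for name, oops in (("__dev_flush", DEV_FLUSH_OOPS), ("__cpu_map_flush", CPU_MAP_FLUSH_OOPS)):
        r = triage(oops)
        print(f"{name}: {r['bug_type']} [{r['range'][0]:#x}-{r['range'][1]:#x}] "
              f"kernel-line-match={r['matches_kernel_line']} registers={r['registers']}")
```

Run as a script it prints the decoded range for both excerpts; `triage()` can equally be pointed at a whole console log downloaded from the links in the reports. `faulting_frame_registers()` reads only the first register block on purpose: the <TASK> frame and the user-space dump lower in the same oops are full of unrelated zeros that would otherwise all "match" a null-ptr-deref range.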
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
[not found] <20240721144408.268936-1-aha310510@gmail.com>
@ 2024-07-21 15:18 ` syzbot
0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-21 15:18 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in bq_flush_to_queue
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 6041 Comm: syz.0.49 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:bq_flush_to_queue+0x44/0x610 kernel/bpf/cpumap.c:675
Code: df e8 30 d9 d6 ff 49 8d 5e 50 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 d6 cd 39 00 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 1d 05 00 00 44 8b 65 00 4d 8d 6e 58 4c
RSP: 0018:ffffc90000007a80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88802a8dc290 RCX: ffff88802e52bc00
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff88802a8dc240
RBP: 0000000000000000 R08: ffffffff895fbd7a R09: 1ffffffff1f5d135
R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: 0000000000000002
R13: ffffc900034ff7c0 R14: ffff88802a8dc240 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b3025ffff CR3: 000000000e134000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__cpu_map_flush+0x5d/0xd0 kernel/bpf/cpumap.c:765
xdp_do_check_flushed+0x136/0x240 net/core/filter.c:4304
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:236 [inline]
RIP: 0010:__sanitizer_cov_trace_switch+0x9d/0x120 kernel/kcov.c:341
Code: 00 00 4d 85 d2 0f 84 8b 00 00 00 4c 8b 4c 24 20 65 4c 8b 1c 25 40 d5 03 00 31 d2 eb 08 48 ff c2 49 39 d2 74 71 4c 8b 74 d6 10 <65> 8b 05 64 8c 70 7e a9 00 01 ff 00 74 11 a9 00 01 00 00 74 de 41
RSP: 0018:ffffc900034ff280 EFLAGS: 00000202
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88802e52bc00
RDX: 0000000000000006 RSI: ffffffff8e1a32a0 RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000005 R09: ffffffff81410f0e
R10: 0000000000000008 R11: ffff88802e52bc00 R12: ffffffff9027c0cc
R13: dffffc0000000000 R14: 0000000000000008 R15: 1ffff9200069fe70
unwind_next_frame+0x7be/0x2a00 arch/x86/kernel/unwind_orc.c:515
arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2235 [inline]
slab_free mm/slub.c:4464 [inline]
kmem_cache_free+0x145/0x350 mm/slub.c:4539
vma_lock_free kernel/fork.c:455 [inline]
__vm_area_free+0xe0/0x110 kernel/fork.c:511
remove_vma mm/mmap.c:146 [inline]
exit_mmap+0x645/0xc80 mm/mmap.c:3365
__mmput+0x115/0x380 kernel/fork.c:1343
exit_mm+0x220/0x310 kernel/exit.c:566
do_exit+0x9b2/0x27f0 kernel/exit.c:864
do_group_exit+0x207/0x2c0 kernel/exit.c:1026
get_signal+0x16a1/0x1740 kernel/signal.c:2917
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff317375b59
Code: Unable to access opcode bytes at 0x7ff317375b2f.
RSP: 002b:00007ff3180f50f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007ff317505f68 RCX: 00007ff317375b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007ff317505f68
RBP: 00007ff317505f60 R08: 00007ff3180f56c0 R09: 00007ff3180f56c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff317505f6c
R13: 000000000000000b R14: 00007ffc63823320 R15: 00007ffc63823408
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bq_flush_to_queue+0x44/0x610 kernel/bpf/cpumap.c:675
Code: df e8 30 d9 d6 ff 49 8d 5e 50 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 d6 cd 39 00 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 1d 05 00 00 44 8b 65 00 4d 8d 6e 58 4c
RSP: 0018:ffffc90000007a80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88802a8dc290 RCX: ffff88802e52bc00
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff88802a8dc240
RBP: 0000000000000000 R08: ffffffff895fbd7a R09: 1ffffffff1f5d135
R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: 0000000000000002
R13: ffffc900034ff7c0 R14: ffff88802a8dc240 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b3025ffff CR3: 000000000e134000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: e8 30 d9 d6 ff        call   0xffd6d935
   5: 49 8d 5e 50           lea    0x50(%r14),%rbx
   9: 48 89 d8              mov    %rbx,%rax
   c: 48 c1 e8 03           shr    $0x3,%rax
  10: 42 80 3c 38 00        cmpb   $0x0,(%rax,%r15,1)
  15: 74 08                 je     0x1f
  17: 48 89 df              mov    %rbx,%rdi
  1a: e8 d6 cd 39 00        call   0x39cdf5
  1f: 48 8b 2b              mov    (%rbx),%rbp
  22: 48 89 e8              mov    %rbp,%rax
  25: 48 c1 e8 03           shr    $0x3,%rax
* 29: 42 0f b6 04 38        movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2e: 84 c0                 test   %al,%al
  30: 0f 85 1d 05 00 00     jne    0x553
  36: 44 8b 65 00           mov    0x0(%rbp),%r12d
  3a: 4d 8d 6e 58           lea    0x58(%r14),%r13
  3e: 4c                    rex.WR

Tested on:
commit: 2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=128d0ae6980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1346ca3d980000
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
[not found] <20240721150446.269633-1-aha310510@gmail.com>
@ 2024-07-21 15:45 ` syzbot
0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-21 15:45 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
Tested-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
Tested on:
commit: 3f9fe37d net: Move per-CPU flush-lists to bpf_net_cont..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=116bd2e6980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f0b82937c5cd6774
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
[not found] <20240721151344.269717-1-aha310510@gmail.com>
@ 2024-07-21 16:09 ` syzbot
0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-21 16:09 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
Tested-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
Tested on:
commit: d839a731 net: Optimize xdp_do_flush() with bpf_net_con..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17b493e9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0559deea039729f
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
[not found] <20240721154738.269841-1-aha310510@gmail.com>
@ 2024-07-21 16:10 ` syzbot
0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-21 16:10 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/upstream: failed to run ["git" "fetch" "--force" "f569e972c8e9057ee9c286220c83a480ebf30cc5" "upstream"]: exit status 128
fatal: couldn't find remote ref upstream
Tested on:
commit: [unknown
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=93ca6cd6f392cb76
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=10fef15e980000
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
[not found] <20240721163522.2416-1-aha310510@gmail.com>
@ 2024-07-21 17:11 ` syzbot
0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-21 17:11 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
Tested-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
Tested on:
commit: fd8db077 bpf, devmap: Add .map_alloc_check
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=152f62e6980000
kernel config: https://syzkaller.appspot.com/x/.config?x=909a84ad1424a029
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
[not found] <20240721163635.2486-1-aha310510@gmail.com>
@ 2024-07-21 17:29 ` syzbot
0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-21 17:29 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in bq_flush_to_queue
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 6059 Comm: syz.0.51 Not tainted 6.10.0-rc6-syzkaller-01399-g605c96997d89 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:bq_flush_to_queue+0x44/0x610 kernel/bpf/cpumap.c:675
Code: df e8 50 dc d6 ff 49 8d 5e 50 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 a6 b1 39 00 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 1d 05 00 00 44 8b 65 00 4d 8d 6e 58 4c
RSP: 0018:ffffc90000a18a80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880652a4290 RCX: ffff888073870000
RDX: 0000000080000101 RSI: 0000000000000010 RDI: ffff8880652a4240
RBP: 0000000000000000 R08: ffffffff895a503a R09: 1ffffffff1f5969d
R10: dffffc0000000000 R11: fffffbfff1f5969e R12: 0000000000000002
R13: ffffc900037d7820 R14: ffff8880652a4240 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33b5ffff CR3: 000000000e132000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__cpu_map_flush+0x5d/0xd0 kernel/bpf/cpumap.c:767
xdp_do_check_flushed+0x136/0x240 net/core/filter.c:4304
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xd8/0x140 kernel/locking/spinlock.c:194
Code: 9c 8f 44 24 20 42 80 3c 23 00 74 08 4c 89 f7 e8 1e d9 6c f6 f6 44 24 21 02 75 52 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> e3 79 d9 f5 65 8b 05 34 b3 77 74 85 c0 74 43 48 c7 04 24 0e 36
RSP: 0018:ffffc900037d7580 EFLAGS: 00000206
RAX: 35c09d964b24e400 RBX: 1ffff920006faeb4 RCX: ffffffff8172d8aa
RDX: dffffc0000000000 RSI: ffffffff8bcabb40 RDI: 0000000000000001
RBP: ffffc900037d7610 R08: ffffffff92f875b7 R09: 1ffffffff25f0eb6
R10: dffffc0000000000 R11: fffffbfff25f0eb7 R12: dffffc0000000000
R13: 1ffff920006faeb0 R14: ffffc900037d75a0 R15: 0000000000000246
__debug_check_no_obj_freed lib/debugobjects.c:998 [inline]
debug_check_no_obj_freed+0x561/0x580 lib/debugobjects.c:1019
slab_free_hook mm/slub.c:2163 [inline]
slab_free mm/slub.c:4438 [inline]
kmem_cache_free+0x10f/0x350 mm/slub.c:4513
vma_lock_free kernel/fork.c:453 [inline]
__vm_area_free+0xe0/0x110 kernel/fork.c:509
remove_vma mm/mmap.c:146 [inline]
exit_mmap+0x645/0xc80 mm/mmap.c:3365
__mmput+0x115/0x3c0 kernel/fork.c:1346
exit_mm+0x220/0x310 kernel/exit.c:567
do_exit+0x9aa/0x27e0 kernel/exit.c:863
do_group_exit+0x207/0x2c0 kernel/exit.c:1025
get_signal+0x16a1/0x1740 kernel/signal.c:2909
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1530b75b59
Code: Unable to access opcode bytes at 0x7f1530b75b2f.
RSP: 002b:00007f153197b0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f1530d05f68 RCX: 00007f1530b75b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1530d05f68
RBP: 00007f1530d05f60 R08: 00007f153197b6c0 R09: 00007f153197b6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1530d05f6c
R13: 000000000000000b R14: 00007ffd94c0c0d0 R15: 00007ffd94c0c1b8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bq_flush_to_queue+0x44/0x610 kernel/bpf/cpumap.c:675
Code: df e8 50 dc d6 ff 49 8d 5e 50 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 a6 b1 39 00 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 1d 05 00 00 44 8b 65 00 4d 8d 6e 58 4c
RSP: 0018:ffffc90000a18a80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880652a4290 RCX: ffff888073870000
RDX: 0000000080000101 RSI: 0000000000000010 RDI: ffff8880652a4240
RBP: 0000000000000000 R08: ffffffff895a503a R09: 1ffffffff1f5969d
R10: dffffc0000000000 R11: fffffbfff1f5969e R12: 0000000000000002
R13: ffffc900037d7820 R14: ffff8880652a4240 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33b5ffff CR3: 000000000e132000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: e8 50 dc d6 ff        call   0xffd6dc55
   5: 49 8d 5e 50           lea    0x50(%r14),%rbx
   9: 48 89 d8              mov    %rbx,%rax
   c: 48 c1 e8 03           shr    $0x3,%rax
  10: 42 80 3c 38 00        cmpb   $0x0,(%rax,%r15,1)
  15: 74 08                 je     0x1f
  17: 48 89 df              mov    %rbx,%rdi
  1a: e8 a6 b1 39 00        call   0x39b1c5
  1f: 48 8b 2b              mov    (%rbx),%rbp
  22: 48 89 e8              mov    %rbp,%rax
  25: 48 c1 e8 03           shr    $0x3,%rax
* 29: 42 0f b6 04 38        movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2e: 84 c0                 test   %al,%al
  30: 0f 85 1d 05 00 00     jne    0x553
  36: 44 8b 65 00           mov    0x0(%rbp),%r12d
  3a: 4d 8d 6e 58           lea    0x58(%r14),%r13
  3e: 4c                    rex.WR

Tested on:
commit: 605c9699 bpf: relax zero fixed offset constraint on KF..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=146d0ae6980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8defeae77515c9b1
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
[parent not found: <20240721163824.2543-1-aha310510@gmail.com>]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
  [not found] <20240721163824.2543-1-aha310510@gmail.com>
@ 2024-07-21 17:53 ` syzbot
  0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-21 17:53 UTC (permalink / raw)
  To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
Tested-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com

Tested on:

commit:         a6fcd19d bpf: Defer work in bpf_timer_cancel_and_free
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=178fcfe9980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1ace69f521989b1f
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
[parent not found: <20240722094330.4024-1-aha310510@gmail.com>]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
  [not found] <20240722094330.4024-1-aha310510@gmail.com>
@ 2024-07-22 11:15 ` syzbot
  0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-22 11:15 UTC (permalink / raw)
  To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/3b2aef99221d395ce37efa426d7b50e7dcd621d6a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69: failed to run ["git" "fetch" "--force" "f569e972c8e9057ee9c286220c83a480ebf30cc5" "3b2aef99221d395ce37efa426d7b50e7dcd621d6a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69"]: exit status 128
fatal: couldn't find remote ref 3b2aef99221d395ce37efa426d7b50e7dcd621d6a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69

Tested on:

commit:         [unknown
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3b2aef99221d395ce37efa426d7b50e7dcd621d6a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69
kernel config:  https://syzkaller.appspot.com/x/.config?x=93ca6cd6f392cb76
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler:

Note: no patches were applied.
[parent not found: <20240722094345.4089-1-aha310510@gmail.com>]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
  [not found] <20240722094345.4089-1-aha310510@gmail.com>
@ 2024-07-22 13:51 ` syzbot
  0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-22 13:51 UTC (permalink / raw)
  To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
Tested-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com

Tested on:

commit:         3b2aef99 net: ethernet: mediatek: Allow gaps in MAC al..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1668e595980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8defeae77515c9b1
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
[parent not found: <20240722094420.4136-1-aha310510@gmail.com>]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
  [not found] <20240722094420.4136-1-aha310510@gmail.com>
@ 2024-07-22 13:57 ` syzbot
  0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-22 13:57 UTC (permalink / raw)
  To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in __xsk_map_flush

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 0 PID: 7230 Comm: syz.0.654 Not tainted 6.10.0-rc6-syzkaller-01232-gfecef4cd42c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:__xsk_map_flush+0x56/0x2b0
Code: 80 3c 28 00 74 08 48 89 df e8 96 68 92 f6 4c 8b 3b 49 39 df 0f 84 43 02 00 00 48 89 1c 24 4c 89 f8 48 c1 e8 03 48 89 44 24 08 <42> 80 3c 28 00 74 08 4c 89 ff e8 6b 68 92 f6 49 8b 07 48 89 44 24
RSP: 0018:ffffc90000007ae8 EFLAGS: 00010203
RAX: 0000000000000008 RBX: ffffc90004087820 RCX: ffff88807b148000
RDX: 0000000080000101 RSI: 0000000000000010 RDI: ffffc90004087820
RBP: dffffc0000000000 R08: ffffffff8959f41a R09: 1ffffffff1f5941d
R10: dffffc0000000000 R11: fffffbfff1f5941e R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000010 R15: 0000000000000046
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd8bf106030 CR3: 000000001e6d4000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 xdp_do_check_flushed+0x18e/0x240 net/core/filter.c:4308
 __napi_poll+0xe4/0x490 net/core/dev.c:6774
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6962
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_write_unlock_irq include/linux/rwlock_api_smp.h:274 [inline]
RIP: 0010:_raw_write_unlock_irq+0x29/0x50 kernel/locking/spinlock.c:358
Code: 90 f3 0f 1e fa 53 48 89 fb 48 83 c7 18 48 8b 74 24 08 e8 7a de e6 f5 48 89 df e8 52 33 e8 f5 e8 cd d9 11 f6 fb bf 01 00 00 00 <e8> 22 ee d9 f5 65 8b 05 a3 26 78 74 85 c0 74 06 5b c3 cc cc cc cc
RSP: 0018:ffffc90004087ab0 EFLAGS: 00000282
RAX: 4c2770ac48549a00 RBX: ffffffff8e00a040 RCX: ffffffff9477c603
RDX: dffffc0000000000 RSI: ffffffff8bcabb40 RDI: 0000000000000001
RBP: ffffc90004087c20 R08: ffffffff8faca0ef R09: 1ffffffff1f5941d
R10: dffffc0000000000 R11: fffffbfff1f5941e R12: 1ffff1100f6290ad
R13: 1ffff1100f6290ac R14: ffff88801fc4bcc0 R15: dffffc0000000000
 exit_notify kernel/exit.c:768 [inline]
 do_exit+0x19c4/0x27e0 kernel/exit.c:896
 do_group_exit+0x207/0x2c0 kernel/exit.c:1025
 get_signal+0x16a1/0x1740 kernel/signal.c:2909
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd8bef75b59
Code: Unable to access opcode bytes at 0x7fd8bef75b2f.
RSP: 002b:00007fd8bfe150f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fd8bf105f68 RCX: 00007fd8bef75b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fd8bf105f68
RBP: 00007fd8bf105f60 R08: 00007fd8bfe156c0 R09: 00007fd8bfe156c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd8bf105f6c
R13: 000000000000000b R14: 00007ffd2583fbe0 R15: 00007ffd2583fcc8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__xsk_map_flush+0x56/0x2b0
Code: 80 3c 28 00 74 08 48 89 df e8 96 68 92 f6 4c 8b 3b 49 39 df 0f 84 43 02 00 00 48 89 1c 24 4c 89 f8 48 c1 e8 03 48 89 44 24 08 <42> 80 3c 28 00 74 08 4c 89 ff e8 6b 68 92 f6 49 8b 07 48 89 44 24
RSP: 0018:ffffc90000007ae8 EFLAGS: 00010203
RAX: 0000000000000008 RBX: ffffc90004087820 RCX: ffff88807b148000
RDX: 0000000080000101 RSI: 0000000000000010 RDI: ffffc90004087820
RBP: dffffc0000000000 R08: ffffffff8959f41a R09: 1ffffffff1f5941d
R10: dffffc0000000000 R11: fffffbfff1f5941e R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000010 R15: 0000000000000046
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd8bf106030 CR3: 000000000e132000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:  80 3c 28 00           cmpb   $0x0,(%rax,%rbp,1)
   4:  74 08                 je     0xe
   6:  48 89 df              mov    %rbx,%rdi
   9:  e8 96 68 92 f6        call   0xf69268a4
   e:  4c 8b 3b              mov    (%rbx),%r15
  11:  49 39 df              cmp    %rbx,%r15
  14:  0f 84 43 02 00 00     je     0x25d
  1a:  48 89 1c 24           mov    %rbx,(%rsp)
  1e:  4c 89 f8              mov    %r15,%rax
  21:  48 c1 e8 03           shr    $0x3,%rax
  25:  48 89 44 24 08        mov    %rax,0x8(%rsp)
* 2a:  42 80 3c 28 00        cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:  74 08                 je     0x39
  31:  4c 89 ff              mov    %r15,%rdi
  34:  e8 6b 68 92 f6        call   0xf69268a4
  39:  49 8b 07              mov    (%r15),%rax
  3c:  48                    rex.W
  3d:  89                    .byte 0x89
  3e:  44                    rex.R
  3f:  24                    .byte 0x24

Tested on:

commit:         fecef4cd tun: Assign missing bpf_net_context.
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10ed355e980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8defeae77515c9b1
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
[parent not found: <20240722094810.4193-1-aha310510@gmail.com>]
* Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all
  [not found] <20240722094810.4193-1-aha310510@gmail.com>
@ 2024-07-22 14:19 ` syzbot
  0 siblings, 0 replies; 37+ messages in thread
From: syzbot @ 2024-07-22 14:19 UTC (permalink / raw)
  To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in __cpu_map_flush

Oops: general protection fault, probably for non-canonical address 0xe3fffb24000bcbe2: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0x1ffff920005e5f10-0x1ffff920005e5f17]
CPU: 1 PID: 11356 Comm: syz.0.2720 Not tainted 6.10.0-rc6-syzkaller-01399-g605c96997d89 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:__cpu_map_flush+0x42/0xd0
Code: e8 33 dd d6 ff 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 f7 e8 8d b2 39 00 49 8b 1e 4c 39 f3 74 77 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 6f b2 39 00 4c 8b 23 48 8d 7b c0
RSP: 0018:ffffc90000a18b10 EFLAGS: 00010206
RAX: 03ffff24000bcbe2 RBX: 1ffff920005e5f10 RCX: ffff88807b34da00
RDX: 0000000080000100 RSI: 0000000000000000 RDI: ffffc90002f2f800
RBP: dffffc0000000000 R08: ffffffff895a503a R09: 1ffffffff1f5969d
R10: dffffc0000000000 R11: fffffbfff1f5969e R12: ffffc90002f2f800
R13: ffffc90002f2f7c0 R14: ffffc90002f2f800 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f14a6b06030 CR3: 0000000027bec000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 xdp_do_check_flushed+0x136/0x240 net/core/filter.c:4304
 __napi_poll+0xe4/0x490 net/core/dev.c:6774
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6962
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:account_kernel_stack+0x289/0x3f0 kernel/fork.c:540
Code: 4d e8 db ea 3e 00 48 8b 5c 24 08 4d 85 f6 75 10 e8 cc ea 3e 00 49 83 fc 38 75 15 e9 09 01 00 00 e8 bc ea 3e 00 fb 49 83 fc 38 <0f> 84 f9 00 00 00 e8 ac ea 3e 00 49 83 c4 08 e9 2d fe ff ff e8 9e
RSP: 0018:ffffc90002f2f9c0 EFLAGS: 00000293
RAX: ffffffff81573ae4 RBX: ffff88806d454020 RCX: ffff88807b34da00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002f2fa88 R08: ffffffff81573ab6 R09: 1ffffffff1f5969d
R10: dffffc0000000000 R11: fffffbfff1f5969e R12: 0000000000000000
R13: ffffc90002f2fa00 R14: 0000000000000200 R15: ffffc90002f2fa20
 exit_task_stack_account+0x2a/0x340 kernel/fork.c:554
 do_exit+0x1cfa/0x27e0 kernel/exit.c:917
 do_group_exit+0x207/0x2c0 kernel/exit.c:1025
 get_signal+0x16a1/0x1740 kernel/signal.c:2909
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f14a6975b59
Code: Unable to access opcode bytes at 0x7f14a6975b2f.
RSP: 002b:00007f14a77350f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f14a6b05f68 RCX: 00007f14a6975b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f14a6b05f68
RBP: 00007f14a6b05f60 R08: 00007f14a77356c0 R09: 00007f14a77356c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f14a6b05f6c
R13: 000000000000000b R14: 00007ffc7a3935b0 R15: 00007ffc7a393698
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__cpu_map_flush+0x42/0xd0
Code: e8 33 dd d6 ff 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 f7 e8 8d b2 39 00 49 8b 1e 4c 39 f3 74 77 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 6f b2 39 00 4c 8b 23 48 8d 7b c0
RSP: 0018:ffffc90000a18b10 EFLAGS: 00010206
RAX: 03ffff24000bcbe2 RBX: 1ffff920005e5f10 RCX: ffff88807b34da00
RDX: 0000000080000100 RSI: 0000000000000000 RDI: ffffc90002f2f800
RBP: dffffc0000000000 R08: ffffffff895a503a R09: 1ffffffff1f5969d
R10: dffffc0000000000 R11: fffffbfff1f5969e R12: ffffc90002f2f800
R13: ffffc90002f2f7c0 R14: ffffc90002f2f800 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f14a6b06030 CR3: 000000000e132000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:  e8 33 dd d6 ff        call   0xffd6dd38
   5:  4c 89 f0              mov    %r14,%rax
   8:  48 c1 e8 03           shr    $0x3,%rax
   c:  42 80 3c 38 00        cmpb   $0x0,(%rax,%r15,1)
  11:  74 08                 je     0x1b
  13:  4c 89 f7              mov    %r14,%rdi
  16:  e8 8d b2 39 00        call   0x39b2a8
  1b:  49 8b 1e              mov    (%r14),%rbx
  1e:  4c 39 f3              cmp    %r14,%rbx
  21:  74 77                 je     0x9a
  23:  48 89 d8              mov    %rbx,%rax
  26:  48 c1 e8 03           shr    $0x3,%rax
* 2a:  42 80 3c 38 00        cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:  74 08                 je     0x39
  31:  48 89 df              mov    %rbx,%rdi
  34:  e8 6f b2 39 00        call   0x39b2a8
  39:  4c 8b 23              mov    (%rbx),%r12
  3c:  48 8d 7b c0           lea    -0x40(%rbx),%rdi

Tested on:

commit:         605c9699 bpf: relax zero fixed offset constraint on KF..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13e810a1980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8defeae77515c9b1
dashboard link: https://syzkaller.appspot.com/bug?extid=707d98c8649695eaf329
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
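Editor's added example, not part of the syzbot thread and not kernel code: a small C decoder for the two general protection faults above (the __xsk_map_flush and __cpu_map_flush reports). In both, the trapping instruction is KASAN's inline shadow check, `cmpb $0x0,(%rax,%r13,1)` and `cmpb $0x0,(%rax,%r15,1)`, with %rax holding the checked pointer shifted right by 3 and R13/R15 holding dffffc0000000000. The "non-canonical address" on the GPF line is therefore the address of the shadow byte, not the pointer the code dereferenced; the pointer is recovered as (shadow - KASAN_SHADOW_OFFSET) << 3, which is how the "in range [...]" annotation in each report is derived. Assumed and not stated in the thread: x86-64 with 4-level paging (47-bit user addresses) and the x86-64 KASAN_SHADOW_OFFSET value 0xdffffc0000000000. The register values in main() are copied from the two reports; the user/kernel split constant is assumed.

```c
/*
 * Decode a KASAN shadow-check #GP from the register state in an oops.
 * Added example for the two reports in this thread; not syzbot's or the
 * kernel's code. Assumes x86-64, 4-level paging, KASAN generic mode.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL /* x86-64 value (assumed) */
#define KASAN_SHADOW_SCALE_SHIFT 3                      /* one shadow byte per 8 bytes */
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define X86_PAGE_SIZE            4096ULL
#define X86_TASK_SIZE_MAX        ((1ULL << 47) - X86_PAGE_SIZE) /* 4-level paging (assumed) */

struct shadow_fault {
    bool        kasan_check; /* base register really was the shadow offset */
    uint64_t    shadow_addr; /* address the cmpb actually touched */
    uint64_t    orig_start;  /* first byte of the 8-byte granule being checked */
    uint64_t    orig_end;    /* last byte of that granule */
    bool        canonical;   /* false: the CPU raises #GP, not #PF */
    const char *bug_type;    /* the address class KASAN reports */
};

/* x86-64 with 4-level paging: bits 63..47 must all be copies of bit 47. */
bool is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Three buckets: below the first page, in user space, or anywhere else. */
const char *classify_access(uint64_t orig_addr)
{
    if (orig_addr < X86_PAGE_SIZE)
        return "null-ptr-deref";
    if (orig_addr < X86_TASK_SIZE_MAX)
        return "user-memory-access";
    return "wild-memory-access";
}

/*
 * index_reg: %rax at the trap (the checked pointer >> 3).
 * base_reg:  the register the cmpb adds to it (R13 / R15 in the reports).
 */
struct shadow_fault decode_shadow_fault(uint64_t index_reg, uint64_t base_reg)
{
    struct shadow_fault f;

    memset(&f, 0, sizeof(f));
    f.shadow_addr = index_reg + base_reg;            /* effective address of the cmpb */
    f.canonical   = is_canonical(f.shadow_addr);
    f.kasan_check = (base_reg == KASAN_SHADOW_OFFSET);
    if (!f.kasan_check) {
        /* Not a shadow lookup: do not invent an original pointer. */
        f.bug_type = "not a KASAN shadow check";
        return f;
    }
    f.orig_start = (f.shadow_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    f.orig_end   = f.orig_start + KASAN_GRANULE_SIZE - 1;
    f.bug_type   = classify_access(f.orig_start);
    return f;
}

static void report(const char *func, struct shadow_fault f)
{
    printf("%s: shadow 0x%016llx (%s)", func,
           (unsigned long long)f.shadow_addr,
           f.canonical ? "canonical" : "non-canonical");
    if (f.kasan_check)
        printf(", KASAN: %s in range [0x%016llx-0x%016llx]\n", f.bug_type,
               (unsigned long long)f.orig_start, (unsigned long long)f.orig_end);
    else
        printf(", %s\n", f.bug_type);
}

int main(void)
{
    /* Register values copied from the two oopses in this thread. */
    struct shadow_fault xsk = decode_shadow_fault(0x0000000000000008ULL,  /* RAX */
                                                  0xdffffc0000000000ULL); /* R13 */
    struct shadow_fault cpu = decode_shadow_fault(0x03ffff24000bcbe2ULL,  /* RAX */
                                                  0xdffffc0000000000ULL); /* R15 */

    report("__xsk_map_flush", xsk);
    report("__cpu_map_flush", cpu);
    return 0;
}
```

Run stand-alone it reproduces the two annotations on the page: a null-ptr-deref over [0x40-0x47] for __xsk_map_flush (a field at offset 0x40 of a NULL list entry) and a wild-memory-access over [0x1ffff920005e5f10-0x1ffff920005e5f17] for __cpu_map_flush, where the "pointer" being checked is itself a shadow-shaped value. The check on the base register matters in practice: a `cmpb` whose base is not the shadow offset is an ordinary memory access, and running the shadow arithmetic on it produces a meaningless address.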
Thread overview: 37+ messages
2024-07-19 5:12 [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all syzbot
2024-07-19 8:11 ` Jesper Dangaard Brouer
2024-07-20 9:15 ` syzbot
2024-07-21 3:28 ` [syzbot] Re: [syzbot] [net?] KMSAN: uninit-value in hsr_get_node (3) syzbot
2024-07-21 8:52 ` [syzbot] Re: [syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in bq_xmit_all syzbot
2024-07-21 10:45 ` syzbot
2024-07-21 11:37 ` syzbot
2024-07-21 13:16 ` syzbot
2024-07-21 13:29 ` syzbot
2024-07-21 14:44 ` syzbot
2024-07-21 15:04 ` syzbot
2024-07-21 15:13 ` syzbot
2024-07-21 15:47 ` syzbot
2024-07-21 16:35 ` syzbot
2024-07-21 16:36 ` syzbot
2024-07-21 16:38 ` syzbot
2024-07-22 9:43 ` syzbot
2024-07-22 9:43 ` syzbot
2024-07-22 9:44 ` syzbot
2024-07-22 9:48 ` syzbot
[not found] <20240721032833.168011-1-aha310510@gmail.com>
2024-07-21 4:48 ` syzbot
[not found] <20240721085206.230835-1-aha310510@gmail.com>
2024-07-21 9:26 ` syzbot
[not found] <20240721104511.234568-1-aha310510@gmail.com>
2024-07-21 11:22 ` syzbot
[not found] <20240721113702.235104-1-aha310510@gmail.com>
2024-07-21 12:02 ` syzbot
[not found] <20240721131603.267262-1-aha310510@gmail.com>
2024-07-21 13:41 ` syzbot
[not found] <20240721132859.268170-1-aha310510@gmail.com>
2024-07-21 13:59 ` syzbot
[not found] <20240721144408.268936-1-aha310510@gmail.com>
2024-07-21 15:18 ` syzbot
[not found] <20240721150446.269633-1-aha310510@gmail.com>
2024-07-21 15:45 ` syzbot
[not found] <20240721151344.269717-1-aha310510@gmail.com>
2024-07-21 16:09 ` syzbot
[not found] <20240721154738.269841-1-aha310510@gmail.com>
2024-07-21 16:10 ` syzbot
[not found] <20240721163522.2416-1-aha310510@gmail.com>
2024-07-21 17:11 ` syzbot
[not found] <20240721163635.2486-1-aha310510@gmail.com>
2024-07-21 17:29 ` syzbot
[not found] <20240721163824.2543-1-aha310510@gmail.com>
2024-07-21 17:53 ` syzbot
[not found] <20240722094330.4024-1-aha310510@gmail.com>
2024-07-22 11:15 ` syzbot
[not found] <20240722094345.4089-1-aha310510@gmail.com>
2024-07-22 13:51 ` syzbot
[not found] <20240722094420.4136-1-aha310510@gmail.com>
2024-07-22 13:57 ` syzbot
[not found] <20240722094810.4193-1-aha310510@gmail.com>
2024-07-22 14:19 ` syzbot