public inbox for linux-kernel@vger.kernel.org
From: syzbot <syzbot+d1b7fa1092def3628bd7@syzkaller.appspotmail.com>
To: contact@arnaud-lcm.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bpf?] KASAN: stack-out-of-bounds Write in __bpf_get_stack
Date: Sun, 04 Jan 2026 12:09:02 -0800
Message-ID: <695ac8de.050a0220.a5285.000a.GAE@google.com>
In-Reply-To: <20260104182922.971326-1-contact@arnaud-lcm.com>

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

SYZFAIL: failed to recv rpc

SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)


Warning: Permanently added '10.128.0.125' (ED25519) to the list of known hosts.
2026/01/04 20:08:05 parsed 1 programs
[   79.730779][ T5830] cgroup: Unknown subsys name 'net'
[   79.857873][ T5830] cgroup: Unknown subsys name 'cpuset'
[   79.866524][ T5830] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   81.320295][ T5830] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   84.221144][ T5848] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   84.415568][ T5850] chnl_net:caif_netlink_parms(): no params data found
[   84.924026][ T5850] bridge0: port 1(bridge_slave_0) entered blocking state
[   84.939498][ T5850] bridge0: port 1(bridge_slave_0) entered disabled state
[   84.954819][ T5850] bridge_slave_0: entered allmulticast mode
[   84.966272][ T5850] bridge_slave_0: entered promiscuous mode
[   85.069500][ T5850] bridge0: port 2(bridge_slave_1) entered blocking state
[   85.083944][ T5850] bridge0: port 2(bridge_slave_1) entered disabled state
[   85.091552][ T5850] bridge_slave_1: entered allmulticast mode
[   85.099656][ T5850] bridge_slave_1: entered promiscuous mode
[   85.261717][ T5850] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   85.274934][ T5850] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   85.565286][ T5850] team0: Port device team_slave_0 added
[   85.646765][ T5850] team0: Port device team_slave_1 added
[   85.855034][ T5850] batman_adv: batadv0: Adding interface: batadv_slave_0
[   85.862110][ T5850] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   85.890810][ T5850] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   85.937899][ T5850] batman_adv: batadv0: Adding interface: batadv_slave_1
[   85.955505][ T5850] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   85.983082][ T5850] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   86.096947][ T3011] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   86.119091][ T3011] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   86.222916][ T5850] hsr_slave_0: entered promiscuous mode
[   86.231976][ T5850] hsr_slave_1: entered promiscuous mode
[   86.386654][ T3011] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   86.408435][ T3011] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   86.852590][   T10] cfg80211: failed to load regulatory.db
[   86.916761][ T5915] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   86.926505][ T5915] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   86.934375][ T5915] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   86.942612][ T5915] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   86.950324][ T5915] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   87.486879][ T5850] netdevsim netdevsim4 netdevsim0: renamed from eth0
[   87.547161][ T5850] netdevsim netdevsim4 netdevsim1: renamed from eth1
[   87.628902][ T5850] netdevsim netdevsim4 netdevsim2: renamed from eth2
[   87.675708][ T5850] netdevsim netdevsim4 netdevsim3: renamed from eth3
[   88.020388][ T5850] 8021q: adding VLAN 0 to HW filter on device bond0
[   88.043725][ T5850] 8021q: adding VLAN 0 to HW filter on device team0
[   88.072115][ T3011] bridge0: port 1(bridge_slave_0) entered blocking state
[   88.079410][ T3011] bridge0: port 1(bridge_slave_0) entered forwarding state
[   88.110616][   T50] bridge0: port 2(bridge_slave_1) entered blocking state
[   88.117968][   T50] bridge0: port 2(bridge_slave_1) entered forwarding state
[   88.378710][ T5850] 8021q: adding VLAN 0 to HW filter on device batadv0
[   88.578669][ T5850] veth0_vlan: entered promiscuous mode
[   88.590813][ T5850] veth1_vlan: entered promiscuous mode
[   88.622078][ T5850] veth0_macvtap: entered promiscuous mode
[   88.632051][ T5850] veth1_macvtap: entered promiscuous mode
[   88.648977][ T5850] batman_adv: batadv0: Interface activated: batadv_slave_0
[   88.663182][ T5850] batman_adv: batadv0: Interface activated: batadv_slave_1
[   88.678972][   T50] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   88.690533][   T50] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   88.700858][   T50] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   88.710553][   T50] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
2026/01/04 20:08:16 executed programs: 0
[   88.865865][ T5915] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   88.876934][ T5915] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   88.885437][ T5915] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   88.893744][ T5915] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   88.901576][ T5915] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   88.995249][ T5151] Bluetooth: hci0: command tx timeout
[   89.100161][ T5949] chnl_net:caif_netlink_parms(): no params data found
[   89.177370][ T5949] bridge0: port 1(bridge_slave_0) entered blocking state
[   89.184801][ T5949] bridge0: port 1(bridge_slave_0) entered disabled state
[   89.191961][ T5949] bridge_slave_0: entered allmulticast mode
[   89.199570][ T5949] bridge_slave_0: entered promiscuous mode
[   89.207774][ T5949] bridge0: port 2(bridge_slave_1) entered blocking state
[   89.215047][ T5949] bridge0: port 2(bridge_slave_1) entered disabled state
[   89.222237][ T5949] bridge_slave_1: entered allmulticast mode
[   89.229908][ T5949] bridge_slave_1: entered promiscuous mode
[   89.259789][ T5949] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   89.271299][ T5949] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   89.302556][ T5949] team0: Port device team_slave_0 added
[   89.310953][ T5949] team0: Port device team_slave_1 added
[   89.338706][ T5949] batman_adv: batadv0: Adding interface: batadv_slave_0
[   89.345761][ T5949] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   89.372170][ T5949] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   89.384318][ T5949] batman_adv: batadv0: Adding interface: batadv_slave_1
[   89.391316][ T5949] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   89.417983][ T5949] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   89.468539][ T5949] hsr_slave_0: entered promiscuous mode
[   89.475789][ T5949] hsr_slave_1: entered promiscuous mode
[   89.481886][ T5949] debugfs: 'hsr0' already exists in 'hsr'
[   89.488687][ T5949] Cannot create hsr debugfs directory
[   89.630976][ T5949] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   89.646717][ T5949] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   89.657293][ T5949] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   89.668667][ T5949] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   89.739310][ T5949] 8021q: adding VLAN 0 to HW filter on device bond0
[   89.757774][ T5949] 8021q: adding VLAN 0 to HW filter on device team0
[   89.770803][   T50] bridge0: port 1(bridge_slave_0) entered blocking state
[   89.778040][   T50] bridge0: port 1(bridge_slave_0) entered forwarding state
[   89.792156][ T1140] bridge0: port 2(bridge_slave_1) entered blocking state
[   89.799296][ T1140] bridge0: port 2(bridge_slave_1) entered forwarding state
[   89.960666][ T5949] 8021q: adding VLAN 0 to HW filter on device batadv0
[   90.002819][ T5949] veth0_vlan: entered promiscuous mode
[   90.014073][ T5949] veth1_vlan: entered promiscuous mode
[   90.043369][ T5949] veth0_macvtap: entered promiscuous mode
[   90.054407][ T5949] veth1_macvtap: entered promiscuous mode
[   90.072472][ T5949] batman_adv: batadv0: Interface activated: batadv_slave_0
[   90.088593][ T5949] batman_adv: batadv0: Interface activated: batadv_slave_1
[   90.101621][   T50] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   90.111812][   T50] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   90.124276][   T50] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   90.137103][   T50] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   90.202203][   T36] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   90.210471][   T36] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   90.241519][   T36] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   90.250208][   T36] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   90.511972][   T36] netdevsim netdevsim4 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2271743110=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 4e1406b4d
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"4e1406b4defac0e2a9d9424c70706f79a7750cf3\"
/usr/bin/ld: /tmp/ccfgb6KF.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         a069190b bpf: Replace __opt annotation with __nullable..
git tree:       bpf-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=9c5e9eccee9bc2fe
dashboard link: https://syzkaller.appspot.com/bug?extid=d1b7fa1092def3628bd7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12414f92580000


Thread overview: 29+ messages
2025-11-10 18:41 [syzbot] [bpf?] KASAN: stack-out-of-bounds Write in __bpf_get_stack syzbot
2025-11-10 19:01 ` Forwarded: " syzbot
2025-11-10 19:17 ` syzbot
2025-11-10 20:58 ` syzbot
2025-11-10 21:16 ` [RFC bpf-next PATCH] bpf: Clamp trace length in __bpf_get_stack to fix OOB write Brahmajit Das
2025-11-10 23:43 ` Forwarded: Re: [syzbot] [bpf?] KASAN: stack-out-of-bounds Write in __bpf_get_stack syzbot
2025-11-11  0:21 ` syzbot
2025-11-11  0:37 ` [PATCH bpf-next v2] bpf: Clamp trace length in __bpf_get_stack to fix OOB write Brahmajit Das
2025-11-11  1:04   ` bot+bpf-ci
2025-11-11  8:12 ` [PATCH bpf-next v3] " Brahmajit Das
2025-11-12  1:44   ` Yonghong Song
2025-11-12  8:40   ` Lecomte, Arnaud
2025-11-12  8:58     ` Brahmajit Das
2025-11-13 12:49     ` Brahmajit Das
2025-11-13 13:26       ` Lecomte, Arnaud
2025-11-13 13:49         ` Brahmajit Das
2025-11-12 13:35   ` David Laight
2025-11-12 14:47     ` Brahmajit Das
2025-11-12 16:11       ` Lecomte, Arnaud
2025-11-12 21:37         ` David Laight
2026-01-04 18:29 ` #syz test Arnaud Lecomte
2026-01-04 20:09   ` syzbot [this message]
2026-01-04 18:30 ` Arnaud Lecomte
2026-01-04 20:43   ` [syzbot] [bpf?] KASAN: stack-out-of-bounds Write in __bpf_get_stack syzbot
     [not found] <ckkn76mbmurstoxlhjfnrwjht2hydo3daius5kc42j6s3nsc2o@d4ftoisfyii5>
2025-11-10 19:33 ` syzbot
     [not found] <6fyxpa6cocnr4hbpmzrwel4t2huouz5p4ul6qawttjzlgmuysn@hcleklvgi464>
2025-11-10 19:50 ` syzbot
     [not found] <iattottzq4koautrgwq74vaxrohcqpfcxarygoyroaimoorggg@g6lxrp34lajg>
2025-11-10 21:34 ` syzbot
     [not found] <xgynmmyztqi2kkzhchyzgzd2clszohjy4vinzb2ij4qyvdz4mc@36tdk5l7bq5s>
2025-11-11  0:22 ` syzbot
     [not found] <nytg5vjyof6he3v46kqhhyqochwgpk7bjx2topppykhqmw6kds@pin7crrdgg2i>
2025-11-11  2:28 ` syzbot
