==================================================================
BUG: KASAN: invalid-access in dev_map_enqueue+0x4/0xb0 kernel/bpf/devmap.c:538
Read at addr f5f00000043e9800 by task syz.0.11780/5381
Pointer tag: [f5], memory tag: [fd]

CPU: 0 PID: 5381 Comm: syz.0.11780 Not tainted 6.10.0-rc7-syzkaller-00141-g43db1e03c086 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x108/0x618 mm/kasan/report.c:488
 kasan_report+0x88/0xac mm/kasan/report.c:601
 report_tag_fault arch/arm64/mm/fault.c:331 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:343 [inline]
 __do_kernel_fault+0x1a0/0x1dc arch/arm64/mm/fault.c:385
 do_bad_area arch/arm64/mm/fault.c:485 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:750
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:826
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:432
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:492
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:593
 dev_map_enqueue+0x4/0xb0 kernel/bpf/devmap.c:538
 tun_xdp_act+0x5c/0x2c4 drivers/net/tun.c:1626
 tun_build_skb.constprop.0+0x310/0x430 drivers/net/tun.c:1716
 tun_get_user+0x7dc/0xf94 drivers/net/tun.c:1819
 tun_chr_write_iter+0x5c/0xe8 drivers/net/tun.c:2048
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x238/0x370 fs/read_write.c:590
 ksys_write+0x70/0x104 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __arm64_sys_write+0x1c/0x28 fs/read_write.c:652
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
 el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598

The buggy address belongs to the object at fff00000043e9800
 which belongs to the cache kmalloc-cg-64 of size 64
The buggy address is located 0 bytes inside of
 48-byte region [fff00000043e9800, fff00000043e9830)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xf4f00000043e9240 pfn:0x443e9
memcg:f1f00000042a3a01
ksm flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xffffefff(slab)
raw: 01ffc00000000000 f4f0000002c03a00 ffffc1ffc00d4cc0 dead000000000003
raw: f4f00000043e9240 000000008040003b 00000001ffffefff f1f00000042a3a01
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 fff00000043e9600: f9 f9 f9 f9 f4 f4 f4 fe fe fe fe fe f7 f7 f7 fe
 fff00000043e9700: fe fe fe fe f2 f2 f2 fe fc fc fc fe fc fc fc fc
>fff00000043e9800: fd fd fd fe f2 f2 f2 fe f2 f2 f2 fe fe fe fe fe
                   ^
 fff00000043e9900: f9 f9 f9 fe fa fa fa fe fe fe fe fe f9 f9 f9 fe
 fff00000043e9a00: f9 f9 f9 fe fe fe fe fe f5 f5 f5 fe fc fc fc fe
==================================================================
Unable to handle kernel NULL pointer dereference at virtual address 00000000000001d9
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 52-bit VAs, pgdp=000000004610fa80
[00000000000001d9] pgd=080000004781e003, p4d=080000006d140003, pud=0800000049f8a003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 5381 Comm: syz.0.11780 Tainted: G B 6.10.0-rc7-syzkaller-00141-g43db1e03c086 #0
Hardware name: linux,dummy-virt (DT)
pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : __xdp_enqueue kernel/bpf/devmap.c:484 [inline]
pc : dev_map_enqueue+0xc/0xb0 kernel/bpf/devmap.c:541
lr : __xdp_do_redirect_frame net/core/filter.c:4402 [inline]
lr : xdp_do_redirect+0x104/0x240 net/core/filter.c:4442
sp : ffff80008b91baa0
x29: ffff80008b91baa0 x28: f7ff80008a798000 x27: f2f000000980815e
x26: 0000000000000000 x25: f2f000000d0c0a00 x24: fcf0000009567780
x23: f2f000000d0c0000 x22: fff07ffffd2e9000 x21: fff000007f8d4d20
x20: f2f0000009808000 x19: ffff8000825ebd20 x18: 0000000000000001
x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200003c0
x14: 0000000000000002 x13: 0000000000000000 x12: 00000000000692d3
x11: 0000000000000000 x10: fff000007f9fe258 x9 : ffff800081516894
x8 : ffff80008b91bbe8 x7 : 0019000000000004 x6 : 0000000000000118
x5 : f5f00000043e9800 x4 : 000000000000000e x3 : f0f0000006472fe0
x2 : f2f000000d0c0000 x1 : f2f0000009808000 x0 : 0000000000000001
Call trace:
 dev_map_enqueue+0xc/0xb0 kernel/bpf/devmap.c:541
 tun_xdp_act+0x5c/0x2c4 drivers/net/tun.c:1626
 tun_build_skb.constprop.0+0x310/0x430 drivers/net/tun.c:1716
 tun_get_user+0x7dc/0xf94 drivers/net/tun.c:1819
 tun_chr_write_iter+0x5c/0xe8 drivers/net/tun.c:2048
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x238/0x370 fs/read_write.c:590
 ksys_write+0x70/0x104 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __arm64_sys_write+0x1c/0x28 fs/read_write.c:652
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
 el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
Code: d65f03c0 aa0003e3 f9400000 f9400c63 (b941d805)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   d65f03c0    ret
   4:   aa0003e3    mov x3, x0
   8:   f9400000    ldr x0, [x0]
   c:   f9400c63    ldr x3, [x3, #24]
* 10:   b941d805    ldr w5, [x0, #472] <-- trapping instruction