==================================================================
BUG: KASAN: use-after-free in bq_enqueue kernel/bpf/cpumap.c:749 [inline]
BUG: KASAN: use-after-free in cpu_map_enqueue+0xb0/0x310 kernel/bpf/cpumap.c:775
Read of size 8 at addr ffff0000cd56b208 by task syz.3.346/5344

CPU: 1 PID: 5344 Comm: syz.3.346 Not tainted 6.1.127-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:427
 kasan_report+0xd4/0x130 mm/kasan/report.c:531
 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
 bq_enqueue kernel/bpf/cpumap.c:749 [inline]
 cpu_map_enqueue+0xb0/0x310 kernel/bpf/cpumap.c:775
 __xdp_do_redirect_frame net/core/filter.c:4324 [inline]
 xdp_do_redirect+0x54c/0x9d8 net/core/filter.c:4368
 tun_xdp_act+0xf4/0xfd0 drivers/net/tun.c:1625
 tun_build_skb drivers/net/tun.c:1715 [inline]
 tun_get_user+0x27d4/0x386c drivers/net/tun.c:1818
 tun_chr_write_iter+0xfc/0x204 drivers/net/tun.c:2044
 call_write_iter include/linux/fs.h:2265 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x610/0x91c fs/read_write.c:584
 ksys_write+0x15c/0x26c fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 5319:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:936 [inline]
 __kmalloc_node+0xe0/0x1d0 mm/slab_common.c:943
 kmalloc_node include/linux/slab.h:589 [inline]
 bpf_map_kmalloc_node+0x21c/0x610 kernel/bpf/syscall.c:452
 __cpu_map_entry_alloc kernel/bpf/cpumap.c:445 [inline]
 cpu_map_update_elem+0x260/0xda0 kernel/bpf/cpumap.c:603
 bpf_map_update_value+0x294/0x844 kernel/bpf/syscall.c:188
 map_update_elem+0x538/0x6b8 kernel/bpf/syscall.c:1463
 __sys_bpf+0x2dc/0x654 kernel/bpf/syscall.c:5013
 __do_sys_bpf kernel/bpf/syscall.c:5129 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5127 [inline]
 __arm64_sys_bpf+0x80/0x98 kernel/bpf/syscall.c:5127
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Freed by task 5320:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
 ____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0x2c0/0x4b4 mm/slub.c:3674
 kfree+0xcc/0x1b8 mm/slab_common.c:988
 put_cpu_map_entry+0x5a8/0x648 kernel/bpf/cpumap.c:161
 cpu_map_kthread_run+0x2188/0x223c kernel/bpf/cpumap.c:408
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Last potentially related work creation:
 kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
 insert_work+0x64/0x384 kernel/workqueue.c:1361
 __queue_work+0xd48/0x136c kernel/workqueue.c:1520
 queue_work_on+0xc0/0x16c kernel/workqueue.c:1548
 queue_work include/linux/workqueue.h:512 [inline]
 schedule_work include/linux/workqueue.h:573 [inline]
 __cpu_map_entry_replace+0x17c/0x19c kernel/bpf/cpumap.c:558
 cpu_map_free+0xac/0x170 kernel/bpf/cpumap.c:641
 bpf_map_free_deferred+0xbc/0xd0 kernel/bpf/syscall.c:635
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Second to last potentially related work creation:
 kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
 call_rcu+0xfc/0xa40 kernel/rcu/tree.c:2845
 __cpu_map_entry_replace+0x94/0x19c kernel/bpf/cpumap.c:556
 cpu_map_free+0xac/0x170 kernel/bpf/cpumap.c:641
 bpf_map_free_deferred+0xbc/0xd0 kernel/bpf/syscall.c:635
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

The buggy address belongs to the object at ffff0000cd56b200
 which belongs to the cache kmalloc-cg-256 of size 256
The buggy address is located 8 bytes inside of
 256-byte region [ffff0000cd56b200, ffff0000cd56b300)

The buggy address belongs to the physical page:
page:000000001f482857 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d56a
head:000000001f482857 order:1 compound_mapcount:0 compound_pincount:0
memcg:ffff0000f5333201
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc0003528300 dead000000000003 ffff0000c0002f00
raw: 0000000000000000 0000000080100010 00000001ffffffff ffff0000f5333201
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cd56b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000cd56b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000cd56b200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff0000cd56b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000cd56b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Unable to handle kernel paging request at virtual address e0ae108713c63ca4
KASAN: maybe wild-memory-access in range [0x057484389e31e520-0x057484389e31e527]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
[e0ae108713c63ca4] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 5344 Comm: syz.3.346 Tainted: G B 6.1.127-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : bq_enqueue kernel/bpf/cpumap.c:751 [inline]
pc : cpu_map_enqueue+0x100/0x310 kernel/bpf/cpumap.c:775
lr : bq_enqueue kernel/bpf/cpumap.c:749 [inline]
lr : cpu_map_enqueue+0xd8/0x310 kernel/bpf/cpumap.c:775
sp : ffff8000218275b0
x29: ffff8000218275b0 x28: ffff0000f0310000 x27: ffff0001b3d12f00
x26: ffff0000cd56b200 x25: ffff80019e31d000 x24: dfff800000000000
x23: 00ae908713c63ca4 x22: ffff800015a91148 x21: 057484389e31e520
x20: 057484389e31e4c8 x19: ffff0000caf90000 x18: 0000000000000278
x17: 0000000000000000 x16: ffff80001232fa24 x15: 0000000000000002
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000080000
x11: 000000000002f0d7 x10: ffff80002626b000 x9 : ffff8000086ab3fc
x8 : ffff80019e31d000 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800021826db8 x4 : ffff800015b731c0 x3 : ffff8000081a873c
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000008
Call trace:
 bq_enqueue kernel/bpf/cpumap.c:751 [inline]
 cpu_map_enqueue+0x100/0x310 kernel/bpf/cpumap.c:775
 __xdp_do_redirect_frame net/core/filter.c:4324 [inline]
 xdp_do_redirect+0x54c/0x9d8 net/core/filter.c:4368
 tun_xdp_act+0xf4/0xfd0 drivers/net/tun.c:1625
 tun_build_skb drivers/net/tun.c:1715 [inline]
 tun_get_user+0x27d4/0x386c drivers/net/tun.c:1818
 tun_chr_write_iter+0xfc/0x204 drivers/net/tun.c:2044
 call_write_iter include/linux/fs.h:2265 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x610/0x91c fs/read_write.c:584
 ksys_write+0x15c/0x26c fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: f9400288 8b170114 91016295 d343feb7 (38f86ae8)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	f9400288 	ldr	x8, [x20]
   4:	8b170114 	add	x20, x8, x23
   8:	91016295 	add	x21, x20, #0x58
   c:	d343feb7 	lsr	x23, x21, #3
* 10:	38f86ae8 	ldrsb	w8, [x23, x24] <-- trapping instruction