bisecting cause commit starting from 2019fc96af228b412bdb2e8e0ad4b1fc12046a51 building syzkaller on cf9142006bfa242d2bbf5916749e42327103f803 testing commit 2019fc96af228b412bdb2e8e0ad4b1fc12046a51 with gcc (GCC) 8.1.0 kernel signature: e3722411f0db40a8550ed306b77e980de4bb8e43bd54710bc661ad36b632045b all runs: crashed: possible deadlock in htab_lru_map_delete_node testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: d6cc2112bd3b5cf5dfb844108d485c9d43febd3c4bcf9a855f455ca33f55e780 all runs: OK # git bisect start 2019fc96af228b412bdb2e8e0ad4b1fc12046a51 d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 Bisecting: 6090 revisions left to test after this (roughly 13 steps) [4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0 kernel signature: 3868a52f2e619f94525241d1d08bbddfad6d3ae9bd78c596c552d76c75fc992a all runs: crashed: possible deadlock in htab_lru_map_delete_node # git bisect bad 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb Bisecting: 2314 revisions left to test after this (roughly 12 steps) [bd2463ac7d7ec51d432f23bf0e893fb371a908cd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit bd2463ac7d7ec51d432f23bf0e893fb371a908cd with gcc (GCC) 8.1.0 kernel signature: 505555eb685aa40e8d2d22878e2c37a512ffadb345e5d47dfcf18d3924957502 all runs: crashed: possible deadlock in htab_lru_map_delete_node # git bisect bad bd2463ac7d7ec51d432f23bf0e893fb371a908cd Bisecting: 1616 revisions left to test after this (roughly 11 steps) [6bc82d9b7e6371673992ed5e3897cf7fb8cc4f41] qed: rt init valid initialization changed testing commit 6bc82d9b7e6371673992ed5e3897cf7fb8cc4f41 with gcc (GCC) 8.1.0 kernel signature: 0cefcfdbbbb40e9802454182f73f281bb67335b08049639f70ee9c8c3b63c89b all runs: crashed: possible deadlock in htab_lru_map_delete_node # git bisect bad 6bc82d9b7e6371673992ed5e3897cf7fb8cc4f41 Bisecting: 808 revisions left to test after this (roughly 10 steps) [b9ae51273655a72a12fba730843fd72fb132735a] hsr: fix dummy hsr_debugfs_rename() declaration testing commit b9ae51273655a72a12fba730843fd72fb132735a with gcc (GCC) 8.1.0 kernel signature: f46cc88611197e11482e8c6ab2b5c07d3fa72ce3d1717c9219c2abbf316e6f2e all runs: OK # git bisect good b9ae51273655a72a12fba730843fd72fb132735a Bisecting: 435 revisions left to test after this (roughly 9 steps) [7c453526dc50460c63ff28df7673570dd057c5d0] net/mlx5e: Enable all available stats for uplink reps testing commit 7c453526dc50460c63ff28df7673570dd057c5d0 with gcc (GCC) 8.1.0 kernel signature: ae81dee5ac644308ee22ae195a0d2752d3ac3150e0d9af05ee84b09821fefc40 all runs: OK # git bisect good 7c453526dc50460c63ff28df7673570dd057c5d0 Bisecting: 218 revisions left to test after this (roughly 8 steps) [5a44c71ccda60a50073c5d7fe3f694cdfa3ab0c2] drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' testing commit 5a44c71ccda60a50073c5d7fe3f694cdfa3ab0c2 with gcc (GCC) 8.1.0 kernel signature: 0c5d949fe42dc030f0f1205fdb49321348a9b19af1c866af6f9b326df58d1946 all runs: crashed: possible deadlock in htab_lru_map_delete_node # git bisect bad 5a44c71ccda60a50073c5d7fe3f694cdfa3ab0c2 Bisecting: 108 revisions left to test after this (roughly 7 steps) [cf4eeee5ff56180b525bfb6a204071216ca4000a] pie: rearrange macros in order of length testing commit cf4eeee5ff56180b525bfb6a204071216ca4000a with gcc (GCC) 8.1.0 kernel signature: 5b4f8b47a1dfe815eab1896dc6074a20ba8dc47e8f1d7425866c1ee83a42b2a7 all runs: crashed: possible deadlock in htab_lru_map_delete_node # git bisect bad cf4eeee5ff56180b525bfb6a204071216ca4000a Bisecting: 53 revisions left to test after this (roughly 6 steps) [f0fac2cec2861abc6fc0c094fb2584d9a33f868d] selftests/bpf: Add batch ops testing to array bpf map testing commit f0fac2cec2861abc6fc0c094fb2584d9a33f868d with gcc (GCC) 8.1.0 kernel signature: 27c24278737ea801d644535b18f99906f7fcbded4cf16afb89fa2ba6e7f1d13c run #0: crashed: possible deadlock in htab_lru_map_delete_node run #1: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #2: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #3: crashed: possible deadlock in htab_lru_map_delete_node run #4: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #5: crashed: possible deadlock in htab_lru_map_delete_node run #6: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #7: crashed: possible deadlock in htab_lru_map_delete_node run #8: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #9: crashed: possible deadlock in htab_lru_map_delete_node # git bisect bad f0fac2cec2861abc6fc0c094fb2584d9a33f868d Bisecting: 26 revisions left to test after this (roughly 5 steps) [360301a6c21be87fe881546bd5f22eccf7a165c5] selftests/bpf: Add unit tests for global functions testing commit 360301a6c21be87fe881546bd5f22eccf7a165c5 with gcc (GCC) 8.1.0 kernel signature: 0c511e8df52832c24c1c469f2f0bc7e8987af53483021bbda3d373e2eb663185 all runs: OK # git bisect good 360301a6c21be87fe881546bd5f22eccf7a165c5 Bisecting: 13 revisions left to test after this (roughly 4 steps) [d3a56931f9c8644a52e7a6735954c84ea895e8c3] xsk: Support allocations of large umems testing commit d3a56931f9c8644a52e7a6735954c84ea895e8c3 with gcc (GCC) 8.1.0 kernel signature: 0bf6334b764136ebfba97429f0153247bc2146977ca45934e26e48e710515d02 all runs: OK # git bisect good d3a56931f9c8644a52e7a6735954c84ea895e8c3 Bisecting: 6 revisions left to test after this (roughly 3 steps) [cb4d03ab499d4c040f4ab6fd4389d2b49f42b5a5] bpf: Add generic support for lookup batch op testing commit cb4d03ab499d4c040f4ab6fd4389d2b49f42b5a5 with gcc (GCC) 8.1.0 kernel signature: 1a385f1c42f29ea6b1c6b6285299c659e54bc87bc8e8e1128232d82e991294d2 all runs: OK # git bisect good cb4d03ab499d4c040f4ab6fd4389d2b49f42b5a5 Bisecting: 3 revisions left to test after this (roughly 2 steps) [057996380a42bb64ccc04383cfa9c0ace4ea11f0] bpf: Add batch ops to all htab bpf map testing commit 057996380a42bb64ccc04383cfa9c0ace4ea11f0 with gcc (GCC) 8.1.0 kernel signature: da9f9f4ef56d18933ae6d3895cac073a09231445d2bd079cca4bfc499ea2bcc4 run #0: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #1: crashed: possible deadlock in htab_lru_map_delete_node run #2: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #3: crashed: possible deadlock in htab_lru_map_delete_node run #4: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #5: crashed: possible deadlock in htab_lru_map_delete_node run #6: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #7: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #8: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE! run #9: crashed: possible deadlock in htab_lru_map_delete_node # git bisect bad 057996380a42bb64ccc04383cfa9c0ace4ea11f0 Bisecting: 0 revisions left to test after this (roughly 1 step) [c60f2d2861778de6370a4f4ca6ab1d7d4a32efae] bpf: Add lookup and update batch ops to arraymap testing commit c60f2d2861778de6370a4f4ca6ab1d7d4a32efae with gcc (GCC) 8.1.0 kernel signature: 9b223a16a4b51f813dd118e33dccd144d87b1f2c86c526518a6f8f9d31449177 all runs: OK # git bisect good c60f2d2861778de6370a4f4ca6ab1d7d4a32efae 057996380a42bb64ccc04383cfa9c0ace4ea11f0 is the first bad commit commit 057996380a42bb64ccc04383cfa9c0ace4ea11f0 Author: Yonghong Song Date: Wed Jan 15 10:43:04 2020 -0800 bpf: Add batch ops to all htab bpf map htab can't use generic batch support due some problematic behaviours inherent to the data structre, i.e. while iterating the bpf map a concurrent program might delete the next entry that batch was about to use, in that case there's no easy solution to retrieve the next entry, the issue has been discussed multiple times (see [1] and [2]). The only way hmap can be traversed without the problem previously exposed is by making sure that the map is traversing entire buckets. This commit implements those strict requirements for hmap, the implementation follows the same interaction that generic support with some exceptions: - If keys/values buffer are not big enough to traverse a bucket, ENOSPC will be returned. - out_batch contains the value of the next bucket in the iteration, not the next key, but this is transparent for the user since the user should never use out_batch for other than bpf batch syscalls. This commits implements BPF_MAP_LOOKUP_BATCH and adds support for new command BPF_MAP_LOOKUP_AND_DELETE_BATCH. Note that for update/delete batch ops it is possible to use the generic implementations. [1] https://lore.kernel.org/bpf/20190724165803.87470-1-brianvv@google.com/ [2] https://lore.kernel.org/bpf/20190906225434.3635421-1-yhs@fb.com/ Signed-off-by: Yonghong Song Signed-off-by: Brian Vazquez Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200115184308.162644-6-brianvv@google.com include/linux/bpf.h | 3 + include/uapi/linux/bpf.h | 1 + kernel/bpf/hashtab.c | 264 +++++++++++++++++++++++++++++++++++++++++++++++ kernel/bpf/syscall.c | 9 +- 4 files changed, 276 insertions(+), 1 deletion(-) culprit signature: da9f9f4ef56d18933ae6d3895cac073a09231445d2bd079cca4bfc499ea2bcc4 parent signature: 9b223a16a4b51f813dd118e33dccd144d87b1f2c86c526518a6f8f9d31449177 revisions tested: 15, total time: 3h28m0.207353084s (build: 1h38m49.063453378s, test: 1h48m10.729153035s) first bad commit: 057996380a42bb64ccc04383cfa9c0ace4ea11f0 bpf: Add batch ops to all htab bpf map cc: ["ast@kernel.org" "brianvv@google.com" "yhs@fb.com"] crash: possible deadlock in htab_lru_map_delete_node ====================================================== WARNING: possible circular locking dependency detected 5.5.0-rc4-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.3/8253 is trying to acquire lock: ffff888094bf80a0 (&htab->buckets[i].lock){....}, at: htab_lru_map_delete_node+0xbf/0x2d0 kernel/bpf/hashtab.c:593 but task is already holding lock: ffff888094bf8a18 (&l->lock){....}, at: bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:325 [inline] ffff888094bf8a18 (&l->lock){....}, at: bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] ffff888094bf8a18 (&l->lock){....}, at: bpf_lru_pop_free+0x31e/0x13e0 kernel/bpf/bpf_lru_list.c:499 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&l->lock){....}: __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2d/0x40 kernel/locking/spinlock.c:151 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:325 [inline] bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] bpf_lru_pop_free+0x31e/0x13e0 kernel/bpf/bpf_lru_list.c:499 prealloc_lru_pop+0x24/0x90 kernel/bpf/hashtab.c:132 __htab_lru_percpu_map_update_elem+0x5b0/0x950 kernel/bpf/hashtab.c:1069 bpf_percpu_hash_update+0xe3/0x150 kernel/bpf/hashtab.c:1585 bpf_map_update_value.isra.25+0x1e8/0x6b0 kernel/bpf/syscall.c:181 generic_map_update_batch+0x3e3/0x4b0 kernel/bpf/syscall.c:1311 bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333 __do_sys_bpf+0x6d7/0x32e0 kernel/bpf/syscall.c:3445 __se_sys_bpf kernel/bpf/syscall.c:3340 [inline] __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #1 (&loc_l->lock){....}: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:159 bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:516 [inline] bpf_lru_push_free+0x1d5/0x4f0 kernel/bpf/bpf_lru_list.c:555 __htab_map_lookup_and_delete_batch+0x6e2/0x1170 kernel/bpf/hashtab.c:1374 htab_lru_map_lookup_and_delete_batch+0x17/0x20 kernel/bpf/hashtab.c:1491 bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333 __do_sys_bpf+0x17f4/0x32e0 kernel/bpf/syscall.c:3441 __se_sys_bpf kernel/bpf/syscall.c:3340 [inline] __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #0 (&htab->buckets[i].lock){....}: check_prev_add kernel/locking/lockdep.c:2476 [inline] check_prevs_add kernel/locking/lockdep.c:2581 [inline] validate_chain kernel/locking/lockdep.c:2971 [inline] __lock_acquire+0x2899/0x4ef0 kernel/locking/lockdep.c:3955 lock_acquire+0x194/0x410 kernel/locking/lockdep.c:4485 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:159 htab_lru_map_delete_node+0xbf/0x2d0 kernel/bpf/hashtab.c:593 __bpf_lru_list_shrink_inactive kernel/bpf/bpf_lru_list.c:220 [inline] __bpf_lru_list_shrink+0xf3/0x3c0 kernel/bpf/bpf_lru_list.c:266 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:340 [inline] bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] bpf_lru_pop_free+0x4cc/0x13e0 kernel/bpf/bpf_lru_list.c:499 prealloc_lru_pop+0x24/0x90 kernel/bpf/hashtab.c:132 __htab_lru_percpu_map_update_elem+0x5b0/0x950 kernel/bpf/hashtab.c:1069 bpf_percpu_hash_update+0xe3/0x150 kernel/bpf/hashtab.c:1585 bpf_map_update_value.isra.25+0x1e8/0x6b0 kernel/bpf/syscall.c:181 generic_map_update_batch+0x3e3/0x4b0 kernel/bpf/syscall.c:1311 bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333 __do_sys_bpf+0x6d7/0x32e0 kernel/bpf/syscall.c:3445 __se_sys_bpf kernel/bpf/syscall.c:3340 [inline] __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe other info that might help us debug this: Chain exists of: &htab->buckets[i].lock --> &loc_l->lock --> &l->lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&l->lock); lock(&loc_l->lock); lock(&l->lock); lock(&htab->buckets[i].lock); *** DEADLOCK *** 3 locks held by syz-executor.3/8253: #0: ffffffff88d99180 (rcu_read_lock){....}, at: bpf_percpu_hash_update+0x0/0x150 kernel/bpf/hashtab.c:1565 #1: ffffe8ffffcbe2f0 (&loc_l->lock){....}, at: bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:443 [inline] #1: ffffe8ffffcbe2f0 (&loc_l->lock){....}, at: bpf_lru_pop_free+0x2d7/0x13e0 kernel/bpf/bpf_lru_list.c:499 #2: ffff888094bf8a18 (&l->lock){....}, at: bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:325 [inline] #2: ffff888094bf8a18 (&l->lock){....}, at: bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] #2: ffff888094bf8a18 (&l->lock){....}, at: bpf_lru_pop_free+0x31e/0x13e0 kernel/bpf/bpf_lru_list.c:499 stack backtrace: CPU: 0 PID: 8253 Comm: syz-executor.3 Not tainted 5.5.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x12d/0x187 lib/dump_stack.c:118 print_circular_bug.isra.39.cold.58+0x15a/0x169 kernel/locking/lockdep.c:1685 check_noncircular+0x349/0x400 kernel/locking/lockdep.c:1809 check_prev_add kernel/locking/lockdep.c:2476 [inline] check_prevs_add kernel/locking/lockdep.c:2581 [inline] validate_chain kernel/locking/lockdep.c:2971 [inline] __lock_acquire+0x2899/0x4ef0 kernel/locking/lockdep.c:3955 lock_acquire+0x194/0x410 kernel/locking/lockdep.c:4485 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:159 htab_lru_map_delete_node+0xbf/0x2d0 kernel/bpf/hashtab.c:593 __bpf_lru_list_shrink_inactive kernel/bpf/bpf_lru_list.c:220 [inline] __bpf_lru_list_shrink+0xf3/0x3c0 kernel/bpf/bpf_lru_list.c:266 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:340 [inline] bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] bpf_lru_pop_free+0x4cc/0x13e0 kernel/bpf/bpf_lru_list.c:499 prealloc_lru_pop+0x24/0x90 kernel/bpf/hashtab.c:132 __htab_lru_percpu_map_update_elem+0x5b0/0x950 kernel/bpf/hashtab.c:1069 bpf_percpu_hash_update+0xe3/0x150 kernel/bpf/hashtab.c:1585 bpf_map_update_value.isra.25+0x1e8/0x6b0 kernel/bpf/syscall.c:181 generic_map_update_batch+0x3e3/0x4b0 kernel/bpf/syscall.c:1311 bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333 __do_sys_bpf+0x6d7/0x32e0 kernel/bpf/syscall.c:3445 __se_sys_bpf kernel/bpf/syscall.c:3340 [inline] __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45c6c9 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fefcb1dcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007fefcb1dd6d4 RCX: 000000000045c6c9 RDX: 0000000000000038 RSI: 0000000020000040 RDI: 000000000000001a RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000062 R14: 00000000004c2ec4 R15: 000000000076bf2c ------------[ cut here ]------------ kernel BUG at arch/x86/mm/physaddr.c:22! invalid opcode: 0000 [#2] PREEMPT SMP KASAN CPU: 0 PID: 8253 Comm: syz-executor.3 Tainted: G D 5.5.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__phys_addr+0xac/0xc0 arch/x86/mm/physaddr.c:22 Code: 88 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 80 3c 02 00 75 15 48 8b 05 e0 46 98 07 48 01 d8 48 81 fb ff ff ff 1f 76 b8 <0f> 0b e8 0d e6 6f 00 eb e4 90 66 2e 0f 1f 84 00 00 00 00 00 b8 00 RSP: 0018:ffffc90002e07a38 EFLAGS: 00010016 RAX: 000000007ffffff2 RBX: 000000007ffffff2 RCX: ffff888077121000 RDX: 1ffffffff118ea02 RSI: ffff8880aa4001c0 RDI: ffffffff88c75010 RBP: ffffc90002e07a48 R08: 00000000fcd58199 R09: fffffbfff135ebc1 R10: fffffbfff135ebc0 R11: ffffffff89af5e07 R12: fffffffffffffff2 R13: ffffffff8174c3bb R14: 0000000000000010 R15: ffff888094bf8800 FS: 00007fefcb1dd700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000021000000 CR3: 000000008efa8000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: virt_to_head_page include/linux/mm.h:731 [inline] virt_to_cache mm/slab.h:472 [inline] kfree+0x7b/0x2c0 mm/slab.c:3749 generic_map_update_batch+0x2fb/0x4b0 kernel/bpf/syscall.c:1322 bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333 __do_sys_bpf+0x6d7/0x32e0 kernel/bpf/syscall.c:3445 __se_sys_bpf kernel/bpf/syscall.c:3340 [inline] __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45c6c9 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fefcb1dcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007fefcb1dd6d4 RCX: 000000000045c6c9 RDX: 0000000000000038 RSI: 0000000020000040 RDI: 000000000000001a RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000062 R14: 00000000004c2ec4 R15: 000000000076bf2c Modules linked in: ---[ end trace 475c69e4b5df6179 ]--- RIP: 0010:__phys_addr+0xac/0xc0 arch/x86/mm/physaddr.c:22 Code: 88 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 80 3c 02 00 75 15 48 8b 05 e0 46 98 07 48 01 d8 48 81 fb ff ff ff 1f 76 b8 <0f> 0b e8 0d e6 6f 00 eb e4 90 66 2e 0f 1f 84 00 00 00 00 00 b8 00 RSP: 0018:ffffc90002e27a38 EFLAGS: 00010016 RAX: 000000007ffffff2 RBX: 000000007ffffff2 RCX: ffff888077065400 RDX: 1ffffffff118ea02 RSI: ffff8880aa4001c0 RDI: ffffffff88c75010 RBP: ffffc90002e27a48 R08: fffffbfff1243531 R09: fffffbfff1243531 R10: fffffbfff1243530 R11: ffffffff8921a983 R12: fffffffffffffff2 R13: ffffffff8174c3bb R14: 0000000000000010 R15: ffff888079041000 FS: 00007fefcb1dd700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000021000000 CR3: 000000008efa8000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400