Hello I found a bug titled "general protection fault in bpf_check" with modified syzkaller, and maybe it is related to net/bpf. I also confirmed in the latest net/bpf/bpf-next tree. If you fix this issue, please add the following tag to the commit: Reported-by: xingwei lee <xrivendell7@xxxxxxxxx> Reported-by: yue sun <samsun1006219@xxxxxxxxx> kernel: bpf-next cc9b22dfa735800980e7362f02aff6f1c2280996 kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=9f47e8dfa53b0b11 with KASAN enabled compiler: gcc (Debian 12.2.0-14) 12.2.0 [ 413.543678][ T8244] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 413.546252][ T8244] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 413.547723][ T8244] CPU: 0 PID: 8244 Comm: 477 Not tainted 6.8.0-05230-g114b5b3b4bde #5 [ 413.549221][ T8244] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 [ 413.550994][ T8244] RIP: 0010:do_misc_fixups+0xf58/0x5610 [ 413.552073][ T8244] Code: 8d bd 08 01 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 60 32 00 00 48 8b ad 08 01 00 00 48 8d 7d 30 48 89 f8 48f [ 413.555539][ T8244] RSP: 0018:ffffc9000e17f538 EFLAGS: 00010216 [ 413.556688][ T8244] RAX: 0000000000000006 RBX: ffffc9000219e05a RCX: ffffffff81a6bda1 [ 413.558131][ T8244] RDX: ffff88801f339ec0 RSI: ffffffff81a6b296 RDI: 0000000000000030 [ 413.559606][ T8244] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001 [ 413.561027][ T8244] R10: 0000000000010000 R11: ffff8880296fd66c R12: 0000000000010000 [ 413.562467][ T8244] R13: dffffc0000000000 R14: 0000000000000002 R15: ffffc9000219e058 [ 413.563913][ T8244] FS: 0000000017f1a380(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 [ 413.565538][ T8244] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 413.566730][ T8244] CR2: 0000000020000300 CR3: 0000000020f26000 CR4: 0000000000750ef0 [ 413.568167][ T8244] PKRU: 55555554 [ 413.568869][ 
T8244] Call Trace: [ 413.569513][ T8244] <TASK> [ 413.570058][ T8244] ? show_regs+0x97/0xa0 [ 413.570867][ T8244] ? die_addr+0x56/0xe0 [ 413.571654][ T8244] ? exc_general_protection+0x155/0x230 [ 413.572715][ T8244] ? asm_exc_general_protection+0x26/0x30 [ 413.573792][ T8244] ? do_misc_fixups+0x1a01/0x5610 [ 413.574744][ T8244] ? do_misc_fixups+0xef6/0x5610 [ 413.575684][ T8244] ? do_misc_fixups+0xf58/0x5610 [ 413.576630][ T8244] ? do_misc_fixups+0xef6/0x5610 [ 413.577586][ T8244] ? kvfree+0x50/0x60 [ 413.578371][ T8244] ? __kasan_slab_free+0x11d/0x1a0 [ 413.579349][ T8244] ? kfree+0x129/0x370 [ 413.580148][ T8244] ? __x64_sys_bpf+0x7d/0xc0 [ 413.581034][ T8244] ? __pfx_do_misc_fixups+0x10/0x10 [ 413.582047][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.583165][ T8244] ? __sanitizer_cov_trace_switch+0x54/0x90 [ 413.584336][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.585458][ T8244] ? convert_ctx_accesses+0x1275/0x1860 [ 413.586560][ T8244] ? __pfx_convert_ctx_accesses+0x10/0x10 [ 413.587658][ T8244] ? __pfx_check_max_stack_depth_subprog+0x10/0x10 [ 413.588909][ T8244] ? kvfree+0x50/0x60 [ 413.589714][ T8244] bpf_check+0x38a5/0xb3b0 [ 413.590651][ T8244] ? pcpu_memcg_post_alloc_hook+0x260/0x6f0 [ 413.591807][ T8244] ? __pfx_bpf_check+0x10/0x10 [ 413.592767][ T8244] ? find_held_lock+0x2d/0x110 [ 413.593752][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.594898][ T8244] ? bpf_prog_load+0xe3c/0x27e0 [ 413.595900][ T8244] ? __pfx_lock_release+0x10/0x10 [ 413.596947][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.598122][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.599280][ T8244] ? __pfx___might_resched+0x10/0x10 [ 413.600306][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.601402][ T8244] ? ktime_get_with_offset+0x326/0x560 [ 413.602469][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.603551][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.604659][ T8244] bpf_prog_load+0xf3b/0x27e0 [ 413.605595][ T8244] ? 
__pfx_bpf_prog_load+0x10/0x10 [ 413.606583][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.607669][ T8244] ? find_held_lock+0x2d/0x110 [ 413.608610][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.609786][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.610878][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.611964][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.613106][ T8244] __sys_bpf+0xa17/0x4ef0 [ 413.614002][ T8244] ? __pfx___sys_bpf+0x10/0x10 [ 413.614957][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.616043][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.617128][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.618211][ T8244] ? find_held_lock+0x2d/0x110 [ 413.619173][ T8244] ? __pfx___up_read+0x10/0x10 [ 413.620107][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.621230][ T8244] ? handle_mm_fault+0x541/0xab0 [ 413.622251][ T8244] __x64_sys_bpf+0x7d/0xc0 [ 413.623117][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5 [ 413.624208][ T8244] ? lockdep_hardirqs_on+0x7c/0x110 [ 413.625212][ T8244] do_syscall_64+0xd5/0x260 [ 413.626098][ T8244] entry_SYSCALL_64_after_hwframe+0x6d/0x75 =* repro.c =*
/*
 * syzkaller-generated reproducer for the report above.
 *
 * It maps three fixed anonymous regions, hand-fills a bpf_attr for a
 * program-load command at 0x20000300 and issues a single bpf() syscall.
 * The fault is raised inside bpf_check() -> do_misc_fixups() while the
 * verifier processes the 4-instruction program, i.e. before the load
 * returns; no BPF program ever runs.  Needs a kernel with the matching
 * config (see the KernelConfig link above) and a user allowed to load BPF
 * programs of this type.
 */
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
int main(void) {
    /*
     * Fixed-address mappings, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
     * (x86-64 values).  The 16 MiB region at 0x20000000 is prot 7 (RWX) and
     * holds every syscall argument below; the two 4 KiB neighbours are prot 0
     * guard pages.  Return values are deliberately unchecked (syzkaller style).
     */
    syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    /*
     * bpf_attr at 0x20000300, size 0x90 (passed to bpf() below).  The first
     * five fields match the syzlang line in repro.txt: prog_type, insn_cnt,
     * insns, license, log_level.  Field labels for the later offsets follow
     * the prog-load layout of uapi/linux/bpf.h as remembered by the reviewer;
     * confirm against the header before relying on them.
     */
    *(uint32_t*)0x20000300 = 0x18;          /* prog_type (syzkaller's RAW_TRACEPOINT load variant) */
    *(uint32_t*)0x20000304 = 4;             /* insn_cnt: 4 instructions = 32 bytes */
    *(uint64_t*)0x20000308 = 0x200000c0;    /* insns pointer */
    /*
     * Only 25 of the 32 instruction bytes are written; the remaining 7 are
     * zero because the mapping is fresh and anonymous.  Decoded:
     *   0x18 ... : BPF_LD_IMM64 into r0 (second half carries imm 0xffffff00)
     *   0xbf ... : BPF_ALU64|BPF_MOV|BPF_X, dst r2, src r0, off 0x0001, imm 0x10000
     *   0x95     : BPF_EXIT
     * NOTE(review): the non-zero off field on the mov is unusual; whether it is
     * what do_misc_fixups trips over is not established by this report.
     */
    memcpy((void*)0x200000c0, "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xbf" "\x02\x01\x00\x00\x00\x01\x00\x95", 25);
    *(uint64_t*)0x20000310 = 0x20000000;    /* license pointer */
    memcpy((void*)0x20000000, "syzkaller\000", 10);  /* license string, NUL-terminated */
    *(uint32_t*)0x20000318 = 2;             /* log_level (log_buf/log_size left 0) */
    *(uint32_t*)0x2000031c = 0;
    *(uint64_t*)0x20000320 = 0;
    *(uint32_t*)0x20000328 = 0;
    *(uint32_t*)0x2000032c = 0;
    memset((void*)0x20000330, 0, 16);       /* prog_name[16] */
    *(uint32_t*)0x20000340 = 0;
    *(uint32_t*)0x20000344 = 0;
    *(uint32_t*)0x20000348 = -1;            /* prog_btf_fd = -1 (none) */
    *(uint32_t*)0x2000034c = 8;             /* func_info_rec_size */
    *(uint64_t*)0x20000350 = 0;
    *(uint32_t*)0x20000358 = 0;
    *(uint32_t*)0x2000035c = 0x10;          /* line_info_rec_size */
    *(uint64_t*)0x20000360 = 0;
    *(uint32_t*)0x20000368 = 0;
    *(uint32_t*)0x2000036c = 0;
    *(uint32_t*)0x20000370 = 0;
    *(uint32_t*)0x20000374 = 0;
    *(uint64_t*)0x20000378 = 0;
    *(uint64_t*)0x20000380 = 0;
    *(uint32_t*)0x20000388 = 0x10;          /* core_relo_rec_size */
    *(uint32_t*)0x2000038c = 0;
    /* cmd 5 = BPF_PROG_LOAD; the GPF fires inside this call, so it does not return normally. */
    syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000300ul, /*size=*/0x90ul);
    return 0;
}
=* repro.txt =* bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x18, 0x4, &(0x7f00000000c0)=ANY=[@ANYBLOB="18000000000000000000000000ffffffbf0201000000010095"], &(0x7f0000000000)='syzkaller\x00', 0x2}, 0x90) see aslo https://gist.github.com/xrivendell7/22f4cb7e2a991946919aa94ae1418f17. I hope it helps. best regards. xingwei Lee