On 2024-08-31 13:55:02 [-0700], syzbot wrote: > syzbot suspects this issue was fixed by commit: > > commit 401cb7dae8130fd34eb84648e02ab4c506df7d5e > Author: Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx> > Date: Thu Jun 20 13:22:04 2024 +0000 > > net: Reference bpf_redirect_info via task_struct on PREEMPT_RT. > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12597c63980000 > start commit: 36534d3c5453 tcp: use signed arithmetic in tcp_rtx_probe0_.. > git tree: bpf > kernel config: https://syzkaller.appspot.com/x/.config?x=333ebe38d43c42e2 > dashboard link: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13390aea980000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10948741980000 This looks like ri->tgt_value is a NULL pointer (dst in dev_map_enqueue()). The commit referenced by syz should not have fixed that. It is possible that there were leftovers in bpf_redirect_info (from a previous invocation) which were memset(,0,) during the switch from per-CPU to stack usage and now it does not trigger anymore. Sebastian
