On Thu, 20 Jan 2022 at 15:17, syzbot <syzbot+5027de09e0964fd78ce1@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > > syzbot suspects this issue was fixed by commit: > > commit 218d747a4142f281a256687bb513a135c905867b > Author: John Fastabend <john.fastabend@xxxxxxxxx> > Date: Tue Jan 4 21:46:45 2022 +0000 > > bpf, sockmap: Fix double bpf_prog_put on error case in map_link I can confirm the above commit fixes the issue, but it references a slightly different report. Looks like the only difference is __bpf_prog_put instead of bpf_prog_put: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put KASAN: vmalloc-out-of-bounds Read in bpf_prog_put However, looking at the stack traces for the two bugs shows that __bpf_prog_put() is really the location for both reports, see: https://syzkaller.appspot.com/bug?id=797cd651dd0d9bd921e4fa51b792f5afdc3f390f kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 mm/kasan/report.c:450 __bpf_prog_put.constprop.0+0x1dd/0x220 kernel/bpf/syscall.c:1812 kernel/bpf/syscall.c:1812 bpf_prog_put kernel/bpf/syscall.c:1829 [inline] bpf_prog_put kernel/bpf/syscall.c:1829 [inline] kernel/bpf/syscall.c:1837 vs. https://syzkaller.appspot.com/bug?extid=bb73e71cf4b8fd376a4f kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 __bpf_prog_put kernel/bpf/syscall.c:1812 [inline] __bpf_prog_put kernel/bpf/syscall.c:1812 [inline] kernel/bpf/syscall.c:1829 bpf_prog_put+0x8c/0x4f0 kernel/bpf/syscall.c:1829 kernel/bpf/syscall.c:1829 Looks to me like the compiler's inlining decision caused syzbot to see __bpf_prog_put() instead of bpf_prog_put(), but I can't tell if it's because it got inlined or because of the .constprop.0 suffix... I guess syzbot skips the [inline] entries when deciding which function to report the bug in? In any case: #syz dup: KASAN: vmalloc-out-of-bounds Read in bpf_prog_put Vegard
