From: Vlastimil Babka <vbabka@suse.cz>
Date: Tue, 8 Oct 2024 12:01:11 +0200
Subject: Re: [syzbot] [bpf?] WARNING in push_jmp_history
To: Eduard Zingerman, feng.tang@intel.com
Cc: syzbot, 42.hyeyoo@gmail.com, akpm@linux-foundation.org, andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org, cl@linux.com, daniel@iogearbox.net, haoluo@google.com, iamjoonsoo.kim@lge.com, john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, martin.lau@linux.dev, penberg@kernel.org, rientjes@google.com, roman.gushchin@linux.dev, sdf@fomichev.me, song@kernel.org, syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Message-ID: <7d785f59-7c5a-45e6-b508-8814537a1522@suse.cz>
References: <6704f097.050a0220.1e4d62.0087.GAE@google.com>

On 10/8/24 11:41, Eduard Zingerman wrote:
> On Tue, 2024-10-08 at 01:43 -0700, syzbot wrote:
>> syzbot has bisected this issue to:
>>
>> commit d0a38fad51cc70ab3dd3c59b54d8079ac19220b9
>> Author: Feng Tang
>> Date:   Wed Sep 11 06:45:34 2024 +0000
>>
>>     mm/slub: Improve redzone check and zeroing for krealloc()
>>
>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11ddbb80580000
>> start commit:   c02d24a5af66 Add linux-next specific files for 20241003
>> git tree:       linux-next
>> final oops:     https://syzkaller.appspot.com/x/report.txt?x=13ddbb80580000
>> console output:
>>   https://syzkaller.appspot.com/x/log.txt?x=15ddbb80580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=94f9caf16c0af42d
>> dashboard link: https://syzkaller.appspot.com/bug?extid=7e46cdef14bf496a3ab4
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b82707980000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16f4c327980000
>>
>> Reported-by: syzbot+7e46cdef14bf496a3ab4@syzkaller.appspotmail.com
>> Fixes: d0a38fad51cc ("mm/slub: Improve redzone check and zeroing for krealloc()")
>>
>> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> There are two issues demonstrated by this repro:
> - one is mm/slub related;
> - another one is verification taking forever.
>
> About the mm/slub related. Applying the following patch with
> additional logging on top of commit d0a38fad51cc identified by syzbot:

The slab one is known from other reports and the problematic commit was
removed from -next since then.

>
> ------- 8< ------------------------------------------------------------
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 9a7ed527e47e..c1582a6d1d33 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3494,7 +3494,9 @@ static int push_jmp_history(struct bpf_verifier_env *env, struct bpf_verifier_st
>  
>  	cnt++;
>  	alloc_size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p)));
> +	printk("push_jmp_history: #1 cur->jmp_history=%p\n", cur->jmp_history);
>  	p = krealloc(cur->jmp_history, alloc_size, GFP_USER);
> +	printk("push_jmp_history: #2 cur->jmp_history=%p\n", p);
>  	if (!p)
>  		return -ENOMEM;
>  	cur->jmp_history = p;
> diff --git a/mm/slub.c b/mm/slub.c
> index e0fb0a26c796..3f5b080ac1f5 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -4627,7 +4627,7 @@ static inline struct kmem_cache *virt_to_cache(const void *obj)
>  	struct slab *slab;
>  
>  	slab = virt_to_slab(obj);
> -	if (WARN_ONCE(!slab, "%s: Object is not a Slab page!\n", __func__))
> +	if (WARN_ONCE(!slab, "%s: Object %p is not a Slab page!\n", __func__, obj))
>  		return NULL;
>  	return slab->slab_cache;
>  }
> ------------------------------------------------------------ >8 -------
>
> Produces the following log:
>
> l1:  [ 2.942120] push_jmp_history: #2 cur->jmp_history=00000000a0f6f503
> l2:  [ 2.944445] push_jmp_history: #1 cur->jmp_history=00000000a0f6f503
> l3:  [ 2.944560] ------------[ cut here ]------------
> l4:  [ 2.944647] virt_to_cache: Object 00000000a0f6f503 is not a Slab page!
> l5:  [ 2.944765] WARNING: CPU: 0 PID: 145 at mm/slub.c:4630 krealloc_noprof (mm/slub.c:4630 mm/slub.c:4728 mm/slub.c:4813)
> l6:  [ 2.944906] Modules linked in:
> l7:  [ 2.945134] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
> l8:  [ 2.945285] RIP: 0010:krealloc_noprof (mm/slub.c:4630 mm/slub.c:4728 mm/slub.c:4813)
> ...
> l9:  [ 2.952088] BUG: kernel NULL pointer dereference, address: 000000000000001c
> l10: [ 2.952171] #PF: supervisor read access in kernel mode
> l11: [ 2.952240] #PF: error_code(0x0000) - not-present page
> l12: [ 2.952309] PGD 105d51067 P4D 105d51067 PUD 1013d0067 PMD 0
> l13: [ 2.952402] Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
> l14: [ 2.952611] Tainted: [W]=WARN
> l15: [ 2.952664] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
> l16: [ 2.952794] RIP: 0010:krealloc_noprof (mm/slub.c:0 mm/slub.c:4729 mm/slub.c:4813)
>
> Lines l{1,2,4} show that address 0xa0f6f503 was first allocated by
> krealloc and then krealloc failed to recognize it as such.
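Review bot: in the kernel/bpf/verifier.c hunk both added printk() calls format the pointer with %p, which the kernel prints as a hashed identity rather than the raw address, so the 00000000a0f6f503 seen in the log is a hash, not the object's address; it can be matched between #1, #2 and the virt_to_cache() warning only because all three go through the same %p hashing, which is sufficient for this correlation. For a throwaway debugging patch a bare printk() is fine, but it has no log level and should not survive into anything sent for merge.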
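Review bot: in the mm/slub.c hunk the %p added to the WARN_ONCE() message uses the same hashed form as the verifier printk, which is what lets l4 be matched against l1 and l2; note that WARN_ONCE() still reports only the first unrecognised object, so if more than one pointer took this path while the reproducer ran, only the first would be visible in the log, and a debugging build that needs every instance would have to use WARN() or a plain pr_warn() here instead.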
>
> The warning at l3 is reported by virt_to_cache() called from
> __do_krealloc():
>
> 4715 static __always_inline __realloc_size(2) void *
> 4716 __do_krealloc(const void *p, size_t new_size, gfp_t flags)
> 4717 {
> 4718 	void *ret;
> 4719 	size_t ks;
> 4720 	int orig_size = 0;
> 4721 	struct kmem_cache *s;
> 4722
> 4723 	/* Check for double-free. */
> 4724 	if (likely(!ZERO_OR_NULL_PTR(p))) {
> 4725 		if (!kasan_check_byte(p))
> 4726 			return NULL;
> 4727
> 4728 		s = virt_to_cache(p);
> 4729 		orig_size = get_orig_size(s, (void *)p);
> 4730 		ks = s->object_size;
>
> When virt_to_cache() reports the warning it returns NULL.
> Hence variable 's' at line 4728 is NULL and this causes null pointer
> dereference at line 4730, reported at l9.
>
> Lines 4725-4730 were changed by commit d0a38fad51cc identified by syzbot,
> previously 'ks' was identified using other means.
>
> Feng, this issue seems unrelated to BPF verifier, could you please take a look?
>
> Best regards,
> Eduard
>
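A user-space model of the flow Eduard quotes from __do_krealloc(), added here as an example rather than code from the kernel or from this thread: model_kmalloc(), model_virt_to_cache(), model_krealloc(), the registry and the cache sizes are constructed stand-ins. It adds the NULL check that the quoted lines 4728-4730 lack, so an unrecognised pointer fails like an allocation failure instead of faulting; the kernel's own resolution, as Vlastimil notes above, was dropping the commit from -next.

```c
/* Added example (not kernel code): a user-space model of the __do_krealloc()
 * flow; a constructed registry stands in for the slab metadata. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct kmem_cache { size_t object_size; };
static struct kmem_cache caches[] = { { 64 }, { 512 } };     /* constructed */
static struct { void *obj; struct kmem_cache *cache; } registry[16];
static int registered;
/* Model of kmalloc(): smallest cache that fits, and record the owner. */
static void *model_kmalloc(size_t size)
{
    struct kmem_cache *c = size <= 64 ? &caches[0] : size <= 512 ? &caches[1] : NULL;
    void *p = (c && registered < 16) ? malloc(c->object_size) : NULL;
    if (p) {
        registry[registered].obj = p;
        registry[registered++].cache = c;
    }
    return p;
}
/* Model of virt_to_cache(): unknown pointer -> warning and NULL, as in the kernel. */
static struct kmem_cache *model_virt_to_cache(const void *obj)
{
    for (int i = 0; i < registered; i++)
        if (registry[i].obj == obj)
            return registry[i].cache;
    fprintf(stderr, "virt_to_cache: Object %p is not a Slab page!\n", obj);
    return NULL;
}
/* Model of __do_krealloc() lines 4724-4730 plus the check they lack: the quoted
 * code reads s->object_size even when s is NULL (the fault at l9).  Returning
 * NULL instead lands in the caller's "if (!p) return -ENOMEM;" path. */
static void *model_krealloc(void *p, size_t new_size)
{
    size_t ks = 0;
    if (p) {
        struct kmem_cache *s = model_virt_to_cache(p);
        if (!s)
            return NULL;               /* the missing NULL check */
        ks = s->object_size;
        if (new_size <= ks)
            return p;                  /* fits in place, as the kernel does */
    }
    void *ret = model_kmalloc(new_size);
    if (ret && p)
        memcpy(ret, p, ks);
    return ret;
}
```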