From: Brahmajit Das
To: syzbot+1f1fbecb9413cdbfbef8@syzkaller.appspotmail.com
Cc: listout@listout.xyz, andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net, eddyz87@gmail.com, edumazet@google.com, haoluo@google.com, horms@kernel.org, john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org, kuba@kernel.org, linux-kernel@vger.kernel.org, martin.lau@linux.dev, netdev@vger.kernel.org, pabeni@redhat.com, sdf@fomichev.me, song@kernel.org, syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev, Menglong Dong, Sahil Chandna
Subject: [PATCH v2] bpf: avoid sleeping in invalid context during sock_map_delete_elem path
Date: Mon, 13 Oct 2025 22:41:22 +0530
Message-ID: <20251013171122.1403859-1-listout@listout.xyz>
In-Reply-To: <68af9b2b.a00a0220.2929dc.0008.GAE@google.com>
References: <68af9b2b.a00a0220.2929dc.0008.GAE@google.com>

The syzkaller report exposed a BUG: “sleeping function called from invalid context” in sock_map_delete_elem, which happens when `bpf_test_timer_enter()` disables preemption but the delete path later invokes a sleeping function while still in that context.

Specifically:

- The crash trace shows `bpf_test_timer_enter()` acquiring a preempt_disable path (via t->mode == NO_PREEMPT), but the symmetric release path always calls migrate_enable(), mismatching the earlier disable.
- As a result, preemption remains disabled across the sock_map_delete_elem path, leading to a sleeping call under an invalid context.

To fix this, normalize the disable/enable pairing: always use migrate_disable()/migrate_enable() regardless of t->mode.
This ensures that we never remain with preemption disabled unintentionally when entering the delete path, and avoids invalid-context sleeping.

Reported-by: syzbot+1f1fbecb9413cdbfbef8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1f1fbecb9413cdbfbef8
Suggested-by: Yonghong Song
Suggested-by: Menglong Dong
Co-authored-by: Sahil Chandna
Signed-off-by: Brahmajit Das
---
Changes in v2:
- remove enum { NO_PREEMPT, NO_MIGRATE } mode
- Using rcu_read_lock_dont_migrate/rcu_read_unlock_migrate

Changes in v1:
- Changes on top of Sahil's initial work based on feedback from Yonghong, i.e. remove NO_PREEMPT/NO_MIGRATE in test_run.c and use migrate_disable()/migrate_enable() universally.
Link: https://lore.kernel.org/all/d0fdced7-a9a5-473e-991f-4f5e4c13f616@linux.dev/

Please also find Sahil's v2 patch:
Link: https://lore.kernel.org/all/20251010075923.408195-1-chandna.linuxkernel@gmail.com/T/
---
net/bpf/test_run.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index dfb03ee0bb62..83f97ee34419 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -29,7 +29,6 @@ #include =20 struct bpf_test_timer { - enum { NO_PREEMPT, NO_MIGRATE } mode; u32 i; u64 time_start, time_spent; }; @@ -37,11 +36,7 @@ struct bpf_test_timer { static void bpf_test_timer_enter(struct bpf_test_timer *t) __acquires(rcu) { - rcu_read_lock(); - if (t->mode =3D=3D NO_PREEMPT) - preempt_disable(); - else - migrate_disable(); + rcu_read_lock_dont_migrate(); =20 t->time_start =3D ktime_get_ns(); } @@ -51,11 +46,7 @@ static void bpf_test_timer_leave(struct bpf_test_timer *= t) { t->time_start =3D 0; =20 - if (t->mode =3D=3D NO_PREEMPT) - preempt_enable(); - else - migrate_enable(); - rcu_read_unlock(); + rcu_read_unlock_migrate(); } =20 static bool bpf_test_timer_continue(struct bpf_test_timer *t, int iteratio= ns, 
@@ -374,7 +365,7 @@ static int bpf_test_run_xdp_live(struct bpf_prog *prog,= struct xdp_buff *ctx, =20 { struct xdp_test_data xdp =3D { .batch_size =3D batch_size }; - struct bpf_test_timer t =3D { .mode =3D NO_MIGRATE }; + struct bpf_test_timer t =3D {}; int ret; =20 if (!repeat) @@ -404,7 +395,7 @@ static int bpf_test_run(struct bpf_prog *prog, void *ct= x, u32 repeat, struct bpf_prog_array_item item =3D {.prog =3D prog}; struct bpf_run_ctx *old_ctx; struct bpf_cg_run_ctx run_ctx; - struct bpf_test_timer t =3D { NO_MIGRATE }; + struct bpf_test_timer t =3D {}; enum bpf_cgroup_storage_type stype; int ret; =20 @@ -1377,7 +1368,7 @@ int bpf_prog_test_run_flow_dissector(struct bpf_prog = *prog, const union bpf_attr *kattr, union bpf_attr __user *uattr) { - struct bpf_test_timer t =3D { NO_PREEMPT }; + struct bpf_test_timer t =3D {}; u32 size =3D kattr->test.data_size_in; struct bpf_flow_dissector ctx =3D {}; u32 repeat =3D kattr->test.repeat; @@ -1445,7 +1436,7 @@ int bpf_prog_test_run_flow_dissector(struct bpf_prog = *prog, int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog, const union bpf_att= r *kattr, union bpf_attr __user *uattr) { - struct bpf_test_timer t =3D { NO_PREEMPT }; + struct bpf_test_timer t =3D {}; struct bpf_prog_array *progs =3D NULL; struct bpf_sk_lookup_kern ctx =3D {}; u32 repeat =3D kattr->test.repeat; --=20 2.51.0
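Review bot: in the bpf_test_timer_enter() hunk (@@ -37,11 +36,7 @@) the commit message no longer describes what the code does. The body says the fix is to "always use migrate_disable()/migrate_enable() regardless of t->mode", but the `+` line replaces the whole `rcu_read_lock(); if (t->mode == NO_PREEMPT) preempt_disable(); else migrate_disable();` sequence with `rcu_read_lock_dont_migrate();`. Only the v2 changelog below the `---` mentions the rcu_read_lock_dont_migrate()/rcu_read_unlock_migrate() helpers, and that part is dropped on apply. Move that into the body, and since the function keeps its `__acquires(rcu)` annotation, say that the helper is the call that takes the RCU read lock so the sparse annotation still matches.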
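Review bot: the `-` lines of the bpf_test_timer_leave() hunk (@@ -51,11 +46,7 @@) contradict the bug description in the commit message. They show the leave path mirroring the enter path, `preempt_enable()` for NO_PREEMPT and `migrate_enable()` otherwise, followed by `rcu_read_unlock()`, so there was no "release path always calls migrate_enable()" mismatch and preemption did not remain disabled after leave. What this hunk together with the enter hunk actually changes is that a NO_PREEMPT run no longer executes the test loop, and any helper the program calls into such as sock_map_delete_elem, with preemption disabled. Reword the two "Specifically:" bullets to say that; as written the log claims a lock imbalance the removed code never had.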
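Review bot: the bpf_test_run_xdp_live() hunk (@@ -374,7 +365,7 @@) and the bpf_test_run() hunk (@@ -404,7 +395,7 @@) are behaviour-neutral, since `{ .mode = NO_MIGRATE }` and `{ NO_MIGRATE }` already selected migrate_disable() in the old enter path; they only drop the field removed in the first hunk. Worth one sentence in the commit message separating these mechanical call-site updates from the two NO_PREEMPT users that actually change behaviour, because the diffstat makes all five initializer hunks look alike.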
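Review bot: the bpf_prog_test_run_flow_dissector() hunk (@@ -1377,7 +1368,7 @@) is where the patch changes behaviour and the commit message should say so explicitly. `- struct bpf_test_timer t = { NO_PREEMPT };` becoming `+ struct bpf_test_timer t = {};` means flow-dissector test runs (and, in the following bpf_prog_test_run_sk_lookup() hunk, sk_lookup test runs) now execute the program with migration disabled rather than preemption disabled. State why that relaxation is acceptable for these two program types, i.e. that the test harness no longer needs to reproduce the preemption state of the real hook, so a reader of the log knows it is deliberate rather than a side effect of removing the enum.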