On Fri, 2025-06-13 at 00:12 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 1c66f4a3612c bpf: Fix state use-after-free on push_stack()..
> git tree: bpf-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1346ed70580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=73696606574e3967
> dashboard link: https://syzkaller.appspot.com/bug?extid=a36aac327960ff474804
> compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1392610c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11a9ee0c580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2ddb1df1c757/disk-1c66f4a3.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/6a318fc92af0/vmlinux-1c66f4a3.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/76c58dddcb6c/bzImage-1c66f4a3.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a36aac327960ff474804@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> ------------[ cut here ]------------

Fwiw, here is a repro converted to selftest. I'll take detailed look on Friday:

/*
 * syzbot reproducer from the report quoted above, converted to a BPF
 * selftest. The function is __naked, so its body is exactly the inline
 * asm below and nothing else.
 *
 * The instruction sequence is the reproducer's and is deliberately left
 * untidied: it contains a dead store to r2, a conditional branch with
 * offset 0, and a loop from label 1 back-edged by "goto 1b". Those
 * oddities may be what drives the verifier into the reported state, so
 * do not "clean them up" while the report is still open.
 */
SEC("socket")
__naked void syzbot_repro(void)
{
	asm volatile (
	"r8 = 0xff80;"
	"r1 = 0xff110001085a0800 ll;"
	"r2 = 20;"
	"r3 = 0;"
	"call %[bpf_ktime_get_ns];"
	/* Loop head; "if w8 & 0x76 goto 1b" below jumps back here. */
"1:"
	"w9 = w10;"
	"if r9 >= 0xff4ad400 goto 2f;"
	/* may_goto: verifier-controlled conditional exit out of the loop. */
	"may_goto +13;"
	"r2 = 0;"
	/* u8 store into the stack slot at r10-16 ... */
	"*(u8 *)(r10 -16) = r9;"
"2:"
	"if r9 s< 0x1004 goto 3f;"
	/* ... and an atomic u32 add of r10 (the frame pointer) into the
	 * same slot, on a path where the slot may hold only the u8 above. */
	"lock *(u32 *)(r10 -16) += r10;"
	"r6 = r8;"
	"r8 += -8;"
	"r4 = r10;"
"3:"
	"r6 += -16;"
	/* Dead store: r2 is overwritten by the next instruction. */
	"r2 = 8;"
	"r2 = 0xff110001085a05d8 ll;"
	"r5 = 8;"
	/* Loop back-edge. */
	"if w8 & 0x76 goto 1b;"
	"r8 = r9;"
	/* Offset-0 branch: both outcomes continue at the next instruction. */
	"if w8 != 0x0 goto +0;"
	"call %[bpf_get_prandom_u32];"
	"r0 = 0;"
	"exit;"
	:
	: __imm(bpf_get_prandom_u32),
	  __imm(bpf_ktime_get_ns)
	/* Every register is declared clobbered; the asm is the whole body. */
	: __clobber_all);
}

[...]