================================================================== BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6c9/0x920 kernel/bpf/stackmap.c:274 Write of size 80 at addr ffff88805a6ac510 by task syz.2.82/4604 CPU: 1 PID: 4604 Comm: syz.2.82 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0x188/0x24e lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0xa8/0x210 mm/kasan/report.c:420 kasan_report+0x10b/0x140 mm/kasan/report.c:524 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x235/0x290 mm/kasan/generic.c:189 memcpy+0x3c/0x60 mm/kasan/shadow.c:66 __bpf_get_stackid+0x6c9/0x920 kernel/bpf/stackmap.c:274 ____bpf_get_stackid_pe kernel/bpf/stackmap.c:365 [inline] bpf_get_stackid_pe+0x33f/0x400 kernel/bpf/stackmap.c:334 bpf_prog_e587bf28c6f21b72+0x21/0x39 bpf_dispatcher_nop_func include/linux/bpf.h:1012 [inline] __bpf_prog_run include/linux/filter.h:607 [inline] bpf_prog_run include/linux/filter.h:614 [inline] bpf_overflow_handler+0x50b/0x790 kernel/events/core.c:10321 __perf_event_overflow+0x457/0x630 kernel/events/core.c:9496 perf_event_overflow kernel/events/core.c:9517 [inline] perf_swevent_hrtimer+0x472/0x630 kernel/events/core.c:10967 __run_hrtimer kernel/time/hrtimer.c:1751 [inline] __hrtimer_run_queues+0x4e7/0xc90 kernel/time/hrtimer.c:1815 hrtimer_interrupt+0x399/0x980 kernel/time/hrtimer.c:1877 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1107 [inline] __sysvec_apic_timer_interrupt+0x153/0x5a0 arch/x86/kernel/apic/apic.c:1124 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline] sysvec_apic_timer_interrupt+0x9b/0xc0 arch/x86/kernel/apic/apic.c:1118 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691 RIP: 0010:finish_task_switch+0x267/0x8e0 kernel/sched/core.c:5124 Code: d1 08 85 c0 0f 84 38 01 00 00 48 85 db 0f 85 57 01 00 00 0f 1f 44 00 00 4c 89 e7 e8 33 6f db 08 e8 ae 05 2f 00 fb 4c 8b 65 b8 <49> 8d bc 24 f8 15 00 00 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0 RSP: 0018:ffffc9000517f900 EFLAGS: 00000286 RAX: d19eb64bcfe48400 RBX: 0000000000000000 RCX: d19eb64bcfe48400 RDX: dffffc0000000000 RSI: ffffffff8a8c17a0 RDI: ffffffff8adee1a0 RBP: ffffc9000517f950 R08: ffff8880b8f3ad03 R09: 1ffff110171e75a0 R10: dffffc0000000000 R11: ffffed10171e75a1 R12: ffff888054fdda00 R13: 1ffff110171e76fa R14: dffffc0000000000 R15: ffff8880b8f3b7d0 context_switch kernel/sched/core.c:5248 [inline] __schedule+0x1087/0x4030 kernel/sched/core.c:6562 schedule+0xb9/0x180 kernel/sched/core.c:6638 futex_wait_queue+0x134/0x1b0 kernel/futex/waitwake.c:355 futex_wait+0x1e5/0x5c0 kernel/futex/waitwake.c:656 do_futex+0x310/0x320 kernel/futex/syscalls.c:134 __do_sys_futex kernel/futex/syscalls.c:211 [inline] __se_sys_futex+0x381/0x410 kernel/futex/syscalls.c:192 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f736e19de59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f736c3f60e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: ffffffffffffffda RBX: 00007f736e426188 RCX: 00007f736e19de59 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f736e426188 RBP: 00007f736e426180 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f736e426218 R14: 00007ffda92af6d0 R15: 00007ffda92af7b8 Allocated by task 4604: kasan_save_stack mm/kasan/common.c:46 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:53 ____kasan_kmalloc mm/kasan/common.c:375 [inline] __kasan_kmalloc+0x8e/0xa0 mm/kasan/common.c:384 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:936 [inline] __kmalloc_node+0xb2/0x240 mm/slab_common.c:943 kmalloc_node include/linux/slab.h:589 [inline] __bpf_map_area_alloc kernel/bpf/syscall.c:328 [inline] bpf_map_area_alloc+0x47/0xe0 kernel/bpf/syscall.c:341 prealloc_elems_and_freelist+0x86/0x1c0 kernel/bpf/stackmap.c:51 stack_map_alloc+0x386/0x510 kernel/bpf/stackmap.c:117 find_and_alloc_map kernel/bpf/syscall.c:133 [inline] map_create+0x524/0xff0 kernel/bpf/syscall.c:1149 __sys_bpf+0x38b/0x780 kernel/bpf/syscall.c:5013 __do_sys_bpf kernel/bpf/syscall.c:5135 [inline] __se_sys_bpf kernel/bpf/syscall.c:5133 [inline] __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5133 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Last potentially related work creation: kasan_save_stack+0x3a/0x60 mm/kasan/common.c:46 __kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:486 call_rcu+0x14f/0x950 kernel/rcu/tree.c:2849 nf_hook_entries_free net/netfilter/core.c:88 [inline] __nf_register_net_hook+0x787/0x910 net/netfilter/core.c:445 nf_register_net_hook+0xae/0x190 net/netfilter/core.c:566 nf_register_net_hooks+0x40/0x1a0 net/netfilter/core.c:582 ebt_register_table+0xcdc/0x1050 net/bridge/netfilter/ebtables.c:1274 find_inlist_lock_noload+0x16a/0x250 net/bridge/netfilter/ebtables.c:343 find_inlist_lock net/bridge/netfilter/ebtables.c:371 [inline] find_table_lock net/bridge/netfilter/ebtables.c:379 [inline] do_ebt_get_ctl+0x2c7/0x1d00 net/bridge/netfilter/ebtables.c:2498 nf_getsockopt+0x25e/0x280 net/netfilter/nf_sockopt.c:116 ip_getsockopt+0x19b/0x230 net/ipv4/ip_sockglue.c:1826 __sys_getsockopt+0x1b0/0x230 net/socket.c:2332 __do_sys_getsockopt net/socket.c:2347 [inline] __se_sys_getsockopt net/socket.c:2344 [inline] __x64_sys_getsockopt+0xb1/0xc0 net/socket.c:2344 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x68/0xd2 The buggy address belongs to the object at ffff88805a6ac500 which belongs to the cache kmalloc-cg-64 of size 64 The buggy address is located 16 bytes inside of 64-byte region [ffff88805a6ac500, ffff88805a6ac540) The buggy address belongs to the physical page: page:ffffea000169ab00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5a6ac memcg:ffff888027a1ce01 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 0000000000000000 dead000000000001 ffff888017442780 raw: 0000000000000000 0000000080200020 00000001ffffffff ffff888027a1ce01 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4284, tgid 4284 (syz-executor), ts 79858721169, free_ts 25637392722 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2560 prep_new_page mm/page_alloc.c:2567 [inline] get_page_from_freelist+0x206b/0x2180 mm/page_alloc.c:4358 __alloc_pages+0x1ec/0x4f0 mm/page_alloc.c:5658 alloc_slab_page+0x5d/0x180 mm/slub.c:1799 allocate_slab mm/slub.c:1944 [inline] new_slab+0x87/0x2d0 mm/slub.c:1997 ___slab_alloc+0xbc5/0x1240 mm/slub.c:3154 __slab_alloc mm/slub.c:3240 [inline] slab_alloc_node mm/slub.c:3325 [inline] __kmem_cache_alloc_node+0x126/0x270 mm/slub.c:3398 __do_kmalloc_node mm/slab_common.c:935 [inline] __kmalloc_node+0xa2/0x240 mm/slab_common.c:943 kmalloc_node include/linux/slab.h:589 [inline] kvmalloc_node+0x6c/0x180 mm/util.c:581 kvmalloc include/linux/slab.h:716 [inline] kvzalloc include/linux/slab.h:724 [inline] allocate_hook_entries_size net/netfilter/core.c:61 [inline] nf_hook_entries_grow+0x31a/0x760 net/netfilter/core.c:128 __nf_register_net_hook+0x2c9/0x910 net/netfilter/core.c:423 nf_register_net_hook+0xae/0x190 net/netfilter/core.c:566 nf_register_net_hooks+0x40/0x1a0 net/netfilter/core.c:582 nf_defrag_ipv6_enable+0x83/0x110 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:146 nf_ct_netns_do_get+0x1e4/0x5b0 net/netfilter/nf_conntrack_proto.c:494 nf_ct_netns_inet_get+0x3b/0x150 net/netfilter/nf_conntrack_proto.c:595 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1487 [inline] free_pcp_prepare mm/page_alloc.c:1537 [inline] free_unref_page_prepare+0x8e5/0x9e0 mm/page_alloc.c:3414 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3509 free_contig_range+0x9d/0x150 mm/page_alloc.c:9626 destroy_args+0xef/0xa0e mm/debug_vm_pgtable.c:1031 debug_vm_pgtable+0x33c/0x38e mm/debug_vm_pgtable.c:1359 do_one_initcall+0x257/0x800 init/main.c:1309 do_initcall_level+0x13d/0x1ed init/main.c:1382 do_initcalls+0x4b/0x8a init/main.c:1398 kernel_init_freeable+0x401/0x5ab init/main.c:1637 kernel_init+0x19/0x1b0 init/main.c:1525 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff88805a6ac400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88805a6ac480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88805a6ac500: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc ^ ffff88805a6ac580: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff88805a6ac600: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ================================================================== ---------------- Code disassembly (best guess): 0: d1 08 rorl $1,(%rax) 2: 85 c0 test %eax,%eax 4: 0f 84 38 01 00 00 je 0x142 a: 48 85 db test %rbx,%rbx d: 0f 85 57 01 00 00 jne 0x16a 13: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 18: 4c 89 e7 mov %r12,%rdi 1b: e8 33 6f db 08 call 0x8db6f53 20: e8 ae 05 2f 00 call 0x2f05d3 25: fb sti 26: 4c 8b 65 b8 mov -0x48(%rbp),%r12 * 2a: 49 8d bc 24 f8 15 00 lea 0x15f8(%r12),%rdi <-- trapping instruction 31: 00 32: 48 89 f8 mov %rdi,%rax 35: 48 c1 e8 03 shr $0x3,%rax 39: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax 3e: 84 c0 test %al,%al