==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6c9/0x920 kernel/bpf/stackmap.c:274
Write of size 80 at addr ffff88805a6ac510 by task syz.2.82/4604
CPU: 1 PID: 4604 Comm: syz.2.82 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
dump_stack_lvl+0x188/0x24e lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0xa8/0x210 mm/kasan/report.c:420
kasan_report+0x10b/0x140 mm/kasan/report.c:524
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x235/0x290 mm/kasan/generic.c:189
memcpy+0x3c/0x60 mm/kasan/shadow.c:66
__bpf_get_stackid+0x6c9/0x920 kernel/bpf/stackmap.c:274
____bpf_get_stackid_pe kernel/bpf/stackmap.c:365 [inline]
bpf_get_stackid_pe+0x33f/0x400 kernel/bpf/stackmap.c:334
bpf_prog_e587bf28c6f21b72+0x21/0x39
bpf_dispatcher_nop_func include/linux/bpf.h:1012 [inline]
__bpf_prog_run include/linux/filter.h:607 [inline]
bpf_prog_run include/linux/filter.h:614 [inline]
bpf_overflow_handler+0x50b/0x790 kernel/events/core.c:10321
__perf_event_overflow+0x457/0x630 kernel/events/core.c:9496
perf_event_overflow kernel/events/core.c:9517 [inline]
perf_swevent_hrtimer+0x472/0x630 kernel/events/core.c:10967
__run_hrtimer kernel/time/hrtimer.c:1751 [inline]
__hrtimer_run_queues+0x4e7/0xc90 kernel/time/hrtimer.c:1815
hrtimer_interrupt+0x399/0x980 kernel/time/hrtimer.c:1877
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1107 [inline]
__sysvec_apic_timer_interrupt+0x153/0x5a0 arch/x86/kernel/apic/apic.c:1124
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0x9b/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:finish_task_switch+0x267/0x8e0 kernel/sched/core.c:5124
Code: d1 08 85 c0 0f 84 38 01 00 00 48 85 db 0f 85 57 01 00 00 0f 1f 44 00 00 4c 89 e7 e8 33 6f db 08 e8 ae 05 2f 00 fb 4c 8b 65 b8 <49> 8d bc 24 f8 15 00 00 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0
RSP: 0018:ffffc9000517f900 EFLAGS: 00000286
RAX: d19eb64bcfe48400 RBX: 0000000000000000 RCX: d19eb64bcfe48400
RDX: dffffc0000000000 RSI: ffffffff8a8c17a0 RDI: ffffffff8adee1a0
RBP: ffffc9000517f950 R08: ffff8880b8f3ad03 R09: 1ffff110171e75a0
R10: dffffc0000000000 R11: ffffed10171e75a1 R12: ffff888054fdda00
R13: 1ffff110171e76fa R14: dffffc0000000000 R15: ffff8880b8f3b7d0
context_switch kernel/sched/core.c:5248 [inline]
__schedule+0x1087/0x4030 kernel/sched/core.c:6562
schedule+0xb9/0x180 kernel/sched/core.c:6638
futex_wait_queue+0x134/0x1b0 kernel/futex/waitwake.c:355
futex_wait+0x1e5/0x5c0 kernel/futex/waitwake.c:656
do_futex+0x310/0x320 kernel/futex/syscalls.c:134
__do_sys_futex kernel/futex/syscalls.c:211 [inline]
__se_sys_futex+0x381/0x410 kernel/futex/syscalls.c:192
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f736e19de59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f736c3f60e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f736e426188 RCX: 00007f736e19de59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f736e426188
RBP: 00007f736e426180 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f736e426218 R14: 00007ffda92af6d0 R15: 00007ffda92af7b8
Allocated by task 4604:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0x8e/0xa0 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:936 [inline]
__kmalloc_node+0xb2/0x240 mm/slab_common.c:943
kmalloc_node include/linux/slab.h:589 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:328 [inline]
bpf_map_area_alloc+0x47/0xe0 kernel/bpf/syscall.c:341
prealloc_elems_and_freelist+0x86/0x1c0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x386/0x510 kernel/bpf/stackmap.c:117
find_and_alloc_map kernel/bpf/syscall.c:133 [inline]
map_create+0x524/0xff0 kernel/bpf/syscall.c:1149
__sys_bpf+0x38b/0x780 kernel/bpf/syscall.c:5013
__do_sys_bpf kernel/bpf/syscall.c:5135 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5133 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5133
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Last potentially related work creation:
kasan_save_stack+0x3a/0x60 mm/kasan/common.c:46
__kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:486
call_rcu+0x14f/0x950 kernel/rcu/tree.c:2849
nf_hook_entries_free net/netfilter/core.c:88 [inline]
__nf_register_net_hook+0x787/0x910 net/netfilter/core.c:445
nf_register_net_hook+0xae/0x190 net/netfilter/core.c:566
nf_register_net_hooks+0x40/0x1a0 net/netfilter/core.c:582
ebt_register_table+0xcdc/0x1050 net/bridge/netfilter/ebtables.c:1274
find_inlist_lock_noload+0x16a/0x250 net/bridge/netfilter/ebtables.c:343
find_inlist_lock net/bridge/netfilter/ebtables.c:371 [inline]
find_table_lock net/bridge/netfilter/ebtables.c:379 [inline]
do_ebt_get_ctl+0x2c7/0x1d00 net/bridge/netfilter/ebtables.c:2498
nf_getsockopt+0x25e/0x280 net/netfilter/nf_sockopt.c:116
ip_getsockopt+0x19b/0x230 net/ipv4/ip_sockglue.c:1826
__sys_getsockopt+0x1b0/0x230 net/socket.c:2332
__do_sys_getsockopt net/socket.c:2347 [inline]
__se_sys_getsockopt net/socket.c:2344 [inline]
__x64_sys_getsockopt+0xb1/0xc0 net/socket.c:2344
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88805a6ac500
which belongs to the cache kmalloc-cg-64 of size 64
The buggy address is located 16 bytes inside of
64-byte region [ffff88805a6ac500, ffff88805a6ac540)
The buggy address belongs to the physical page:
page:ffffea000169ab00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5a6ac
memcg:ffff888027a1ce01
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000001 ffff888017442780
raw: 0000000000000000 0000000080200020 00000001ffffffff ffff888027a1ce01
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4284, tgid 4284 (syz-executor), ts 79858721169, free_ts 25637392722
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2560
prep_new_page mm/page_alloc.c:2567 [inline]
get_page_from_freelist+0x206b/0x2180 mm/page_alloc.c:4358
__alloc_pages+0x1ec/0x4f0 mm/page_alloc.c:5658
alloc_slab_page+0x5d/0x180 mm/slub.c:1799
allocate_slab mm/slub.c:1944 [inline]
new_slab+0x87/0x2d0 mm/slub.c:1997
___slab_alloc+0xbc5/0x1240 mm/slub.c:3154
__slab_alloc mm/slub.c:3240 [inline]
slab_alloc_node mm/slub.c:3325 [inline]
__kmem_cache_alloc_node+0x126/0x270 mm/slub.c:3398
__do_kmalloc_node mm/slab_common.c:935 [inline]
__kmalloc_node+0xa2/0x240 mm/slab_common.c:943
kmalloc_node include/linux/slab.h:589 [inline]
kvmalloc_node+0x6c/0x180 mm/util.c:581
kvmalloc include/linux/slab.h:716 [inline]
kvzalloc include/linux/slab.h:724 [inline]
allocate_hook_entries_size net/netfilter/core.c:61 [inline]
nf_hook_entries_grow+0x31a/0x760 net/netfilter/core.c:128
__nf_register_net_hook+0x2c9/0x910 net/netfilter/core.c:423
nf_register_net_hook+0xae/0x190 net/netfilter/core.c:566
nf_register_net_hooks+0x40/0x1a0 net/netfilter/core.c:582
nf_defrag_ipv6_enable+0x83/0x110 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:146
nf_ct_netns_do_get+0x1e4/0x5b0 net/netfilter/nf_conntrack_proto.c:494
nf_ct_netns_inet_get+0x3b/0x150 net/netfilter/nf_conntrack_proto.c:595
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1487 [inline]
free_pcp_prepare mm/page_alloc.c:1537 [inline]
free_unref_page_prepare+0x8e5/0x9e0 mm/page_alloc.c:3414
free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3509
free_contig_range+0x9d/0x150 mm/page_alloc.c:9626
destroy_args+0xef/0xa0e mm/debug_vm_pgtable.c:1031
debug_vm_pgtable+0x33c/0x38e mm/debug_vm_pgtable.c:1359
do_one_initcall+0x257/0x800 init/main.c:1309
do_initcall_level+0x13d/0x1ed init/main.c:1382
do_initcalls+0x4b/0x8a init/main.c:1398
kernel_init_freeable+0x401/0x5ab init/main.c:1637
kernel_init+0x19/0x1b0 init/main.c:1525
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Memory state around the buggy address:
ffff88805a6ac400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff88805a6ac480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88805a6ac500: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
^
ffff88805a6ac580: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff88805a6ac600: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: d1 08 rorl $1,(%rax)
2: 85 c0 test %eax,%eax
4: 0f 84 38 01 00 00 je 0x142
a: 48 85 db test %rbx,%rbx
d: 0f 85 57 01 00 00 jne 0x16a
13: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
18: 4c 89 e7 mov %r12,%rdi
1b: e8 33 6f db 08 call 0x8db6f53
20: e8 ae 05 2f 00 call 0x2f05d3
25: fb sti
26: 4c 8b 65 b8 mov -0x48(%rbp),%r12
* 2a: 49 8d bc 24 f8 15 00 lea 0x15f8(%r12),%rdi <-- trapping instruction
31: 00
32: 48 89 f8 mov %rdi,%rax
35: 48 c1 e8 03 shr $0x3,%rax
39: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax
3e: 84 c0 test %al,%al