[BUG] bpf: warn_free_bad_obj in bpf_prog_test_run_skb - slab cross-cache confusion in skb_free_head

From: antonius

Date: Mon Mar 30 2026 - 01:53:06 EST


Hello,

I found a slab cache confusion bug in bpf_prog_test_run_skb() on Linux
7.0.0-rc5, triggered via BPF_PROG_TEST_RUN with BPF_PROG_TYPE_SCHED_CLS.

The issue was originally discovered by syzkaller during a fuzzing campaign
targeting io_uring BPF filter and BPF test_run subsystems.

REPORTER
Antonius / Blue Dragon Security
https://bluedragonsec.com
https://github.com/bluedragonsecurity


Bug Description 

bpf_test_init() allocates skb->head using kzalloc() with size:
  data_size_in + NET_SKB_PAD + NET_IP_ALIGN = 284 + 32 + 2 = 318 bytes

SLUB rounds this up to the kmalloc-1k cache (704 bytes as reported by
KFENCE). However, skb_free_head() subsequently calls:
  kmem_cache_free(skbuff_small_head_cache, head)

This is the wrong cache — the object belongs to kmalloc-1k, not
skbuff_small_head. SLUB detects this mismatch and fires warn_free_bad_obj(),
followed by a KFENCE out-of-bounds read in print_track().

Affected Code

net/bpf/test_run.c: bpf_test_init()
net/core/skbuff.c:  skb_free_head()

The root cause is a mismatch between the allocation cache used by
bpf_test_init() and the cache assumed by skb_free_head() when determining
how to free skb->head for test skbs.

Kernel Version

7.0.0-rc5 (commit: confirmed on rc5 tag)
Also tested: Lubuntu 25.10 (kernel 7.0.0-rc5, CONFIG_KFENCE=y)
             Debian Trixie syzkaller VM (kernel 7.0.0-rc5, CONFIG_KFENCE=y)

Privilege Required

CAP_BPF or root. BPF_PROG_TYPE_SCHED_CLS requires bpf_capable().

Reproducer

Minimal C reproducer (2 syscalls):
N.B.: I have attached the reproducer file (repro_bpf.c).

Build: gcc -O0 -o repro_bpf repro_bpf.c
Run:
for i in $(seq 1 1000); do
    sudo ./repro_bpf
    sudo dmesg | grep -q "warn_free\|KFENCE\|cut here" && { echo "CRASH at iter $i!"; sudo dmesg; break; }
    echo -n "."
done
sudo dmesg | grep warn_free_bad_obj

Kernel Output

[  761.069607] ------------[ cut here ]------------
[  761.069623] kmem_cache_free(skbuff_small_head, ffff888186dfac00): object belongs to different cache kmalloc-1k
[  761.069638] WARNING: mm/slub.c:6258 at warn_free_bad_obj+0x91/0xc0, CPU#0: repro/1513
[  761.069670] Modules linked in:
[  761.069690] CPU: 0 UID: 0 PID: 1513 Comm: repro Not tainted 7.0.0-rc5 #1
[  761.069716] RIP: 0010:warn_free_bad_obj+0x98/0xc0
[  761.069882] Call Trace:
[  761.069888]  <TASK>
[  761.069899]  skb_free_head+0x1ec/0x290
[  761.069918]  skb_release_data+0x7a6/0x9d0
[  761.069970]  bpf_prog_test_run_skb+0x14f8/0x3410
[  761.070190]  __sys_bpf+0x769/0x4b60
[  761.070422]  do_syscall_64+0x111/0x690
[  761.070456]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  761.070610]  </TASK>
[  761.073682] ==================================================================
[  761.073736] BUG: KFENCE: out-of-bounds read in print_track+0x0/0x50
[  761.073790] Out-of-bounds read at 0xffff888186dfb010 (1040B right of kfence-#252):
[  761.074117] kfence-#252: 0xffff888186dfac00-0xffff888186dfaebf, size=704, cache=kmalloc-1k
[  761.074168] allocated by task 1513 on cpu 0 at 761.069452s:
[  761.074198]  bpf_test_init.isra.0+0xf9/0x1e0
[  761.074218]  bpf_prog_test_run_skb+0x489/0x3410
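The grep loop in the reproducer section only says that a warning fired. The triage script below is an added example, not part of this report or of any kernel tooling: it parses the SLUB warn_free_bad_obj() line and the KFENCE object record out of a dmesg excerpt like the one above and pairs them by address, so that the object SLUB complains about can be confirmed as the one bpf_test_init() allocated, together with its size and owning cache. The embedded sample log is a constructed, trimmed copy of the excerpt above.

```python
import re

# Constructed sample: a trimmed copy of the dmesg excerpt quoted in the report above.
SAMPLE_DMESG = """\
[  761.069623] kmem_cache_free(skbuff_small_head, ffff888186dfac00): object belongs to different cache kmalloc-1k
[  761.069638] WARNING: mm/slub.c:6258 at warn_free_bad_obj+0x91/0xc0, CPU#0: repro/1513
[  761.069716] RIP: 0010:warn_free_bad_obj+0x98/0xc0
[  761.069888]  <TASK>
[  761.069899]  skb_free_head+0x1ec/0x290
[  761.069918]  skb_release_data+0x7a6/0x9d0
[  761.069970]  bpf_prog_test_run_skb+0x14f8/0x3410
[  761.070610]  </TASK>
[  761.073736] BUG: KFENCE: out-of-bounds read in print_track+0x0/0x50
[  761.074117] kfence-#252: 0xffff888186dfac00-0xffff888186dfaebf, size=704, cache=kmalloc-1k
[  761.074168] allocated by task 1513 on cpu 0 at 761.069452s:
[  761.074198]  bpf_test_init.isra.0+0xf9/0x1e0
[  761.074218]  bpf_prog_test_run_skb+0x489/0x3410
"""

# SLUB's warn_free_bad_obj() line: cache freed into, object address, cache SLUB says owns it.
BAD_FREE_RE = re.compile(
    r"kmem_cache_free\((?P<free_cache>[\w-]+), (?P<addr>[0-9a-f]+)\): "
    r"object belongs to different cache (?P<owner_cache>[\w-]+)")
# KFENCE object record: guarded-object id, address range, size and owning cache.
KFENCE_OBJ_RE = re.compile(
    r"kfence-#(?P<id>\d+): 0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+), "
    r"size=(?P<size>\d+), cache=(?P<cache>[\w-]+)")
# A symbolised stack frame; a leading "? " marks an unreliable frame, which is skipped.
FRAME_RE = re.compile(
    r"^\[\s*[\d.]+\]\s+(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


def parse_dmesg(text):
    """Collect cross-cache free warnings and KFENCE object records, each with its stack."""
    bad_frees, objects = [], {}
    last_obj = target = None          # target: the frame list currently being filled
    for line in text.splitlines():
        m = BAD_FREE_RE.search(line)
        if m:
            bf = {"free_cache": m["free_cache"], "owner_cache": m["owner_cache"],
                  "addr": int(m["addr"], 16), "stack": []}
            bad_frees.append(bf)
            target = bf["stack"]
            continue
        m = KFENCE_OBJ_RE.search(line)
        if m:
            last_obj = {"id": int(m["id"]), "start": int(m["start"], 16),
                        "end": int(m["end"], 16), "size": int(m["size"]),
                        "cache": m["cache"], "alloc_stack": []}
            objects[last_obj["id"]] = last_obj
            target = None
            continue
        if "allocated by task" in line and last_obj is not None:
            target = last_obj["alloc_stack"]   # frames that follow are the alloc site
            continue
        if "</TASK>" in line or "end trace" in line:
            target = None                      # end of a stack dump
            continue
        m = FRAME_RE.match(line)
        if m and target is not None and not m["unreliable"]:
            target.append(m["func"])
    return bad_frees, objects


def correlate(text):
    """Pair each cross-cache free with the KFENCE object whose range holds the address."""
    bad_frees, objects = parse_dmesg(text)
    findings = []
    for bf in bad_frees:
        obj = next((o for o in objects.values()
                    if o["start"] <= bf["addr"] <= o["end"]), None)
        findings.append({
            "addr": bf["addr"],
            "freed_into": bf["free_cache"],
            "owner": bf["owner_cache"],
            "free_site": bf["stack"][0] if bf["stack"] else None,
            "kfence_id": obj["id"] if obj else None,
            "size": obj["size"] if obj else None,
            "alloc_site": obj["alloc_stack"][0] if obj and obj["alloc_stack"] else None,
            # True when KFENCE's own record agrees with SLUB about the owning cache.
            "owner_confirmed": obj is not None and obj["cache"] == bf["owner_cache"],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_DMESG):
        print(f"{f['alloc_site']} allocated {f['size']}B in {f['owner']}; "
              f"{f['free_site']} freed it into {f['freed_into']} (kfence-#{f['kfence_id']})")
```

Feed it `sudo dmesg` output from the reproducer loop instead of the embedded sample to triage a live run.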

Security Impact

This bug causes heap corruption via slab cross-cache confusion. An object
from kmalloc-1k is placed into the freelist of the skbuff_small_head cache.
Subsequent alloc_skb() calls can reclaim this chunk, potentially leading to:
  - Information leak (stale kernel data readable via the new skb->head)
  - Heap corruption if controlled data is written before reclaim
  - Denial of service (kernel WARNING, system instability)

Full exploitation to LPE would require chaining with additional primitives
(KASLR bypass, heap spray). The bug is not directly exploitable for LPE
without further primitives.

CVSS v3.1 estimate: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H = 6.7 (Medium)

Fix Suggestion

In bpf_test_init() (net/bpf/test_run.c), the skb->head allocation should
either:
1. Use skb_head_from_pool() or kmalloc_reserve() to ensure the allocation
   lands in the cache that skb_free_head() expects, or
2. Set skb->head_frag = 0 and clear the relevant flags so that skb_free_head()
   takes the kfree() path instead of the kmem_cache_free() path.

Alternatively, skb_free_head() should verify the slab cache before calling
kmem_cache_free().

---
Reported-by: Antonius <antonius@xxxxxxxxxxxxxxxxx>
Please use this tag in the fix commit:
  Reported-by: Antonius <antonius@xxxxxxxxxxxxxxxxx>
---
If this is a known issue or already fixed, please point me to the
relevant commit. I was unable to find a matching LKML/syzbot entry
for this specific issue.

Thanks,
Antonius
Blue Dragon Security
https://bluedragonsec.com

[ 3065.322973] ------------[ cut here ]------------
[ 3065.322990] kmem_cache_free(skbuff_small_head, ffff888186d6e000): object belongs to different cache kmalloc-1k
[ 3065.323005] WARNING: mm/slub.c:6258 at warn_free_bad_obj+0x91/0xc0, CPU#0: repro_bpf/2167
[ 3065.323038] Modules linked in:
[ 3065.323061] CPU: 0 UID: 0 PID: 2167 Comm: repro_bpf Not tainted 7.0.0-rc5 #1 PREEMPT(lazy)
[ 3065.323077] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 3065.323098] RIP: 0010:warn_free_bad_obj+0x98/0xc0
[ 3065.323115] Code: 67 48 0f b9 3a 5b 5d c3 cc cc cc cc 48 c7 c1 c5 88 7c 87 48 85 ed 74 04 48 8b 4d 58 48 8d 3d 2f fa 9f 07 48 8b 72 58 48 89 da <67> 48 0f b9 3a 48 85 ed 74 b7 48 89 de 48 89 ef 5b 5d e9 01 eb ff
[ 3065.323128] RSP: 0018:ffffc90003e279d0 EFLAGS: 00010286
[ 3065.323142] RAX: ffffea00061b5b80 RBX: ffff888186d6e000 RCX: ffffffff877c6c5e
[ 3065.323161] RDX: ffff888186d6e000 RSI: ffffffff87068bc0 RDI: ffffffff8985e370
[ 3065.323170] RBP: ffff8881000421c0 R08: 0000000000000005 R09: 0000000000000180
[ 3065.323180] R10: 0000000000000180 R11: ffff8881060939c0 R12: 0000000000000000
[ 3065.323189] R13: 0000000000000000 R14: ffff888186d6e1b0 R15: 0000000000000000
[ 3065.323198] FS: 00007fbd28700780(0000) GS:ffff8881fc6a5000(0000) knlGS:0000000000000000
[ 3065.323211] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3065.323221] CR2: 000055919b946080 CR3: 000000010b7d4006 CR4: 0000000000370ef0
[ 3065.323231] Call Trace:
[ 3065.323237] <TASK>
[ 3065.323247] skb_free_head+0x1ec/0x290
[ 3065.323267] skb_release_data+0x7a6/0x9d0
[ 3065.323285] ? __pfx_bpf_ctx_finish.isra.0+0x10/0x10
[ 3065.323308] ? bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.323322] sk_skb_reason_drop+0x142/0x550
[ 3065.323343] bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.323356] ? __lock_acquire+0x466/0x2270
[ 3065.323373] ? lock_is_held_type+0x8f/0x100
[ 3065.323388] ? lock_is_held_type+0x8f/0x100
[ 3065.323414] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.323427] ? lock_release+0xc8/0x2a0
[ 3065.323441] ? bpf_check_uarg_tail_zero+0x127/0x1b0
[ 3065.323457] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 3065.323473] ? fdget+0x17a/0x210
[ 3065.323495] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.323510] __sys_bpf+0x769/0x4b60
[ 3065.323530] ? __pfx___sys_bpf+0x10/0x10
[ 3065.323551] ? find_held_lock+0x2b/0x80
[ 3065.323581] ? finish_task_switch.isra.0+0x120/0x5d0
[ 3065.323598] ? lock_release+0xc8/0x2a0
[ 3065.323616] ? trace_hardirqs_on+0x18/0x170
[ 3065.323631] ? finish_task_switch.isra.0+0x1af/0x5d0
[ 3065.323646] ? __switch_to+0x7a0/0x1130
[ 3065.323662] ? __switch_to_asm+0x33/0x70
[ 3065.323734] ? exit_to_user_mode_loop+0xae/0x460
[ 3065.323763] __x64_sys_bpf+0x78/0xc0
[ 3065.323780] ? trace_hardirqs_on+0x18/0x170
[ 3065.323794] do_syscall_64+0x111/0x690
[ 3065.323813] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3065.323827] RIP: 0033:0x7fbd2883790d
[ 3065.323844] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d3 f4 0f 00 f7 d8 64 89 01 48
[ 3065.323857] RSP: 002b:00007ffe05c1edd8 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
[ 3065.323872] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbd2883790d
[ 3065.323881] RDX: 0000000000000050 RSI: 00007ffe05c1ee00 RDI: 000000000000000a
[ 3065.323891] RBP: 00007ffe05c1ee60 R08: 0000000000000000 R09: 0000000000000000
[ 3065.323900] R10: 0000000000000004 R11: 0000000000000206 R12: 00007ffe05c1efa8
[ 3065.323909] R13: 0000000000000001 R14: 00007fbd289a3000 R15: 00005614a0f75d80
[ 3065.323932] </TASK>
[ 3065.323938] irq event stamp: 4563
[ 3065.323945] hardirqs last enabled at (4569): [<ffffffff8164e686>] __up_console_sem+0x76/0x80
[ 3065.323963] hardirqs last disabled at (4574): [<ffffffff8164e66b>] __up_console_sem+0x5b/0x80
[ 3065.323979] softirqs last enabled at (4198): [<ffffffff85800328>] bpf_test_run+0x388/0xc20
[ 3065.324000] softirqs last disabled at (4196): [<ffffffff8580037e>] bpf_test_run+0x3de/0xc20
[ 3065.324020] ---[ end trace 0000000000000000 ]---
[ 3065.329750] Allocated in 0xadacafaea9a8abaa age=5932173448745943461 cpu=2913775534 pid=-1448563798
[ 3065.329797] ------------[ cut here ]------------
[ 3065.329804] pool index 43945 out of bounds (431) for stack id a9a8abaa
[ 3065.329814] WARNING: lib/stackdepot.c:506 at depot_fetch_stack+0x83/0xb0, CPU#0: repro_bpf/2167
[ 3065.329838] Modules linked in:
[ 3065.329853] CPU: 0 UID: 0 PID: 2167 Comm: repro_bpf Tainted: G W 7.0.0-rc5 #1 PREEMPT(lazy)
[ 3065.329871] Tainted: [W]=WARN
[ 3065.329877] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 3065.329886] RIP: 0010:depot_fetch_stack+0x8a/0xb0
[ 3065.329905] Code: be ff ff ff ff 48 c7 c7 58 c1 df 88 e8 6f a1 aa 02 83 f8 01 75 bd 90 0f 0b 90 eb b7 48 8d 3d 0d 4d d6 05 89 e9 44 89 ea 89 de <67> 48 0f b9 3a 31 c0 eb c2 90 0f 0b 90 31 c0 eb ba 90 0f 0b 90 31
[ 3065.329918] RSP: 0018:ffffc90003e27988 EFLAGS: 00010216
[ 3065.329931] RAX: 0000000000000000 RBX: 000000000000aba9 RCX: 00000000a9a8abaa
[ 3065.329940] RDX: 00000000000001af RSI: 000000000000aba9 RDI: ffffffff898838d0
[ 3065.329950] RBP: 00000000a9a8abaa R08: 0000000000000001 R09: 0000000000000000
[ 3065.329959] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000d40
[ 3065.329968] R13: 00000000000001af R14: ffff888186d6e1b0 R15: 0000000000000000
[ 3065.329977] FS: 00007fbd28700780(0000) GS:ffff8881fc6a5000(0000) knlGS:0000000000000000
[ 3065.329991] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3065.330001] CR2: 00007fadb5c80560 CR3: 000000010b7d4002 CR4: 0000000000370ef0
[ 3065.330010] Call Trace:
[ 3065.330017] <TASK>
[ 3065.330026] stack_depot_print+0x30/0x60
[ 3065.330045] print_tracking+0x3a/0x70
[ 3065.330061] skb_free_head+0x1ec/0x290
[ 3065.330078] skb_release_data+0x7a6/0x9d0
[ 3065.330106] ? __pfx_bpf_ctx_finish.isra.0+0x10/0x10
[ 3065.330130] ? bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.330153] sk_skb_reason_drop+0x142/0x550
[ 3065.330173] bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.330187] ? __lock_acquire+0x466/0x2270
[ 3065.330204] ? lock_is_held_type+0x8f/0x100
[ 3065.330218] ? lock_is_held_type+0x8f/0x100
[ 3065.330244] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.330258] ? lock_release+0xc8/0x2a0
[ 3065.330271] ? bpf_check_uarg_tail_zero+0x127/0x1b0
[ 3065.330287] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 3065.330303] ? fdget+0x17a/0x210
[ 3065.330325] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.330341] __sys_bpf+0x769/0x4b60
[ 3065.330361] ? __pfx___sys_bpf+0x10/0x10
[ 3065.330381] ? find_held_lock+0x2b/0x80
[ 3065.330400] ? finish_task_switch.isra.0+0x120/0x5d0
[ 3065.330416] ? lock_release+0xc8/0x2a0
[ 3065.330434] ? trace_hardirqs_on+0x18/0x170
[ 3065.330449] ? finish_task_switch.isra.0+0x1af/0x5d0
[ 3065.330463] ? __switch_to+0x7a0/0x1130
[ 3065.330478] ? __switch_to_asm+0x33/0x70
[ 3065.330513] ? exit_to_user_mode_loop+0xae/0x460
[ 3065.330531] __x64_sys_bpf+0x78/0xc0
[ 3065.330548] ? trace_hardirqs_on+0x18/0x170
[ 3065.330573] do_syscall_64+0x111/0x690
[ 3065.330593] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3065.330608] RIP: 0033:0x7fbd2883790d
[ 3065.330629] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d3 f4 0f 00 f7 d8 64 89 01 48
[ 3065.330642] RSP: 002b:00007ffe05c1edd8 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
[ 3065.330656] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbd2883790d
[ 3065.330665] RDX: 0000000000000050 RSI: 00007ffe05c1ee00 RDI: 000000000000000a
[ 3065.330674] RBP: 00007ffe05c1ee60 R08: 0000000000000000 R09: 0000000000000000
[ 3065.330683] R10: 0000000000000004 R11: 0000000000000206 R12: 00007ffe05c1efa8
[ 3065.330693] R13: 0000000000000001 R14: 00007fbd289a3000 R15: 00005614a0f75d80
[ 3065.330747] </TASK>
[ 3065.330755] irq event stamp: 4989
[ 3065.330761] hardirqs last enabled at (4995): [<ffffffff8164e686>] __up_console_sem+0x76/0x80
[ 3065.330779] hardirqs last disabled at (5000): [<ffffffff8164e66b>] __up_console_sem+0x5b/0x80
[ 3065.330796] softirqs last enabled at (4198): [<ffffffff85800328>] bpf_test_run+0x388/0xc20
[ 3065.330816] softirqs last disabled at (4196): [<ffffffff8580037e>] bpf_test_run+0x3de/0xc20
[ 3065.330837] ---[ end trace 0000000000000000 ]---
[ 3065.331246] ------------[ cut here ]------------
[ 3065.331254] corrupt handle or use after stack_depot_put()
[ 3065.331259] WARNING: lib/stackdepot.c:780 at stack_depot_print+0x55/0x60, CPU#0: repro_bpf/2167
[ 3065.331285] Modules linked in:
[ 3065.331298] CPU: 0 UID: 0 PID: 2167 Comm: repro_bpf Tainted: G W 7.0.0-rc5 #1 PREEMPT(lazy)
[ 3065.331315] Tainted: [W]=WARN
[ 3065.331322] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 3065.331330] RIP: 0010:stack_depot_print+0x55/0x60
[ 3065.331349] Code: e8 c0 f9 ff ff 48 85 c0 74 19 8b 70 14 48 8d 78 20 85 f6 74 e2 5b 31 d2 5d e9 b7 ed c0 fd c3 cc cc cc cc 48 8d 3d 8b 47 d6 05 <67> 48 0f b9 3a eb c6 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90
[ 3065.331362] RSP: 0018:ffffc90003e279b0 EFLAGS: 00010246
[ 3065.331374] RAX: 0000000000000000 RBX: 00000000a9a8abaa RCX: 00000000a9a8abaa
[ 3065.331384] RDX: 00000000000001af RSI: 000000000000aba9 RDI: ffffffff89883930
[ 3065.331393] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 3065.331402] R10: 0000000000000000 R11: 0000000000000001 R12: 00000001002a2d4f
[ 3065.331411] R13: 0000000000000000 R14: ffff888186d6e1b0 R15: 0000000000000000
[ 3065.331420] FS: 00007fbd28700780(0000) GS:ffff8881fc6a5000(0000) knlGS:0000000000000000
[ 3065.331433] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3065.331443] CR2: 00007fadb5c80560 CR3: 000000010b7d4002 CR4: 0000000000370ef0
[ 3065.331453] Call Trace:
[ 3065.331459] <TASK>
[ 3065.331467] print_tracking+0x3a/0x70
[ 3065.331482] skb_free_head+0x1ec/0x290
[ 3065.331499] skb_release_data+0x7a6/0x9d0
[ 3065.331516] ? __pfx_bpf_ctx_finish.isra.0+0x10/0x10
[ 3065.331539] ? bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.331564] sk_skb_reason_drop+0x142/0x550
[ 3065.331585] bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.331599] ? __lock_acquire+0x466/0x2270
[ 3065.331623] ? lock_is_held_type+0x8f/0x100
[ 3065.331638] ? lock_is_held_type+0x8f/0x100
[ 3065.331664] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.331701] ? lock_release+0xc8/0x2a0
[ 3065.331717] ? bpf_check_uarg_tail_zero+0x127/0x1b0
[ 3065.331733] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 3065.331750] ? fdget+0x17a/0x210
[ 3065.331771] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.331787] __sys_bpf+0x769/0x4b60
[ 3065.331807] ? __pfx___sys_bpf+0x10/0x10
[ 3065.331827] ? find_held_lock+0x2b/0x80
[ 3065.331846] ? finish_task_switch.isra.0+0x120/0x5d0
[ 3065.331862] ? lock_release+0xc8/0x2a0
[ 3065.331879] ? trace_hardirqs_on+0x18/0x170
[ 3065.331894] ? finish_task_switch.isra.0+0x1af/0x5d0
[ 3065.331908] ? __switch_to+0x7a0/0x1130
[ 3065.331923] ? __switch_to_asm+0x33/0x70
[ 3065.331958] ? exit_to_user_mode_loop+0xae/0x460
[ 3065.331976] __x64_sys_bpf+0x78/0xc0
[ 3065.331993] ? trace_hardirqs_on+0x18/0x170
[ 3065.332007] do_syscall_64+0x111/0x690
[ 3065.332026] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3065.332040] RIP: 0033:0x7fbd2883790d
[ 3065.332051] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d3 f4 0f 00 f7 d8 64 89 01 48
[ 3065.332064] RSP: 002b:00007ffe05c1edd8 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
[ 3065.332079] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbd2883790d
[ 3065.332099] RDX: 0000000000000050 RSI: 00007ffe05c1ee00 RDI: 000000000000000a
[ 3065.332108] RBP: 00007ffe05c1ee60 R08: 0000000000000000 R09: 0000000000000000
[ 3065.332118] R10: 0000000000000004 R11: 0000000000000206 R12: 00007ffe05c1efa8
[ 3065.332127] R13: 0000000000000001 R14: 00007fbd289a3000 R15: 00005614a0f75d80
[ 3065.332159] </TASK>
[ 3065.332165] irq event stamp: 5401
[ 3065.332171] hardirqs last enabled at (5407): [<ffffffff8164e686>] __up_console_sem+0x76/0x80
[ 3065.332188] hardirqs last disabled at (5412): [<ffffffff8164e66b>] __up_console_sem+0x5b/0x80
[ 3065.332205] softirqs last enabled at (4198): [<ffffffff85800328>] bpf_test_run+0x388/0xc20
[ 3065.332225] softirqs last disabled at (4196): [<ffffffff8580037e>] bpf_test_run+0x3de/0xc20
[ 3065.332246] ---[ end trace 0000000000000000 ]---
[ 3065.337724] Freed in 0xadacafaea9a8abaa age=5932173448745943461 cpu=2913775534 pid=-1448563798
[ 3065.337767] ------------[ cut here ]------------
[ 3065.337775] pool index 43945 out of bounds (431) for stack id a9a8abaa
[ 3065.337785] WARNING: lib/stackdepot.c:506 at depot_fetch_stack+0x83/0xb0, CPU#0: repro_bpf/2167
[ 3065.337811] Modules linked in:
[ 3065.337826] CPU: 0 UID: 0 PID: 2167 Comm: repro_bpf Tainted: G W 7.0.0-rc5 #1 PREEMPT(lazy)
[ 3065.337844] Tainted: [W]=WARN
[ 3065.337850] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 3065.337860] RIP: 0010:depot_fetch_stack+0x8a/0xb0
[ 3065.337879] Code: be ff ff ff ff 48 c7 c7 58 c1 df 88 e8 6f a1 aa 02 83 f8 01 75 bd 90 0f 0b 90 eb b7 48 8d 3d 0d 4d d6 05 89 e9 44 89 ea 89 de <67> 48 0f b9 3a 31 c0 eb c2 90 0f 0b 90 31 c0 eb ba 90 0f 0b 90 31
[ 3065.337892] RSP: 0018:ffffc90003e279a8 EFLAGS: 00010216
[ 3065.337906] RAX: 0000000000000000 RBX: 000000000000aba9 RCX: 00000000a9a8abaa
[ 3065.337916] RDX: 00000000000001af RSI: 000000000000aba9 RDI: ffffffff898838d0
[ 3065.337926] RBP: 00000000a9a8abaa R08: 0000000000000001 R09: 0000000000000000
[ 3065.337935] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000d40
[ 3065.337945] R13: 00000000000001af R14: ffff888186d6e1b0 R15: 0000000000000000
[ 3065.337954] FS: 00007fbd28700780(0000) GS:ffff8881fc6a5000(0000) knlGS:0000000000000000
[ 3065.337968] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3065.337978] CR2: 00007fadb5a9d9a0 CR3: 000000010b7d4002 CR4: 0000000000370ef0
[ 3065.337988] Call Trace:
[ 3065.337995] <TASK>
[ 3065.338004] stack_depot_print+0x30/0x60
[ 3065.338024] skb_free_head+0x1ec/0x290
[ 3065.338042] skb_release_data+0x7a6/0x9d0
[ 3065.338060] ? __pfx_bpf_ctx_finish.isra.0+0x10/0x10
[ 3065.338085] ? bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.338100] sk_skb_reason_drop+0x142/0x550
[ 3065.338121] bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.338136] ? __lock_acquire+0x466/0x2270
[ 3065.338153] ? lock_is_held_type+0x8f/0x100
[ 3065.338168] ? lock_is_held_type+0x8f/0x100
[ 3065.338195] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.338209] ? lock_release+0xc8/0x2a0
[ 3065.338223] ? bpf_check_uarg_tail_zero+0x127/0x1b0
[ 3065.338239] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 3065.338256] ? fdget+0x17a/0x210
[ 3065.338279] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.338295] __sys_bpf+0x769/0x4b60
[ 3065.338316] ? __pfx___sys_bpf+0x10/0x10
[ 3065.338337] ? find_held_lock+0x2b/0x80
[ 3065.338356] ? finish_task_switch.isra.0+0x120/0x5d0
[ 3065.338373] ? lock_release+0xc8/0x2a0
[ 3065.338391] ? trace_hardirqs_on+0x18/0x170
[ 3065.338406] ? finish_task_switch.isra.0+0x1af/0x5d0
[ 3065.338421] ? __switch_to+0x7a0/0x1130
[ 3065.338438] ? __switch_to_asm+0x33/0x70
[ 3065.338473] ? exit_to_user_mode_loop+0xae/0x460
[ 3065.338492] __x64_sys_bpf+0x78/0xc0
[ 3065.338510] ? trace_hardirqs_on+0x18/0x170
[ 3065.338524] do_syscall_64+0x111/0x690
[ 3065.338544] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3065.338567] RIP: 0033:0x7fbd2883790d
[ 3065.338589] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d3 f4 0f 00 f7 d8 64 89 01 48
[ 3065.338603] RSP: 002b:00007ffe05c1edd8 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
[ 3065.338618] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbd2883790d
[ 3065.338628] RDX: 0000000000000050 RSI: 00007ffe05c1ee00 RDI: 000000000000000a
[ 3065.338638] RBP: 00007ffe05c1ee60 R08: 0000000000000000 R09: 0000000000000000
[ 3065.338647] R10: 0000000000000004 R11: 0000000000000206 R12: 00007ffe05c1efa8
[ 3065.338656] R13: 0000000000000001 R14: 00007fbd289a3000 R15: 00005614a0f75d80
[ 3065.338715] </TASK>
[ 3065.338723] irq event stamp: 5821
[ 3065.338730] hardirqs last enabled at (5827): [<ffffffff8164e686>] __up_console_sem+0x76/0x80
[ 3065.338749] hardirqs last disabled at (5832): [<ffffffff8164e66b>] __up_console_sem+0x5b/0x80
[ 3065.338766] softirqs last enabled at (4198): [<ffffffff85800328>] bpf_test_run+0x388/0xc20
[ 3065.338788] softirqs last disabled at (4196): [<ffffffff8580037e>] bpf_test_run+0x3de/0xc20
[ 3065.338809] ---[ end trace 0000000000000000 ]---
[ 3065.339970] ------------[ cut here ]------------
[ 3065.339981] corrupt handle or use after stack_depot_put()
[ 3065.339986] WARNING: lib/stackdepot.c:780 at stack_depot_print+0x55/0x60, CPU#0: repro_bpf/2167
[ 3065.340013] Modules linked in:
[ 3065.340027] CPU: 0 UID: 0 PID: 2167 Comm: repro_bpf Tainted: G W 7.0.0-rc5 #1 PREEMPT(lazy)
[ 3065.340045] Tainted: [W]=WARN
[ 3065.340051] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 3065.340060] RIP: 0010:stack_depot_print+0x55/0x60
[ 3065.340078] Code: e8 c0 f9 ff ff 48 85 c0 74 19 8b 70 14 48 8d 78 20 85 f6 74 e2 5b 31 d2 5d e9 b7 ed c0 fd c3 cc cc cc cc 48 8d 3d 8b 47 d6 05 <67> 48 0f b9 3a eb c6 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90
[ 3065.340102] RSP: 0018:ffffc90003e279d0 EFLAGS: 00010246
[ 3065.340115] RAX: 0000000000000000 RBX: 00000000a9a8abaa RCX: 00000000a9a8abaa
[ 3065.340125] RDX: 00000000000001af RSI: 000000000000aba9 RDI: ffffffff89883930
[ 3065.340135] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 3065.340144] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[ 3065.340161] R13: 0000000000000000 R14: ffff888186d6e1b0 R15: 0000000000000000
[ 3065.340171] FS: 00007fbd28700780(0000) GS:ffff8881fc6a5000(0000) knlGS:0000000000000000
[ 3065.340184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3065.340194] CR2: 00007fadb5e73e70 CR3: 000000010b7d4002 CR4: 0000000000370ef0
[ 3065.340203] Call Trace:
[ 3065.340210] <TASK>
[ 3065.340218] skb_free_head+0x1ec/0x290
[ 3065.340235] skb_release_data+0x7a6/0x9d0
[ 3065.340253] ? __pfx_bpf_ctx_finish.isra.0+0x10/0x10
[ 3065.340276] ? bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.340290] sk_skb_reason_drop+0x142/0x550
[ 3065.340310] bpf_prog_test_run_skb+0x14f8/0x3410
[ 3065.340324] ? __lock_acquire+0x466/0x2270
[ 3065.340340] ? lock_is_held_type+0x8f/0x100
[ 3065.340354] ? lock_is_held_type+0x8f/0x100
[ 3065.340380] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.340394] ? lock_release+0xc8/0x2a0
[ 3065.340407] ? bpf_check_uarg_tail_zero+0x127/0x1b0
[ 3065.340423] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 3065.340439] ? fdget+0x17a/0x210
[ 3065.340461] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 3065.340476] __sys_bpf+0x769/0x4b60
[ 3065.340496] ? __pfx___sys_bpf+0x10/0x10
[ 3065.340517] ? find_held_lock+0x2b/0x80
[ 3065.340535] ? finish_task_switch.isra.0+0x120/0x5d0
[ 3065.340555] ? lock_release+0xc8/0x2a0
[ 3065.340588] ? trace_hardirqs_on+0x18/0x170
[ 3065.340604] ? finish_task_switch.isra.0+0x1af/0x5d0
[ 3065.340618] ? __switch_to+0x7a0/0x1130
[ 3065.340634] ? __switch_to_asm+0x33/0x70
[ 3065.340699] ? exit_to_user_mode_loop+0xae/0x460
[ 3065.340721] __x64_sys_bpf+0x78/0xc0
[ 3065.340738] ? trace_hardirqs_on+0x18/0x170
[ 3065.340752] do_syscall_64+0x111/0x690
[ 3065.340771] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3065.340785] RIP: 0033:0x7fbd2883790d
[ 3065.340797] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d3 f4 0f 00 f7 d8 64 89 01 48
[ 3065.340810] RSP: 002b:00007ffe05c1edd8 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
[ 3065.340825] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbd2883790d
[ 3065.340834] RDX: 0000000000000050 RSI: 00007ffe05c1ee00 RDI: 000000000000000a
[ 3065.340843] RBP: 00007ffe05c1ee60 R08: 0000000000000000 R09: 0000000000000000
[ 3065.340852] R10: 0000000000000004 R11: 0000000000000206 R12: 00007ffe05c1efa8
[ 3065.340862] R13: 0000000000000001 R14: 00007fbd289a3000 R15: 00005614a0f75d80
[ 3065.340896] </TASK>
[ 3065.340918] irq event stamp: 6227
[ 3065.340925] hardirqs last enabled at (6233): [<ffffffff8164e686>] __up_console_sem+0x76/0x80
[ 3065.340943] hardirqs last disabled at (6238): [<ffffffff8164e66b>] __up_console_sem+0x5b/0x80
[ 3065.340961] softirqs last enabled at (4198): [<ffffffff85800328>] bpf_test_run+0x388/0xc20
[ 3065.340987] softirqs last disabled at (4196): [<ffffffff8580037e>] bpf_test_run+0x3de/0xc20
[ 3065.341022] ---[ end trace 0000000000000000 ]---

#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/syscall.h>
#include <sys/mman.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

/* BPF insns: ld_imm64(r0,0) + exit — 3 insns = 24 bytes */
static uint8_t bpf_prog_bytes[] = {
	0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* 284 bytes of data taken verbatim from the syzkaller repro.cprog (confirmed crash) */
static uint8_t syz_data[284] = {
	0x60,0xdc,0x24,0x19,0xdd,0x5e,0x95,0xd4,0x73,0x79,0xd5,0x04,0xef,0x23,0xc1,0x79,
	0x45,0x52,0xaa,0x7b,0x7d,0x1d,0x56,0xfa,0xba,0x28,0x2e,0x46,0xc9,0x45,0x81,0x3d,
	0x60,0x90,0xa3,0x11,0x47,0xc0,0x7f,0x95,0xf2,0x71,0x69,0xcb,0x54,0xbe,0x67,0x59,
	0x79,0x28,0x85,0xcb,0x60,0xfa,0x32,0x80,0x61,0xa0,0xc9,0x05,0xc3,0xaa,0x1e,0x4c,
	0x7b,0x82,0xf5,0x74,0x69,0x25,0x10,0x83,0xa0,0x12,0x8e,0x50,0xde,0xb0,0x10,0x72,
	0xd9,0xc4,0x7a,0x94,0xca,0x02,0xb3,0xf7,0x4a,0xf9,0xba,0xcf,0xb5,0xf7,0x06,0x13,
	0x36,0x1b,0x48,0x01,0xbe,0xd2,0x6b,0x41,0x30,0xf9,0x68,0x1e,0xd2,0xa7,0xc6,0x93,
	0xff,0x8e,0xd1,0xea,0xf8,0x20,0xc0,0x60,0x13,0x33,0xe5,0xed,0x3f,0xd2,0xdc,0x8a,
	0x5d,0xea,0xbe,0xeb,0x37,0xaf,0x12,0x0a,0x72,0xe5,0x00,0x8f,0xea,0xf8,0xae,0x0f,
	0x59,0x9d,0xc1,0x86,0xc5,0xd5,0x8c,0x54,0x4a,0x1e,0xc8,0x83,0xf4,0xbc,0x04,0x6e,
	0xd9,0x7a,0xf6,0x39,0x06,0xc0,0x12,0xab,0x0b,0xa6,0xa6,0x6e,0x06,0xcc,0x06,0x17,
	0x78,0xe5,0x95,0x13,0x1c,0x15,0xcd,0xdf,0x7c,0x57,0x75,0xe3,0xaa,0x3d,0x8a,0x14,
	0x13,0x97,0xed,0x95,0x93,0x90,0x27,0x81,0xf2,0xa1,0x64,0x32,0x5f,0x30,0x4c,0xba,
	0x56,0x6f,0xa5,0x7e,0xef,0xff,0xa7,0x9e,0xa5,0xbb,0x08,0x71,0xd9,0x9f,0x3e,0xbb,
	0x4c,0x46,0xed,0x51,0xc9,0x55,0x2b,0xda,0x25,0xa8,0x12,0x85,0xdc,0x0b,0x06,0x4a,
	0xa7,0xfc,0xfb,0x00,0xf7,0x8a,0x33,0x24,0x8e,0x4d,0xf8,0x87,0xf2,0xe6,0x09,0x5c,
	0x05,0xc9,0x97,0x20,0x96,0x66,0xf9,0xb5,0xad,0x2f,0xed,0x68,0x41,0xfa,0xb9,0x93,
	0x28,0x88,0x5b,0x45,0x5e,0x61,0x6f,0x62,0x94,0xaa,0x17,0x68,
};

/* BPF_PROG_LOAD (cmd 5): union bpf_attr filled in by hand at the ABI offsets
 * prog_type @0x00, insn_cnt @0x04, insns @0x08, license @0x10 */
static int bpf_load(void)
{
	uint8_t attr[0x94] __attribute__((aligned(8)));
	memset(attr, 0, sizeof(attr));
	*(uint32_t *)(attr + 0x00) = 3;                         /* BPF_PROG_TYPE_SCHED_CLS */
	*(uint32_t *)(attr + 0x04) = 3;                         /* insn_cnt */
	*(uint64_t *)(attr + 0x08) = (uintptr_t)bpf_prog_bytes; /* insns */
	*(uint64_t *)(attr + 0x10) = (uintptr_t)"GPL";          /* license */
	return (int)syscall(__NR_bpf, 5, attr, 0x94);
}

/* BPF_PROG_TEST_RUN (cmd 10): prog_fd @0x00, data_size_in @0x08, data_in @0x10,
 * repeat @0x20, flags @0x40, cpu @0x44 */
static long bpf_run(int fd, void *data, uint32_t sz,
		    uint32_t repeat, uint32_t flags)
{
	uint8_t attr[0x50] __attribute__((aligned(8)));
	memset(attr, 0, sizeof(attr));
	*(uint32_t *)(attr + 0x00) = (uint32_t)fd;
	*(uint32_t *)(attr + 0x08) = sz;
	*(uint64_t *)(attr + 0x10) = (uintptr_t)data;
	*(uint32_t *)(attr + 0x20) = repeat;
	*(uint32_t *)(attr + 0x40) = flags; /* BPF_F_TEST_RUN_ON_CPU = 4 */
	*(uint32_t *)(attr + 0x44) = 0;     /* cpu = 0 */
	return syscall(__NR_bpf, 10, attr, 0x50);
}

int main(void)
{
	printf("repro2 — warn_free_bad_obj (syzkaller exact data)\n");
	printf("uid=%d euid=%d\n", getuid(), geteuid());

	/* Set up the same fixed mappings that syzkaller's generated program uses */
	syscall(__NR_mmap, 0x1ffffffff000ul, 0x1000ul,
		0ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x200000000000ul, 0x1000000ul,
		7ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x200001000000ul, 0x1000ul,
		0ul, 0x32ul, -1, 0ul);

	int fd = bpf_load();
	if (fd < 0) {
		printf("[-] BPF_PROG_LOAD: %s\n", strerror(errno));
		return 1;
	}
	printf("[+] prog fd=%d\n", fd);

	printf("[*] Trigger: syz_data=284B flags=4 repeat=4\n");
	long ret = bpf_run(fd, syz_data, 284, 4, 4);
	printf("[*] ret=%ld\n", ret);

	/* Repeat the test run so the trigger is reliable */
	for (int i = 0; i < 50; i++)
		bpf_run(fd, syz_data, 284, 4, 4);

	printf("[+] Done — cek: dmesg | grep warn_free\n");
	close(fd);
	return 0;
}

Attachment: dmesg.png
Description: PNG image