Conversation

@kernel-patches-daemon-bpf-rc

Pull request for series with
subject: bpf: avoid sleeping in invalid context during sock_map_delete_elem path
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1010865

@kernel-patches-daemon-bpf-rc
Author

Upstream branch: 39e9d5f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1010865
version: 2

@kernel-patches-daemon-bpf-rc
Author

Upstream branch: 39e9d5f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1010865
version: 2

@kernel-patches-daemon-bpf-rc
Author

Upstream branch: 48a97ff
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1010865
version: 2

@kernel-patches-daemon-bpf-rc
Author

Upstream branch: 27aab47
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1010865
version: 2

@kernel-patches-daemon-bpf-rc
Author

Upstream branch: 48a97ff
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1010865
version: 2

@kernel-patches-daemon-bpf-rc
Author

Upstream branch: 48a97ff
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1010865
version: 2

@kernel-patches-daemon-bpf-rc
Author

Upstream branch: 48a97ff
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1010865
version: 2

The syzkaller report exposed a BUG: “sleeping function called from
invalid context” in sock_map_delete_elem, which happens when
`bpf_test_timer_enter()` disables preemption but the delete path later
invokes a sleeping function while still in that context. Specifically:

- The crash trace shows `bpf_test_timer_enter()` acquiring a
  preempt_disable path (via t->mode == NO_PREEMPT), but the symmetric
  release path always calls migrate_enable(), mismatching the earlier
  disable.
- As a result, preemption remains disabled across the
  sock_map_delete_elem path, leading to a sleeping call under an invalid
  context.

To fix this, normalize the disable/enable pairing: always use
migrate_disable()/migrate_enable() regardless of t->mode. This ensures
that we never remain with preemption disabled unintentionally when
entering the delete path, and avoids invalid-context sleeping.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=1f1fbecb9413cdbfbef8
Suggested-by: Yonghong Song <[email protected]>
Suggested-by: Menglong Dong <[email protected]>
Co-authored-by: Sahil Chandna <[email protected]>
Signed-off-by: Brahmajit Das <[email protected]>
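To make the pairing bug in the commit message concrete, here is an added userspace model (not kernel code, and not from this series): two counters stand in for the task's preempt and migrate state, a `sleeping_is_invalid()` helper stands in for `might_sleep()`, and the "before" and "after" enter/leave pairs are compared. The `NO_MIGRATE` mode name, the `task_ctx` struct and all function names are assumptions made for the illustration; only `NO_PREEMPT`, `migrate_disable()/migrate_enable()` and the described asymmetry come from the commit message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only (added example, not kernel code): one task's
 * context counters. In the kernel, preempt_count > 0 is what makes
 * might_sleep() report "BUG: sleeping function called from invalid
 * context"; migrate_disable() on its own still allows sleeping. */
struct task_ctx {
	int preempt_count;  /* preemption disabled while > 0 */
	int migrate_count;  /* migration disabled while > 0 */
};

static void preempt_disable(struct task_ctx *c) { c->preempt_count++; }
static void migrate_disable(struct task_ctx *c) { c->migrate_count++; }
static void migrate_enable(struct task_ctx *c)  { c->migrate_count--; }

/* Stand-in for might_sleep(): true means the kernel would report the BUG. */
static bool sleeping_is_invalid(const struct task_ctx *c)
{
	return c->preempt_count > 0;
}

/* NO_PREEMPT is the mode named in the commit message; NO_MIGRATE is the
 * assumed name of the other mode that takes the migrate_disable() branch. */
enum timer_mode { NO_PREEMPT = 1, NO_MIGRATE = 2 };

/* "Before": enter honours the mode, but leave always calls
 * migrate_enable(), so for NO_PREEMPT the preempt_count is never dropped
 * (and migrate_count underflows). */
static void buggy_timer_enter(struct task_ctx *c, enum timer_mode mode)
{
	if (mode == NO_PREEMPT)
		preempt_disable(c);
	else
		migrate_disable(c);
}
static void buggy_timer_leave(struct task_ctx *c)
{
	migrate_enable(c);
}

/* "After": always migrate_disable()/migrate_enable(), regardless of mode. */
static void fixed_timer_enter(struct task_ctx *c, enum timer_mode mode)
{
	(void)mode;
	migrate_disable(c);
}
static void fixed_timer_leave(struct task_ctx *c)
{
	migrate_enable(c);
}

/* One test-run iteration followed by a later path that may sleep (the
 * sock_map_delete_elem path in the report). Returns true if that sleep
 * would happen in an invalid context. */
static bool delete_path_sleep_is_invalid(bool fixed, enum timer_mode mode)
{
	struct task_ctx c = { 0, 0 };

	if (fixed)
		fixed_timer_enter(&c, mode);
	else
		buggy_timer_enter(&c, mode);
	/* ... BPF program runs under the timer here ... */
	if (fixed)
		fixed_timer_leave(&c);
	else
		buggy_timer_leave(&c);

	return sleeping_is_invalid(&c);
}

/* True if both counters are back at zero after one enter/leave pair. */
static bool counters_balanced(bool fixed, enum timer_mode mode)
{
	struct task_ctx c = { 0, 0 };

	if (fixed) {
		fixed_timer_enter(&c, mode);
		fixed_timer_leave(&c);
	} else {
		buggy_timer_enter(&c, mode);
		buggy_timer_leave(&c);
	}
	return c.preempt_count == 0 && c.migrate_count == 0;
}

int main(void)
{
	printf("buggy NO_PREEMPT: invalid sleep=%d balanced=%d\n",
	       delete_path_sleep_is_invalid(false, NO_PREEMPT),
	       counters_balanced(false, NO_PREEMPT));
	printf("fixed NO_PREEMPT: invalid sleep=%d balanced=%d\n",
	       delete_path_sleep_is_invalid(true, NO_PREEMPT),
	       counters_balanced(true, NO_PREEMPT));
	return 0;
}
```

The model deliberately ignores everything except the two counters: the point is that an enter/leave pair keyed on a mode value must consult that mode on both sides, or use one primitive on both sides as the fix does. With the buggy pair and `NO_PREEMPT`, `preempt_count` stays at 1 after leave and the later sleep is flagged, while `migrate_count` goes to -1; with the fixed pair both counters return to zero for either mode.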
@kernel-patches-daemon-bpf-rc
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1010865 expired. Closing PR.
