bpf_mem_cache_free_rcu() maybe called in preemptible context, this will trigger the below warning message: BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820 caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 Call Trace: check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47 bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954 rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969 __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349 bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1 __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1 this_cpu_ptr() access needs to be guarded against preemption. Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().") Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f Signed-off-by: Edward Adam Davis --- v1 -> v2: using guard against preemption v2 -> v3: replace get/put_cpu() to bpf_disable/enable_instrumentation() kernel/bpf/hashtab.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 9f394e1aa2e8..d3f2f8a379e8 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -3299,6 +3299,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, dst_val = values; total = 0; + bpf_disable_instrumentation(); rcu_read_lock(); /* @@ -3313,6 +3314,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, elem = rhtab_lookup_elem(map, cursor); if (!elem) { rcu_read_unlock(); + bpf_enable_instrumentation(); ret = -EAGAIN; goto free; } @@ -3350,6 +3352,7 @@ static int __rhtab_map_lookup_and_delete_batch(struct bpf_map *map, } rcu_read_unlock(); + bpf_enable_instrumentation(); if (total == 0) { ret = -ENOENT; -- 2.43.0
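Review bot: In the first hunk, where bpf_disable_instrumentation() is added before rcu_read_lock(), the guard is placed in one caller, __rhtab_map_lookup_and_delete_batch(), while the trace shows the warning being raised in bpf_mem_cache_free_rcu() reached through rhtab_delete_elem(). Any other caller that reaches rhtab_delete_elem() from preemptible context would still trigger it. Please either state in the changelog that the other callers were checked, or move the guard next to the bpf_mem_cache_free_rcu() call in rhtab_delete_elem(). The changelog also says this_cpu_ptr() must be guarded against preemption but does not say why bpf_disable_instrumentation() is sufficient for that; the v2 -> v3 note only records the switch away from get/put_cpu(), so one sentence of rationale would help.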
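Review bot: In the second hunk, on the if (!elem) error path, bpf_enable_instrumentation() is paired by hand with rcu_read_unlock() before goto free, and the same pairing is repeated at the end of the loop in the third hunk. Every exit taken between the disable and the final enable needs both calls in the same order, and the lines between these two hunks are not shown here, so please confirm there is no other goto or return inside that region. A single exit label that performs rcu_read_unlock() followed by bpf_enable_instrumentation() would make the pairing harder to break in later changes.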