bpf_mem_cache_free_rcu() may be called in preemptible context, which will
trigger the warning message below:

BUG: using smp_processor_id() in preemptible [00000000] code: syz.0.17/5820
caller is bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
Call Trace:
 check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
 bpf_mem_cache_free_rcu+0x48/0xc0 kernel/bpf/memalloc.c:954
 rhtab_delete_elem+0x185a/0x1b30 kernel/bpf/hashtab.c:2969
 __rhtab_map_lookup_and_delete_batch+0x935/0xcb0 kernel/bpf/hashtab.c:3349
 bpf_map_do_batch+0x445/0x630 kernel/bpf/syscall.c:-1
 __sys_bpf+0x906/0xd90 kernel/bpf/syscall.c:-1

this_cpu_ptr() calls smp_processor_id() in a preemptible context.
Fix by using per_cpu_ptr() with raw_smp_processor_id() instead.

Fixes: 5af6807bdb10 ("bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu().")
Reported-by: syzbot+fd7e415d891073b83e1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fd7e415d891073b83e1f
Signed-off-by: Edward Adam Davis
---
 kernel/bpf/memalloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/memalloc.c b/kernel/bpf/memalloc.c index bd45dda9dc35..151d9c8183bc 100644 --- a/kernel/bpf/memalloc.c +++ b/kernel/bpf/memalloc.c @@ -957,7 +957,7 @@ void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr) if (!ptr) return; - unit_free_rcu(this_cpu_ptr(ma->cache), ptr); + unit_free_rcu(per_cpu_ptr(ma->cache, raw_smp_processor_id()), ptr); } /* Directly does a kfree() without putting 'ptr' back to the free_llist -- 2.43.0
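Review bot: In bpf_mem_cache_free_rcu(), the new per_cpu_ptr(ma->cache, raw_smp_processor_id()) call silences the smp_processor_id() debug check but leaves the underlying condition in place: the caller is still preemptible, so the task can migrate after the CPU id is read and unit_free_rcu() may then run against another CPU's cache while that CPU is using it. Nothing in the hunk or the commit message says why that is safe. Either state in the commit message (and in a comment above the call) what makes unit_free_rcu() safe against a concurrent user of the same per-CPU cache, or keep this_cpu_ptr() and make the path non-preemptible or non-migratable, for example by fixing the rhtab_delete_elem() caller shown in the trace so that it reaches this function with migration disabled.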