bpf: Fix NULL deref in __list_del_clearprev for flush_node

DLpang · Kernel Patches Daemon · commit 514c41ac83e3 · 2025-12-15T19:53:59.000-08:00
#syz test Hi, This patch fixes a NULL pointer dereference in the BPF subsystem that occurs when __list_del_clearprev() is called on an already-cleared flush_node list_head. The fix includes two parts: 1. Properly initialize the flush_node list_head during per-CPU bulk queue allocation using INIT_LIST_HEAD(&bq->flush_node) 2. Add defensive checks before calling __list_del_clearprev() to ensure the node is actually in the list by checking if (bq->flush_node.prev) According to the __list_del_clearprev documentation in include/linux/list.h, 'The code that uses this needs to check the node 'prev' pointer instead of calling list_empty()'. This patch fixes the following syzbot-reported issue: https://syzkaller.appspot.com/bug?extid=2b3391f44313b3983e91 Reported-by: syzbot+2b3391f44313b3983e91@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2b3391f44313b3983e91 Signed-off-by: DLpang <donglaipang@126.com> Reported-by: syzbot+2b3391f44313b3983e91@syzkaller.appspotmail.com Tested-by: syzbot+2b3391f44313b3983e91@syzkaller.appspotmail.com
diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c
@@ -450,6 +450,7 @@ __cpu_map_entry_alloc(struct bpf_map *map, struct bpf_cpumap_val *value,
 
 	for_each_possible_cpu(i) {
 		bq = per_cpu_ptr(rcpu->bulkq, i);
+		INIT_LIST_HEAD(&bq->flush_node);
 		bq->obj = rcpu;
 	}
 
@@ -742,7 +743,8 @@ static void bq_flush_to_queue(struct xdp_bulk_queue *bq)
 	bq->count = 0;
 	spin_unlock(&q->producer_lock);
 
-	__list_del_clearprev(&bq->flush_node);
+	if (bq->flush_node.prev)
+		__list_del_clearprev(&bq->flush_node);
 
 	/* Feedback loop via tracepoints */
 	trace_xdp_cpumap_enqueue(rcpu->map_id, processed, drops, to_cpu);
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
@@ -428,7 +428,8 @@ void __dev_flush(struct list_head *flush_list)
 		bq_xmit_all(bq, XDP_XMIT_FLUSH);
 		bq->dev_rx = NULL;
 		bq->xdp_prog = NULL;
-		__list_del_clearprev(&bq->flush_node);
+		if (bq->flush_node.prev)
+			__list_del_clearprev(&bq->flush_node);
 	}
 }
 
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
@@ -406,7 +406,8 @@ void __xsk_map_flush(struct list_head *flush_list)
 
 	list_for_each_entry_safe(xs, tmp, flush_list, flush_node) {
 		xsk_flush(xs);
-		__list_del_clearprev(&xs->flush_node);
+		if (xs->flush_node.prev)
+			__list_del_clearprev(&xs->flush_node);
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -428,7 +428,8 @@ void __dev_flush(struct list_head *flush_list)`
`428`	`428`	`bq_xmit_all(bq, XDP_XMIT_FLUSH);`
`429`	`429`	`bq->dev_rx = NULL;`
`430`	`430`	`bq->xdp_prog = NULL;`
`431`		`- __list_del_clearprev(&bq->flush_node);`
	`431`	`+ if (bq->flush_node.prev)`
	`432`	`+ __list_del_clearprev(&bq->flush_node);`
`432`	`433`	`}`
`433`	`434`	`}`
`434`	`435`
Original file line number	Diff line number	Diff line change
`@@ -406,7 +406,8 @@ void __xsk_map_flush(struct list_head *flush_list)`
`406`	`406`
`407`	`407`	`list_for_each_entry_safe(xs, tmp, flush_list, flush_node) {`
`408`	`408`	`xsk_flush(xs);`
`409`		`- __list_del_clearprev(&xs->flush_node);`
	`409`	`+ if (xs->flush_node.prev)`
	`410`	`+ __list_del_clearprev(&xs->flush_node);`
`410`	`411`	`}`
`411`	`412`	`}`
`412`	`413`