syzbot
| ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error |
|---|---|---|---|---|---|---|---|---|---|
| 1fc03653-f781-4f9b-88b9-0764266a73d2 | repro | ❓ | KCSAN: data-race in __dentry_kill / __dentry_kill (7) | 2026/03/07 03:29 | 2026/03/07 03:29 | 2026/03/07 03:37 | 31e9c887f7dc24e04b3ca70d0d54fc34141844b0 |
```
{ "procs": 8, "repeat": true, "threaded": true, "collide": true }
```

```
r0 = syz_clone(0x10f00)
r1 = syz_clone(0x10f00)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/task\x00', 0x0, 0x0)
getdents64(r2, &(0x7f0000000100), 0x2000)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/stat\x00', 0x0, 0x0)
exit_group(0x0)
```
31e9c887f7dc24e04b3ca70d0d54fc34141844b0
```
kexec: Could not allocate control_code_buffer
==================================================================
BUG: KCSAN: data-race in __dentry_kill / __dentry_kill

write to 0xffff88811aea6e40 of 4 bytes by task 3310 on cpu 1:
 d_lru_del fs/dcache.c:504 [inline]
 __dentry_kill+0xa8/0x460 fs/dcache.c:665
 finish_dput+0x2b/0x200 fs/dcache.c:879
 dput+0x52/0x60 fs/dcache.c:928
 proc_invalidate_siblings_dcache+0x1d0/0x2b0 fs/proc/inode.c:143
 proc_flush_pid+0x1d/0x30 fs/proc/base.c:3481
 release_task+0x988/0xb60 kernel/exit.c:291
 wait_task_zombie kernel/exit.c:1280 [inline]
 wait_consider_task+0x1160/0x1670 kernel/exit.c:1507
 do_wait_thread kernel/exit.c:1570 [inline]
 __do_wait+0xf9/0x510 kernel/exit.c:1688
 do_wait+0xb6/0x260 kernel/exit.c:1722
 kernel_wait4+0x19f/0x210 kernel/exit.c:1881
 __do_sys_wait4 kernel/exit.c:1909 [inline]
 __se_sys_wait4 kernel/exit.c:1905 [inline]
 __x64_sys_wait4+0x91/0x120 kernel/exit.c:1905
 x64_sys_call+0x2aee/0x3020 arch/x86/include/generated/asm/syscalls_64.h:62
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88811aea6e40 of 4 bytes by task 6340 on cpu 0:
 dentry_unlist fs/dcache.c:640 [inline]
 __dentry_kill+0x25c/0x460 fs/dcache.c:684
 finish_dput+0x2b/0x200 fs/dcache.c:879
 dput+0x52/0x60 fs/dcache.c:928
 proc_invalidate_siblings_dcache+0x1d0/0x2b0 fs/proc/inode.c:143
 proc_flush_pid+0x1d/0x30 fs/proc/base.c:3481
 release_task+0x988/0xb60 kernel/exit.c:291
 exit_notify kernel/exit.c:777 [inline]
 do_exit+0xda4/0x1600 kernel/exit.c:988
 do_group_exit+0xfe/0x140 kernel/exit.c:1118
 get_signal+0xe54/0xf60 kernel/signal.c:3034
 arch_do_signal_or_restart+0x96/0x450 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x6a/0x6f0 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x249/0x370 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x0014000c -> 0x0000000c

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 6340 Comm: syz.1.16064 Tainted: G W syzkaller #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
==================================================================
```
| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/03/07 03:29 | flow | repro |
7m Results: map[ReproOpts:{ "procs": 8, "repeat": true, "threaded": true, "collide": true } ReproSyz:
r0 = syz_clone(0x10f00)
r1 = syz_clone(0x10f00)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/task\x00', 0x0, 0x0)
getdents64(r2, &(0x7f0000000100), 0x2000)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/stat\x00', 0x0, 0x0)
exit_group(0x0)
SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0] |
| 1/1 | 2026/03/07 03:29 | action | provide-var |
0m Results: map[DescriptionFiles:[...] SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0] |
| 2/1 | 2026/03/07 03:29 | action | kernel-checkouter |
0m Results: map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/ec9e25b392423d2a117ee1d291abb801b14e649f] |
| 3/1 | 2026/03/07 03:29 | action | kernel-builder |
3m Results: map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/0fc06b791fdc481cc2c430878c0d2566cf03f0d3] |
| 4/1 | 2026/03/07 03:33 | agent | crash-repro-finder |
3m Model: gemini-3-pro-preview
Results: map[ReproOpts:{ "procs": 8, "repeat": true, "threaded": true, "collide": true }]

Instruction: You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug. Print only the syz program that could be executed directly, without backticks. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool.

Prompt:
Bug Title: KCSAN: data-race in __dentry_kill / __dentry_kill

Original Crash Report:
```
kexec: Could not allocate control_code_buffer
==================================================================
BUG: KCSAN: data-race in __dentry_kill / __dentry_kill

write to 0xffff88811aea6e40 of 4 bytes by task 3310 on cpu 1:
 d_lru_del fs/dcache.c:504 [inline]
 __dentry_kill+0xa8/0x460 fs/dcache.c:665
 finish_dput+0x2b/0x200 fs/dcache.c:879
 dput+0x52/0x60 fs/dcache.c:928
 proc_invalidate_siblings_dcache+0x1d0/0x2b0 fs/proc/inode.c:143
 proc_flush_pid+0x1d/0x30 fs/proc/base.c:3481
 release_task+0x988/0xb60 kernel/exit.c:291
 wait_task_zombie kernel/exit.c:1280 [inline]
 wait_consider_task+0x1160/0x1670 kernel/exit.c:1507
 do_wait_thread kernel/exit.c:1570 [inline]
 __do_wait+0xf9/0x510 kernel/exit.c:1688
 do_wait+0xb6/0x260 kernel/exit.c:1722
 kernel_wait4+0x19f/0x210 kernel/exit.c:1881
 __do_sys_wait4 kernel/exit.c:1909 [inline]
 __se_sys_wait4 kernel/exit.c:1905 [inline]
 __x64_sys_wait4+0x91/0x120 kernel/exit.c:1905
 x64_sys_call+0x2aee/0x3020 arch/x86/include/generated/asm/syscalls_64.h:62
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88811aea6e40 of 4 bytes by task 6340 on cpu 0:
 dentry_unlist fs/dcache.c:640 [inline]
 __dentry_kill+0x25c/0x460 fs/dcache.c:684
 finish_dput+0x2b/0x200 fs/dcache.c:879
 dput+0x52/0x60 fs/dcache.c:928
 proc_invalidate_siblings_dcache+0x1d0/0x2b0 fs/proc/inode.c:143
 proc_flush_pid+0x1d/0x30 fs/proc/base.c:3481
 release_task+0x988/0xb60 kernel/exit.c:291
 exit_notify kernel/exit.c:777 [inline]
 do_exit+0xda4/0x1600 kernel/exit.c:988
 do_group_exit+0xfe/0x140 kernel/exit.c:1118
 get_signal+0xe54/0xf60 kernel/signal.c:3034
 arch_do_signal_or_restart+0x96/0x450 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x6a/0x6f0 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x249/0x370 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x0014000c -> 0x0000000c

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 6340 Comm: syz.1.16064 Tainted: G W syzkaller #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
==================================================================
```

The list of existing description files:

Reply:
```
r0 = syz_clone(0x10f00)
r1 = syz_clone(0x10f00)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/task\x00', 0x0, 0x0)
getdents64(r2, &(0x7f0000000100), 0x2000)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/stat\x00', 0x0, 0x0)
exit_group(0x0)
```
|
| 5/2 | 2026/03/07 03:33 | llm | crash-repro-finder |
3m Model: gemini-3-pro-preview
Tokens: input: 3153 output: 40 thoughts: 22215

Thoughts:
**Analysis and Syzkaller Program for Data Race in `__dentry_kill`**
Alright, based on the crash report, I believe I've pinpointed a data race within `__dentry_kill`, specifically involving the interaction of `d_lru_del` (a write) and `dentry_unlist` (a read). The crash report suggests two tasks, likely stemming from concurrent process exits or reaps, are stepping on each other in this function, leading to a memory corruption due to a faulty refcount or improper locking of a `dentry`.
The core issue seems to be the process of cleaning up `/proc` entries related to exiting or reaped processes, especially when dealing with threads. Specifically, the race involves a `dentry` related to a PID, and the crash report is indicating a potential race in `/proc/<pid>/task` directories, which is happening due to two tasks calling `proc_flush_pid`.
One key part is when a thread exits via `exit_notify` and `release_task` calls `proc_flush_pid`, and another process (or the same process, another thread) calls `wait4` on a thread, which will also lead to `release_task` being called; in this process, `proc_flush_pid` is then called.
In order to trigger this, I've constructed a scenario where a parent process creates multiple threads using `syz_clone`, then accesses relevant `/proc` entries to populate the dcache with those dentries. Then, to trigger the race condition, the threads and the parent process need to terminate concurrently, so the executor process waits for the parent and all threads are autorespawned by the executor process.
Therefore, the following syzkaller program should expose the race:
```
r0 = syz_clone(0x10f00)
r1 = syz_clone(0x10f00)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/task\x00', 0x0, 0x0)
getdents64(r2, &(0x7f0000000100), 0x2000)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/stat\x00', 0x0, 0x0)
exit_group(0x0)
```
And these repro options should help: `{ "procs": 8, "repeat": true, "threaded": true, "collide": true }`
The key points are:
* The usage of `syz_clone` with `CLONE_THREAD` and a series of syz calls to populate the dcache will help us to expose this race.
* Making the threads exit at approximately the same time as the executor process.
* Calling `exit_group` which kills every thread.
By running this program repeatedly with sufficient concurrency and contention, the data race in `__dentry_kill` is expected to manifest, providing a reproducible trigger for the identified issue.
|
| 6/2 | 2026/03/07 03:37 | tool | set-results |
0m Args: map[ReproOpts:{ "procs": 8, "repeat": true, "threaded": true, "collide": true }] Results: map[ReproOpts:{ "procs": 8, "repeat": true, "threaded": true, "collide": true }] |
| 7/2 | 2026/03/07 03:37 | llm | crash-repro-finder |
0m Model: gemini-3-pro-preview Tokens: input: 26151 output: 180 thoughts: 0 |