syzbot

ID	Workflow	Result	Correct	Bug	Created	Started	Finished	Revision	Error
d5fc201b-2ef9-40b5-bd2c-eac20e2901b1	repro		❓	KCSAN: data-race in kick_pool / wq_worker_running	2026/03/07 08:34	2026/03/07 08:34	2026/03/07 08:37	31e9c887f7dc24e04b3ca70d0d54fc34141844b0

repro

❓

KCSAN: data-race in kick_pool / wq_worker_running

2026/03/07 08:34

2026/03/07 08:37

31e9c887f7dc24e04b3ca70d0d54fc34141844b0

r0 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/sys/bus/netdevsim/new_device\x00', 0x2, 0x0) write(r0, &(0x7f0000000040)='10 1', 0x4) r1 = socket(0x10, 0x3, 0x0) sendmsg$create_wg(r1, &(0x7f0000000100)={0x0, 0x0, {&(0x7f0000000120)={&(0x7f0000000140)={0x3c, 0x10, 0x605, 0x0, 0x0}, 0x3c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) r2 = socket(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id(&(0x7f0000000200)='wireguard\x00', 0xffffffffffffffff) sendmsg$conf_wg(r2, &(0x7f0000001000)={0x0, 0x0, {&(0x7f0000001020)={&(0x7f0000001040)={0x90, r3, 0x1, 0x0, 0x0, "\x00\x01\x00\x00\x08\x00\x01\x00wg0\x00\x24\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x4c\x00\x07\x00\x48\x00\x00\x00\x24\x00\x01\x00\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\x20\x00\x09\x00\x1c\x00\x00\x00\x06\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\xc0\xa8\x00\x02\x05\x00\x03\x00\x20\x00\x00\x00"}, 0x90}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendmsg$up(r1, &(0x7f0000000400)={0x0, 0x0, {&(0x7f0000000420)={&(0x7f0000000440)={0x20, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x1, 0x1000, 0x0, 0x0, {{0x8, 0x3, "wg0\x00"}}}}, 0x20}}, 0x1, 0x0, 0x0, 0x0}, 0x0) r4 = socket(0x2, 0x2, 0x0) ioctl$set_addr(r4, 0x8916, &(0x7f0000000500)={'wg0\x00', {0x2, 0x0, 0x0, @local={192, 168, 0, 1}}}) ioctl$get_ifindex(r4, 0x8933, &(0x7f0000000600)={'wg0\x00'}) r5 = *(0x7f0000000610) sendmsg$route1(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr1={10, 0, 0, 1}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) sendmsg$route2(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr2={10, 0, 0, 2}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) sendmsg$route3(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr3={10, 0, 0, 3}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) sendmsg$route4(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr4={10, 0, 0, 4}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)

================================================================== BUG: KCSAN: data-race in kick_pool / wq_worker_running read-write to 0xffff888237c2a8a4 of 4 bytes by task 3490 on cpu 0: wq_worker_running+0x95/0x120 kernel/workqueue.c:1419 schedule_timeout+0xca/0x180 kernel/time/sleep_timeout.c:99 schedule_timeout_uninterruptible kernel/time/sleep_timeout.c:158 [inline] msleep+0x4f/0x90 kernel/time/sleep_timeout.c:318 nsim_fib4_rt_add drivers/net/netdevsim/fib.c:369 [inline] nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:432 [inline] nsim_fib4_event drivers/net/netdevsim/fib.c:464 [inline] nsim_fib_event+0x3e32/0x4d70 drivers/net/netdevsim/fib.c:884 nsim_fib_event_work+0x13d/0x210 drivers/net/netdevsim/fib.c:1493 process_one_work kernel/workqueue.c:3275 [inline] process_scheduled_works+0x4de/0x9e0 kernel/workqueue.c:3358 worker_thread+0x581/0x770 kernel/workqueue.c:3439 kthread+0x22a/0x280 kernel/kthread.c:436 ret_from_fork+0x150/0x360 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 read to 0xffff888237c2a8a4 of 4 bytes by task 23 on cpu 1: need_more_worker kernel/workqueue.c:937 [inline] kick_pool+0x49/0x2d0 kernel/workqueue.c:1259 __queue_work+0x896/0xaf0 kernel/workqueue.c:2355 queue_work_on+0xa9/0x140 kernel/workqueue.c:2405 wg_queue_enqueue_per_peer_tx drivers/net/wireguard/queueing.h:183 [inline] wg_packet_encrypt_worker+0xbdd/0xde0 drivers/net/wireguard/send.c:305 process_one_work kernel/workqueue.c:3275 [inline] process_scheduled_works+0x4de/0x9e0 kernel/workqueue.c:3358 worker_thread+0x581/0x770 kernel/workqueue.c:3439 kthread+0x22a/0x280 kernel/kthread.c:436 ret_from_fork+0x150/0x360 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 value changed: 0x00000000 -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 1 UID: 0 PID: 23 Comm: kworker/1:0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Workqueue: wg-crypt-wg0 wg_packet_encrypt_worker ==================================================================

Trajectory:
Seq	Timestamp	Type	Name	Duration
0/0	2026/03/07 08:34	flow	repro	3m Results: map[ReproOpts:threaded=true ReproSyz:r0 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/sys/bus/netdevsim/new_device\x00', 0x2, 0x0) write(r0, &(0x7f0000000040)='10 1', 0x4) r1 = socket(0x10, 0x3, 0x0) sendmsg$create_wg(r1, &(0x7f0000000100)={0x0, 0x0, {&(0x7f0000000120)={&(0x7f0000000140)={0x3c, 0x10, 0x605, 0x0, 0x0}, 0x3c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) r2 = socket(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id(&(0x7f0000000200)='wireguard\x00', 0xffffffffffffffff) sendmsg$conf_wg(r2, &(0x7f0000001000)={0x0, 0x0, {&(0x7f0000001020)={&(0x7f0000001040)={0x90, r3, 0x1, 0x0, 0x0, "\x00\x01\x00\x00\x08\x00\x01\x00wg0\x00\x24\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x4c\x00\x07\x00\x48\x00\x00\x00\x24\x00\x01\x00\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\x20\x00\x09\x00\x1c\x00\x00\x00\x06\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\xc0\xa8\x00\x02\x05\x00\x03\x00\x20\x00\x00\x00"}, 0x90}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendmsg$up(r1, &(0x7f0000000400)={0x0, 0x0, {&(0x7f0000000420)={&(0x7f0000000440)={0x20, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x1, 0x1000, 0x0, 0x0, {{0x8, 0x3, "wg0\x00"}}}}, 0x20}}, 0x1, 0x0, 0x0, 0x0}, 0x0) r4 = socket(0x2, 0x2, 0x0) ioctl$set_addr(r4, 0x8916, &(0x7f0000000500)={'wg0\x00', {0x2, 0x0, 0x0, @local={192, 168, 0, 1}}}) ioctl$get_ifindex(r4, 0x8933, &(0x7f0000000600)={'wg0\x00'}) r5 = *(0x7f0000000610) sendmsg$route1(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr1={10, 0, 0, 1}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) sendmsg$route2(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr2={10, 0, 0, 2}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) sendmsg$route3(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr3={10, 0, 0, 3}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) sendmsg$route4(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr4={10, 0, 0, 4}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]
1/1	2026/03/07 08:34	action	provide-var	0m Results: map[DescriptionFiles:[acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt] SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]
2/1	2026/03/07 08:34	action	kernel-checkouter	0m Results: map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/ec9e25b392423d2a117ee1d291abb801b14e649f]
3/1	2026/03/07 08:34	action	kernel-builder	0m Results: map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/0fc06b791fdc481cc2c430878c0d2566cf03f0d3]
4/1	2026/03/07 08:34	agent	crash-repro-finder	3m Model: gemini-3-pro-preview Results: map[ReproOpts:threaded=true] Instruction: You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug. Print only the syz program that could be executed directly, without backticks. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: Bug Title: KCSAN: data-race in kick_pool / wq_worker_running Original Crash Report: ================================================================== BUG: KCSAN: data-race in kick_pool / wq_worker_running read-write to 0xffff888237c2a8a4 of 4 bytes by task 3490 on cpu 0: wq_worker_running+0x95/0x120 kernel/workqueue.c:1419 schedule_timeout+0xca/0x180 kernel/time/sleep_timeout.c:99 schedule_timeout_uninterruptible kernel/time/sleep_timeout.c:158 [inline] msleep+0x4f/0x90 kernel/time/sleep_timeout.c:318 nsim_fib4_rt_add drivers/net/netdevsim/fib.c:369 [inline] nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:432 [inline] nsim_fib4_event drivers/net/netdevsim/fib.c:464 [inline] nsim_fib_event+0x3e32/0x4d70 drivers/net/netdevsim/fib.c:884 nsim_fib_event_work+0x13d/0x210 drivers/net/netdevsim/fib.c:1493 process_one_work kernel/workqueue.c:3275 [inline] process_scheduled_works+0x4de/0x9e0 kernel/workqueue.c:3358 worker_thread+0x581/0x770 kernel/workqueue.c:3439 kthread+0x22a/0x280 kernel/kthread.c:436 ret_from_fork+0x150/0x360 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 read to 0xffff888237c2a8a4 of 4 bytes by task 23 on cpu 1: need_more_worker kernel/workqueue.c:937 [inline] kick_pool+0x49/0x2d0 kernel/workqueue.c:1259 __queue_work+0x896/0xaf0 kernel/workqueue.c:2355 queue_work_on+0xa9/0x140 kernel/workqueue.c:2405 wg_queue_enqueue_per_peer_tx drivers/net/wireguard/queueing.h:183 [inline] wg_packet_encrypt_worker+0xbdd/0xde0 drivers/net/wireguard/send.c:305 process_one_work kernel/workqueue.c:3275 [inline] process_scheduled_works+0x4de/0x9e0 kernel/workqueue.c:3358 worker_thread+0x581/0x770 kernel/workqueue.c:3439 kthread+0x22a/0x280 kernel/kthread.c:436 ret_from_fork+0x150/0x360 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 value changed: 0x00000000 -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 1 UID: 0 PID: 23 Comm: kworker/1:0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Workqueue: wg-crypt-wg0 wg_packet_encrypt_worker ================================================================== The list of existing description files: acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt Reply: r0 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/sys/bus/netdevsim/new_device\x00', 0x2, 0x0) write(r0, &(0x7f0000000040)='10 1', 0x4) r1 = socket(0x10, 0x3, 0x0) sendmsg$create_wg(r1, &(0x7f0000000100)={0x0, 0x0, {&(0x7f0000000120)={&(0x7f0000000140)={0x3c, 0x10, 0x605, 0x0, 0x0}, 0x3c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) r2 = socket(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id(&(0x7f0000000200)='wireguard\x00', 0xffffffffffffffff) sendmsg$conf_wg(r2, &(0x7f0000001000)={0x0, 0x0, {&(0x7f0000001020)={&(0x7f0000001040)={0x90, r3, 0x1, 0x0, 0x0, "\x00\x01\x00\x00\x08\x00\x01\x00wg0\x00\x24\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x4c\x00\x07\x00\x48\x00\x00\x00\x24\x00\x01\x00\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\x20\x00\x09\x00\x1c\x00\x00\x00\x06\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\xc0\xa8\x00\x02\x05\x00\x03\x00\x20\x00\x00\x00"}, 0x90}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendmsg$up(r1, &(0x7f0000000400)={0x0, 0x0, {&(0x7f0000000420)={&(0x7f0000000440)={0x20, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x1, 0x1000, 0x0, 0x0, {{0x8, 0x3, "wg0\x00"}}}}, 0x20}}, 0x1, 0x0, 0x0, 0x0}, 0x0) r4 = socket(0x2, 0x2, 0x0) ioctl$set_addr(r4, 0x8916, &(0x7f0000000500)={'wg0\x00', {0x2, 0x0, 0x0, @local={192, 168, 0, 1}}}) ioctl$get_ifindex(r4, 0x8933, &(0x7f0000000600)={'wg0\x00'}) r5 = *(0x7f0000000610) sendmsg$route1(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr1={10, 0, 0, 1}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) sendmsg$route2(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr2={10, 0, 0, 2}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) sendmsg$route3(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr3={10, 0, 0, 3}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10) sendmsg$route4(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr4={10, 0, 0, 4}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0) sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)
5/2	2026/03/07 08:34	llm	crash-repro-finder	2m Model: gemini-3-pro-preview Tokens: input: 2862 output: 20 thoughts: 20235 Thoughts: Reproducing the KCSAN Data Race in `kick_pool` / `wq_worker_running` Alright, let's break this down. The target is a nasty data race between `kick_pool` (which is writing) and `wq_worker_running` (which is reading), likely triggered by the interaction between `netdevsim` and `wireguard` drivers. My strategy will be to create a syzkaller program that consistently throws these guys together in a way that tickles this race condition. First, the crash report tells us it's FIB-related in the `netdevsim` context, especially around route additions and workqueue operations. On the `wireguard` side, we’re looking at outgoing packet processing and also the workqueue. So, I need to force them to interact. Essentially, I need the `netdevsim` part, which involves FIB events (specifically route adds, which then leads to calls like `nsim_fib_event_work` that might go to sleep in `msleep`, that calls `wq_worker_running`), to coincide exactly with `wireguard`’s packet processing, specifically sending packets which results in calling `kick_pool`. Now, the syzkaller setup: 1. Netdevsim: Ideally, I'd want to create a `netdevsim` device and feed it route adds (like adding IPv4 routes) via Netlink. Syzkaller might auto-initialize, or I might need to explicitly `open` and write to `/sys/bus/netdevsim/new_device`. I need to ensure that when I add routes, they go through `netdevsim` and therefore the `nsim_fib_event_work` workqueue is triggered (as part of the FIB notification). It's essentially the trigger for the data race by causing the `msleep`. If I can't create `netdevsim`, then I will try to use the approach of spamming route additions, because it seems likely the code path is still exercised with a default configuration with a running `netdevsim` instance. 2. Wireguard: I have to create a WireGuard interface, configure it (private key, peer, allowed IPs), bring it up, and then pump traffic through it. This part is crucial because the race involves `kick_pool`, and that is invoked by the `wireguard` code. Sending packets through the WG interface triggers the encryption path (`wg_packet_encrypt_worker`), which calls `kick_pool`. I will use Netlink for all of this, using the appropriate family and commands. I need to make sure the target has a valid peer configured (and the peer's allowed IPs). 3. The Race: The core of the reproduction is running these two operations concurrently. I'm going to set up two loops: one adding routes repeatedly (triggering the `netdevsim` side, with sleeps) and another sending UDP packets through WireGuard (the `kick_pool` side), hopefully, at just the right timing. I'm thinking that I should use `sendto` calls and `RTM_NEWROUTE`. With syzkaller, I will need to construct netlink messages, which is tedious with raw bytes. I can use the provided description files (e.g., `socket_netlink_generic_wireguard.txt`) to build the necessary structs as cleanly as possible when constructing the WireGuard configuration. The most important points of the syzkaller code are: * Initialization of `netdevsim` (best effort). * Initialization of `wireguard` with valid config (including private key and peer with allowed IPs). * Add IP addresses, bring the interface `UP`. * A loop, where Thread 1 adds random routes or triggers `nsim_fib_event_work` workqueue, and Thread 2 sends UDP packets. In the end, I need to create a small, self-contained syzkaller program that has the minimal code to trigger this race in a reproducible way. And I hope to do so by maximizing concurrency between these workqueues.
6/2	2026/03/07 08:37	tool	set-results	0m Args: map[ReproOpts:threaded=true] Results: map[ReproOpts:threaded=true]
7/2	2026/03/07 08:37	llm	crash-repro-finder	0m Model: gemini-3-pro-preview Tokens: input: 24025 output: 2499 thoughts: 0

Trajectory:

Seq

Timestamp

Type

Name

Duration

0/0

2026/03/07 08:34

flow

repro

Results:

map[ReproOpts:threaded=true ReproSyz:r0 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/sys/bus/netdevsim/new_device\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='10 1', 0x4)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$create_wg(r1, &(0x7f0000000100)={0x0, 0x0, {&(0x7f0000000120)={&(0x7f0000000140)={0x3c, 0x10, 0x605, 0x0, 0x0}, 0x3c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
r2 = socket(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id(&(0x7f0000000200)='wireguard\x00', 0xffffffffffffffff)
sendmsg$conf_wg(r2, &(0x7f0000001000)={0x0, 0x0, {&(0x7f0000001020)={&(0x7f0000001040)={0x90, r3, 0x1, 0x0, 0x0, "\x00\x01\x00\x00\x08\x00\x01\x00wg0\x00\x24\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x4c\x00\x07\x00\x48\x00\x00\x00\x24\x00\x01\x00\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\x20\x00\x09\x00\x1c\x00\x00\x00\x06\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\xc0\xa8\x00\x02\x05\x00\x03\x00\x20\x00\x00\x00"}, 0x90}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendmsg$up(r1, &(0x7f0000000400)={0x0, 0x0, {&(0x7f0000000420)={&(0x7f0000000440)={0x20, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x1, 0x1000, 0x0, 0x0, {{0x8, 0x3, "wg0\x00"}}}}, 0x20}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
r4 = socket(0x2, 0x2, 0x0)
ioctl$set_addr(r4, 0x8916, &(0x7f0000000500)={'wg0\x00', {0x2, 0x0, 0x0, @local={192, 168, 0, 1}}})
ioctl$get_ifindex(r4, 0x8933, &(0x7f0000000600)={'wg0\x00'})
r5 = *(0x7f0000000610)
sendmsg$route1(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr1={10, 0, 0, 1}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)
sendmsg$route2(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr2={10, 0, 0, 2}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)
sendmsg$route3(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr3={10, 0, 0, 3}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)
sendmsg$route4(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr4={10, 0, 0, 4}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)
 SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]

1/1

2026/03/07 08:34

action

provide-var

Results:

map[DescriptionFiles:[acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt] SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]

2/1

2026/03/07 08:34

action

kernel-checkouter

Results:

map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/ec9e25b392423d2a117ee1d291abb801b14e649f]

3/1

2026/03/07 08:34

action

kernel-builder

Results:

map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/0fc06b791fdc481cc2c430878c0d2566cf03f0d3]

4/1

2026/03/07 08:34

agent

crash-repro-finder

Model:

gemini-3-pro-preview

Results:

map[ReproOpts:threaded=true]

Instruction:

You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug.
Print only the syz program that could be executed directly, without backticks.




Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

Prompt:

Bug Title: KCSAN: data-race in kick_pool / wq_worker_running

Original Crash Report:
==================================================================
BUG: KCSAN: data-race in kick_pool / wq_worker_running

read-write to 0xffff888237c2a8a4 of 4 bytes by task 3490 on cpu 0:
 wq_worker_running+0x95/0x120 kernel/workqueue.c:1419
 schedule_timeout+0xca/0x180 kernel/time/sleep_timeout.c:99
 schedule_timeout_uninterruptible kernel/time/sleep_timeout.c:158 [inline]
 msleep+0x4f/0x90 kernel/time/sleep_timeout.c:318
 nsim_fib4_rt_add drivers/net/netdevsim/fib.c:369 [inline]
 nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:432 [inline]
 nsim_fib4_event drivers/net/netdevsim/fib.c:464 [inline]
 nsim_fib_event+0x3e32/0x4d70 drivers/net/netdevsim/fib.c:884
 nsim_fib_event_work+0x13d/0x210 drivers/net/netdevsim/fib.c:1493
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0x4de/0x9e0 kernel/workqueue.c:3358
 worker_thread+0x581/0x770 kernel/workqueue.c:3439
 kthread+0x22a/0x280 kernel/kthread.c:436
 ret_from_fork+0x150/0x360 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

read to 0xffff888237c2a8a4 of 4 bytes by task 23 on cpu 1:
 need_more_worker kernel/workqueue.c:937 [inline]
 kick_pool+0x49/0x2d0 kernel/workqueue.c:1259
 __queue_work+0x896/0xaf0 kernel/workqueue.c:2355
 queue_work_on+0xa9/0x140 kernel/workqueue.c:2405
 wg_queue_enqueue_per_peer_tx drivers/net/wireguard/queueing.h:183 [inline]
 wg_packet_encrypt_worker+0xbdd/0xde0 drivers/net/wireguard/send.c:305
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0x4de/0x9e0 kernel/workqueue.c:3358
 worker_thread+0x581/0x770 kernel/workqueue.c:3439
 kthread+0x22a/0x280 kernel/kthread.c:436
 ret_from_fork+0x150/0x360 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

value changed: 0x00000000 -> 0x00000001

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 23 Comm: kworker/1:0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: wg-crypt-wg0 wg_packet_encrypt_worker
==================================================================


The list of existing description files:
acpi_thermal_rel.txt
aio.txt
auto.txt
binfmt.txt
bpf.txt
bpf_prog.txt
bpf_trace.txt
cgroup.txt
damon.txt
dev_ashmem.txt
dev_bifrost.txt
dev_binder.txt
dev_binderfs.txt
dev_block.txt
dev_bsg.txt
dev_bus_usb.txt
dev_camx.txt
dev_cdrom.txt
dev_cec.txt
dev_char_usb.txt
dev_comedi.txt
dev_dma_heap.txt
dev_dri.txt
dev_dsp.txt
dev_dvb_demux.txt
dev_dvb_dvr.txt
dev_dvb_frontend.txt
dev_fb.txt
dev_floppy.txt
dev_hidraw.txt
dev_i2c.txt
dev_i915.txt
dev_img_rogue.txt
dev_infiniband_rdma.txt
dev_infiniband_rdma_cm.txt
dev_input.txt
dev_iommu.txt
dev_kvm.txt
dev_kvm_amd64.txt
dev_kvm_arm64.txt
dev_kvm_extra.txt
dev_kvm_riscv64.txt
dev_loop.txt
dev_mali.txt
dev_media.txt
dev_msm.txt
dev_msr.txt
dev_nbd.txt
dev_net_tun.txt
dev_panthor.txt
dev_ppp.txt
dev_ptmx.txt
dev_ptp.txt
dev_qat_adf_ctl.txt
dev_qrtr_tun.txt
dev_random.txt
dev_rfkill.txt
dev_rtc.txt
dev_sequencer.txt
dev_sg.txt
dev_snapshot.txt
dev_snd_control.txt
dev_snd_hw.txt
dev_snd_midi.txt
dev_snd_pcm.txt
dev_snd_seq.txt
dev_snd_timer.txt
dev_sr.txt
dev_sw_sync.txt
dev_tlk_device.txt
dev_trusty.txt
dev_udmabuf.txt
dev_uhid.txt
dev_uinput.txt
dev_usb_hiddev.txt
dev_usbmon.txt
dev_userio.txt
dev_vfio.txt
dev_vga_arbiter.txt
dev_vhci.txt
dev_video4linux.txt
dev_video4linux_vim2m.txt
dev_virtual_nci.txt
dev_vtpm.txt
fanotify.txt
filesystem.txt
fs_9p.txt
fs_fuse.txt
fs_incfs.txt
fs_ioctl.txt
fs_ioctl_autofs.txt
fs_ioctl_btrfs.txt
fs_ioctl_ext4.txt
fs_ioctl_f2fs.txt
fs_ioctl_fat.txt
fs_ioctl_fscrypt.txt
fs_ioctl_fsverity.txt
fs_ioctl_xfs.txt
futex.txt
hafnium.txt
inotify.txt
io_uring.txt
ipc.txt
key.txt
kfuzztest.txt
l2cap.txt
landlock.txt
lsm.txt
namespaces.txt
net_80211.txt
netfilter.txt
netfilter_arp.txt
netfilter_bridge.txt
netfilter_ipv4.txt
netfilter_ipv6.txt
netfilter_ipvs.txt
netfilter_targets.txt
pagemap_ioctl.txt
perf.txt
prctl.txt
quotactl.txt
seccomp.txt
security_apparmor.txt
security_selinux.txt
security_smack.txt
socket.txt
socket_alg.txt
socket_ax25.txt
socket_bluetooth.txt
socket_caif.txt
socket_can.txt
socket_ieee802154.txt
socket_inet.txt
socket_inet6.txt
socket_inet_dccp.txt
socket_inet_icmp.txt
socket_inet_igmp.txt
socket_inet_l2tp.txt
socket_inet_sctp.txt
socket_inet_tcp.txt
socket_inet_udp.txt
socket_ip_tunnel.txt
socket_isdn.txt
socket_kcm.txt
socket_key.txt
socket_llc.txt
socket_netlink.txt
socket_netlink_audit.txt
socket_netlink_crypto.txt
socket_netlink_generic.txt
socket_netlink_generic_80211.txt
socket_netlink_generic_batadv.txt
socket_netlink_generic_devlink.txt
socket_netlink_generic_ethtool.txt
socket_netlink_generic_fou.txt
socket_netlink_generic_gtp.txt
socket_netlink_generic_mptcp.txt
socket_netlink_generic_net_dm.txt
socket_netlink_generic_netlabel.txt
socket_netlink_generic_nfc.txt
socket_netlink_generic_seg6.txt
socket_netlink_generic_smc.txt
socket_netlink_generic_team.txt
socket_netlink_generic_wireguard.txt
socket_netlink_netfilter.txt
socket_netlink_netfilter_acct.txt
socket_netlink_netfilter_conntrack.txt
socket_netlink_netfilter_conntrack_exp.txt
socket_netlink_netfilter_conntrack_helper.txt
socket_netlink_netfilter_ipset.txt
socket_netlink_netfilter_log.txt
socket_netlink_netfilter_nft_compat.txt
socket_netlink_netfilter_nftables.txt
socket_netlink_netfilter_osf.txt
socket_netlink_netfilter_queue.txt
socket_netlink_netfilter_timeout.txt
socket_netlink_rdma.txt
socket_netlink_route.txt
socket_netlink_route_sched.txt
socket_netlink_route_sched_retired.txt
socket_netlink_sock_diag.txt
socket_netlink_xfrm.txt
socket_netrom.txt
socket_nfc.txt
socket_nvme_of_tcp.txt
socket_packet.txt
socket_phonet.txt
socket_pppox.txt
socket_qipcrtr.txt
socket_rds.txt
socket_rose.txt
socket_rxrpc.txt
socket_tipc.txt
socket_tipc_netlink.txt
socket_unix.txt
socket_vnet.txt
socket_x25.txt
socket_xdp.txt
sys.txt
uffd.txt
usbip.txt
vmw_vmci.txt
vnet.txt
vnet_mptcp.txt
vusb.txt
watch_queue.txt
xattr.txt

Reply:

r0 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/sys/bus/netdevsim/new_device\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='10 1', 0x4)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$create_wg(r1, &(0x7f0000000100)={0x0, 0x0, {&(0x7f0000000120)={&(0x7f0000000140)={0x3c, 0x10, 0x605, 0x0, 0x0}, 0x3c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
r2 = socket(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id(&(0x7f0000000200)='wireguard\x00', 0xffffffffffffffff)
sendmsg$conf_wg(r2, &(0x7f0000001000)={0x0, 0x0, {&(0x7f0000001020)={&(0x7f0000001040)={0x90, r3, 0x1, 0x0, 0x0, "\x00\x01\x00\x00\x08\x00\x01\x00wg0\x00\x24\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x4c\x00\x07\x00\x48\x00\x00\x00\x24\x00\x01\x00\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\x20\x00\x09\x00\x1c\x00\x00\x00\x06\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\xc0\xa8\x00\x02\x05\x00\x03\x00\x20\x00\x00\x00"}, 0x90}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendmsg$up(r1, &(0x7f0000000400)={0x0, 0x0, {&(0x7f0000000420)={&(0x7f0000000440)={0x20, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x1, 0x1000, 0x0, 0x0, {{0x8, 0x3, "wg0\x00"}}}}, 0x20}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
r4 = socket(0x2, 0x2, 0x0)
ioctl$set_addr(r4, 0x8916, &(0x7f0000000500)={'wg0\x00', {0x2, 0x0, 0x0, @local={192, 168, 0, 1}}})
ioctl$get_ifindex(r4, 0x8933, &(0x7f0000000600)={'wg0\x00'})
r5 = *(0x7f0000000610)
sendmsg$route1(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr1={10, 0, 0, 1}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)
sendmsg$route2(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr2={10, 0, 0, 2}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)
sendmsg$route3(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr3={10, 0, 0, 3}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)
sendmsg$route4(r1, &(0x7f0000002000)={0x0, 0x0, {&(0x7f0000002020)={&(0x7f0000002040)={0x2c, 0x18, 0x601, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0xfe, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x1, @addr4={10, 0, 0, 4}}, {0x8, 0x4, r5}}}, 0x2c}}, 0x1, 0x0, 0x0, 0x0}, 0x0)
sendto$udp(r4, &(0x7f0000004000)='ABC', 0x3, 0x0, &(0x7f0000003000)={0x2, 0x0, 0x0, @remote={192, 168, 0, 2}}, 0x10)

5/2

2026/03/07 08:34

llm

crash-repro-finder

Model:

gemini-3-pro-preview

Tokens:

							input: 2862
							output: 20
							thoughts: 20235

Thoughts:

**Reproducing the KCSAN Data Race in `kick_pool` / `wq_worker_running`**

Alright, let's break this down. The target is a nasty data race between `kick_pool` (which is writing) and `wq_worker_running` (which is reading), likely triggered by the interaction between `netdevsim` and `wireguard` drivers. My strategy will be to create a syzkaller program that consistently throws these guys together in a way that tickles this race condition.

First, the crash report tells us it's FIB-related in the `netdevsim` context, especially around route additions and workqueue operations. On the `wireguard` side, we’re looking at outgoing packet processing and also the workqueue. So, I need to force them to interact. Essentially, I need the `netdevsim` part, which involves FIB events (specifically route adds, which then leads to calls like `nsim_fib_event_work` that might go to sleep in `msleep`, that calls `wq_worker_running`), to coincide *exactly* with `wireguard`’s packet processing, specifically sending packets which results in calling `kick_pool`.

Now, the syzkaller setup:

1. **Netdevsim:** Ideally, I'd want to create a `netdevsim` device and feed it route adds (like adding IPv4 routes) via Netlink. Syzkaller might auto-initialize, or I might need to explicitly `open` and write to `/sys/bus/netdevsim/new_device`. I need to ensure that when I add routes, they go through `netdevsim` and therefore the `nsim_fib_event_work` workqueue is triggered (as part of the FIB notification). It's essentially the *trigger* for the data race by causing the `msleep`. If I can't create `netdevsim`, then I will try to use the approach of spamming route additions, because it seems likely the code path is still exercised with a default configuration with a running `netdevsim` instance.

2. **Wireguard:** I *have* to create a WireGuard interface, configure it (private key, peer, allowed IPs), bring it up, and then pump traffic through it. This part is crucial because the race involves `kick_pool`, and that is invoked by the `wireguard` code. Sending packets through the WG interface triggers the encryption path (`wg_packet_encrypt_worker`), which calls `kick_pool`. I will use Netlink for all of this, using the appropriate family and commands. I need to make sure the target has a valid peer configured (and the peer's allowed IPs).

3. **The Race:** The core of the reproduction is running these two operations concurrently. I'm going to set up two loops: one adding routes repeatedly (triggering the `netdevsim` side, with sleeps) and another sending UDP packets through WireGuard (the `kick_pool` side), hopefully, at just the right timing.

I'm thinking that I should use `sendto` calls and `RTM_NEWROUTE`.

With syzkaller, I will need to construct netlink messages, which is tedious with raw bytes. I can use the provided description files (e.g., `socket_netlink_generic_wireguard.txt`) to build the necessary structs as cleanly as possible when constructing the WireGuard configuration.

The most important points of the syzkaller code are:

* Initialization of `netdevsim` (best effort).
* Initialization of `wireguard` with valid config (including private key and peer with allowed IPs).
* Add IP addresses, bring the interface `UP`.
* A loop, where Thread 1 adds random routes or triggers `nsim_fib_event_work` workqueue, and Thread 2 sends UDP packets.

In the end, I need to create a small, self-contained syzkaller program that has the *minimal* code to trigger this race in a reproducible way. And I hope to do so by maximizing concurrency between these workqueues.

6/2

2026/03/07 08:37

tool

set-results

Args:

map[ReproOpts:threaded=true]

Results:

map[ReproOpts:threaded=true]

7/2

2026/03/07 08:37

llm

crash-repro-finder

Model:

gemini-3-pro-preview

Tokens:

							input: 24025
							output: 2499
							thoughts: 0