syzbot

==================================================================
BUG: KCSAN: data-race in wq_worker_tick / wq_worker_tick

read-write to 0xffff8881000c5ed8 of 8 bytes by interrupt on cpu 0:
 wq_worker_tick+0x60/0x230 kernel/workqueue.c:1493
 sched_tick+0xda/0x210 kernel/sched/core.c:5585
 update_process_times+0x15e/0x190 kernel/time/timer.c:2479
 tick_sched_handle kernel/time/tick-sched.c:298 [inline]
 tick_nohz_handler+0x275/0x3d0 kernel/time/tick-sched.c:319
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x218/0x4f0 kernel/time/hrtimer.c:1849
 hrtimer_interrupt+0x269/0x810 kernel/time/hrtimer.c:1911
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
 __sysvec_apic_timer_interrupt+0x5f/0x1f0 arch/x86/kernel/apic/apic.c:1062
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x32/0x80 arch/x86/kernel/apic/apic.c:1056
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
 find_watchpoint kernel/kcsan/core.c:120 [inline]
 check_access kernel/kcsan/core.c:737 [inline]
 __tsan_read8+0x20/0x190 kernel/kcsan/core.c:1025
 ip6_mc_input+0x33/0x470 net/ipv6/ip6_input.c:511
 dst_input include/net/dst.h:480 [inline]
 ip6_rcv_finish+0x31f/0x330 net/ipv6/ip6_input.c:79
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ipv6_rcv+0x72/0x170 net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core net/core/dev.c:6164 [inline]
 __netif_receive_skb net/core/dev.c:6277 [inline]
 netif_receive_skb_internal net/core/dev.c:6363 [inline]
 netif_receive_skb+0xc5/0x530 net/core/dev.c:6422
 br_netif_receive_skb net/bridge/br_input.c:30 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_pass_frame_up+0x23b/0x330 net/bridge/br_input.c:70
 br_handle_frame_finish+0xdd7/0xfd0 net/bridge/br_input.c:-1
 nf_hook_bridge_pre net/bridge/br_input.c:313 [inline]
 br_handle_frame+0x452/0xa60 net/bridge/br_input.c:442
 __netif_receive_skb_core+0x5b1/0x1980 net/core/dev.c:6051
 __netif_receive_skb_one_core net/core/dev.c:6162 [inline]
 __netif_receive_skb net/core/dev.c:6277 [inline]
 process_backlog+0x25b/0x670 net/core/dev.c:6628
 __napi_poll+0x61/0x330 net/core/dev.c:7692
 napi_poll net/core/dev.c:7755 [inline]
 net_rx_action+0x452/0x930 net/core/dev.c:7912
 handle_softirqs+0xb9/0x2a0 kernel/softirq.c:622
 do_softirq+0x45/0x60 kernel/softirq.c:523
 __local_bh_enable_ip+0x70/0x80 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 __alloc_skb+0x2b6/0x690 net/core/skbuff.c:697
 alloc_skb include/linux/skbuff.h:1383 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:819 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
 nsim_dev_trap_report_work+0x18a/0x630 drivers/net/netdevsim/dev.c:922
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0x4de/0x9e0 kernel/workqueue.c:3358
 worker_thread+0x581/0x770 kernel/workqueue.c:3439
 kthread+0x22a/0x280 kernel/kthread.c:436
 ret_from_fork+0x150/0x360 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

read-write to 0xffff8881000c5ed8 of 8 bytes by interrupt on cpu 1:
 wq_worker_tick+0x60/0x230 kernel/workqueue.c:1493
 sched_tick+0xda/0x210 kernel/sched/core.c:5585
 update_process_times+0x15e/0x190 kernel/time/timer.c:2479
 tick_sched_handle kernel/time/tick-sched.c:298 [inline]
 tick_nohz_handler+0x275/0x3d0 kernel/time/tick-sched.c:319
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x218/0x4f0 kernel/time/hrtimer.c:1849
 hrtimer_interrupt+0x269/0x810 kernel/time/hrtimer.c:1911
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
 __sysvec_apic_timer_interrupt+0x5f/0x1f0 arch/x86/kernel/apic/apic.c:1062
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x32/0x80 arch/x86/kernel/apic/apic.c:1056
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
 kcsan_setup_watchpoint+0x404/0x410 kernel/kcsan/core.c:705
 ndisc_recv_na+0x245/0x8f0 net/ipv6/ndisc.c:1030
 ndisc_rcv+0x307/0x400 net/ipv6/ndisc.c:1833
 icmpv6_rcv+0xe66/0x1300 net/ipv6/icmp.c:1193
 ip6_protocol_deliver_rcu+0xb37/0x10f0 net/ipv6/ip6_input.c:438
 ip6_input_finish+0xf0/0x1c0 net/ipv6/ip6_input.c:489
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ip6_input+0x5e/0x160 net/ipv6/ip6_input.c:500
 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
 dst_input include/net/dst.h:480 [inline]
 ip6_rcv_finish+0x31f/0x330 net/ipv6/ip6_input.c:79
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ipv6_rcv+0x72/0x170 net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core net/core/dev.c:6164 [inline]
 __netif_receive_skb net/core/dev.c:6277 [inline]
 netif_receive_skb_internal net/core/dev.c:6363 [inline]
 netif_receive_skb+0xc5/0x530 net/core/dev.c:6422
 br_netif_receive_skb net/bridge/br_input.c:30 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_pass_frame_up+0x23b/0x330 net/bridge/br_input.c:70
 br_handle_frame_finish+0xdd7/0xfd0 net/bridge/br_input.c:-1
 nf_hook_bridge_pre net/bridge/br_input.c:313 [inline]
 br_handle_frame+0x452/0xa60 net/bridge/br_input.c:442
 __netif_receive_skb_core+0x5b1/0x1980 net/core/dev.c:6051
 __netif_receive_skb_one_core net/core/dev.c:6162 [inline]
 __netif_receive_skb net/core/dev.c:6277 [inline]
 process_backlog+0x25b/0x670 net/core/dev.c:6628
 __napi_poll+0x61/0x330 net/core/dev.c:7692
 napi_poll net/core/dev.c:7755 [inline]
 net_rx_action+0x452/0x930 net/core/dev.c:7912
 handle_softirqs+0xb9/0x2a0 kernel/softirq.c:622
 do_softirq+0x45/0x60 kernel/softirq.c:523
 __local_bh_enable_ip+0x70/0x80 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 __alloc_skb+0x658/0x690 net/core/skbuff.c:697
 alloc_skb include/linux/skbuff.h:1383 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:819 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
 nsim_dev_trap_report_work+0x18a/0x630 drivers/net/netdevsim/dev.c:922
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0x4de/0x9e0 kernel/workqueue.c:3358
 worker_thread+0x581/0x770 kernel/workqueue.c:3439
 kthread+0x22a/0x280 kernel/kthread.c:436
 ret_from_fork+0x150/0x360 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

value changed: 0x000000000106e8b0 -> 0x0000000001070fc0

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 16747 Comm: kworker/u8:25 Tainted: G        W           syzkaller #0 PREEMPT(full) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: events_unbound nsim_dev_trap_report_work
==================================================================
net_ratelimit: 156025 callbacks suppressed
ICMPv6: NA: aa:aa:aa:aa:aa:0c advertised our address fe80::a8aa:aaff:feaa:aa0c on vlan4!
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
ICMPv6: NA: aa:aa:aa:aa:aa:0c advertised our address fe80::a8aa:aaff:feaa:aa0c on vlan4!
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
ICMPv6: NA: aa:aa:aa:aa:aa:0c advertised our address fe80::a8aa:aaff:feaa:aa0c on vlan4!
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
ICMPv6: NA: aa:aa:aa:aa:aa:0c advertised our address fe80::a8aa:aaff:feaa:aa0c on vlan4!
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
ICMPv6: NA: aa:aa:aa:aa:aa:0c advertised our address fe80::a8aa:aaff:feaa:aa0c on vlan4!
net_ratelimit: 165524 callbacks suppressed
ICMPv6: NA: aa:aa:aa:aa:aa:0c advertised our address fe80::a8aa:aaff:feaa:aa0c on vlan4!
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
ICMPv6: NA: aa:aa:aa:aa:aa:0c advertised our address fe80::a8aa:aaff:feaa:aa0c on vlan4!
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
ICMPv6: NA: aa:aa:aa:aa:aa:0c advertised our address fe80::a8aa:aaff:feaa:aa0c on vlan4!