syzbot


KCSAN: data-race in j1939_xtp_rx_dat_one / j1939_xtp_rx_dat_one (2)

Status: auto-closed as invalid on 2022/05/02 01:04
Subsystems: can
Reported-by: syzbot+416ef4a2288867b76017@syzkaller.appspotmail.com
First crash: 783d, last: 771d
Similar bugs (3):

Kernel: upstream
Title: KCSAN: data-race in j1939_xtp_rx_dat_one / j1939_xtp_rx_dat_one (3)
Subsystems: can
Repro: -; Cause bisect: -; Fix bisect: -
Count: 3; Last: 586d; Reported: 613d; Patched: 0/26
Status: auto-obsoleted due to no activity on 2022/11/02 20:30

Kernel: upstream
Title: KCSAN: data-race in j1939_xtp_rx_dat_one / j1939_xtp_rx_dat_one (4)
Subsystems: can
Repro: -; Cause bisect: -; Fix bisect: -
Count: 1; Last: 542d; Reported: 542d; Patched: 0/26
Status: auto-obsoleted due to no activity on 2022/12/17 00:46

Kernel: upstream
Title: KCSAN: data-race in j1939_xtp_rx_dat_one / j1939_xtp_rx_dat_one
Subsystems: can
Repro: -; Cause bisect: -; Fix bisect: -
Count: 2; Last: 1561d; Reported: 1585d; Patched: 0/26
Status: auto-closed as invalid on 2020/04/06 17:55

Sample crash report:
vcan0: j1939_xtp_rx_dat_one: 0xffff88812a638c00: last 00
vcan0: j1939_xtp_rx_dat: no rx connection found
==================================================================
BUG: KCSAN: data-race in j1939_xtp_rx_dat_one / j1939_xtp_rx_dat_one

write to 0xffff88812b4af6ac of 4 bytes by interrupt on cpu 1:
 j1939_xtp_rx_dat_one+0x889/0x1040 net/can/j1939/transport.c:1875
 j1939_xtp_rx_dat net/can/j1939/transport.c:1939 [inline]
 j1939_tp_recv+0x2b8/0xa20 net/can/j1939/transport.c:2123
 j1939_can_recv+0x3f9/0x4e0 net/can/j1939/main.c:108
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x254/0x520 net/can/af_can.c:608
 can_receive+0x1a2/0x220 net/can/af_can.c:665
 can_rcv+0x9e/0x170 net/can/af_can.c:696
 __netif_receive_skb_one_core net/core/dev.c:5405 [inline]
 __netif_receive_skb+0x8b/0x1b0 net/core/dev.c:5519
 process_backlog+0x23f/0x3c0 net/core/dev.c:5847
 __napi_poll+0x65/0x3f0 net/core/dev.c:6413
 napi_poll net/core/dev.c:6480 [inline]
 net_rx_action+0x29e/0x650 net/core/dev.c:6567
 __do_softirq+0x158/0x2de kernel/softirq.c:558
 run_ksoftirqd+0x1f/0x30 kernel/softirq.c:921
 smpboot_thread_fn+0x308/0x4a0 kernel/smpboot.c:164
 kthread+0x1bf/0x1e0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

read to 0xffff88812b4af6ac of 4 bytes by interrupt on cpu 0:
 j1939_xtp_rx_dat_one+0x857/0x1040 net/can/j1939/transport.c:1874
 j1939_xtp_rx_dat net/can/j1939/transport.c:1939 [inline]
 j1939_tp_recv+0x2b8/0xa20 net/can/j1939/transport.c:2123
 j1939_can_recv+0x3f9/0x4e0 net/can/j1939/main.c:108
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x254/0x520 net/can/af_can.c:608
 can_receive+0x1a2/0x220 net/can/af_can.c:665
 can_rcv+0x9e/0x170 net/can/af_can.c:696
 __netif_receive_skb_one_core net/core/dev.c:5405 [inline]
 __netif_receive_skb+0x8b/0x1b0 net/core/dev.c:5519
 process_backlog+0x23f/0x3c0 net/core/dev.c:5847
 __napi_poll+0x65/0x3f0 net/core/dev.c:6413
 napi_poll net/core/dev.c:6480 [inline]
 net_rx_action+0x29e/0x650 net/core/dev.c:6567
 __do_softirq+0x158/0x2de kernel/softirq.c:558
 run_ksoftirqd+0x1f/0x30 kernel/softirq.c:921
 smpboot_thread_fn+0x308/0x4a0 kernel/smpboot.c:164
 kthread+0x1bf/0x1e0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

value changed: 0x00000133 -> 0x00000134

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G        W         5.17.0-syzkaller-11406-gf82da161ea75-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_dat_one: 0xffff88812b19b400: no skb found
vcan0: j1939_xtp_rx_abort_one: 0xffff88812b19b400: 0x00000: (5) Maximal retransmit request limit reached
vcan0: j1939_xtp_rx_abort_one: 0xffff88812a04c200: 0x00000: (5) Maximal retransmit request limit reached
vcan0: j1939_tp_rxtimer: 0xffff88812b151a00: rx timeout, send abort
vcan0: j1939_xtp_rx_abort_one: 0xffff888129f1f400: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
vcan0: j1939_xtp_rx_abort_one: 0xffff888129f1f200: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
vcan0: j1939_xtp_rx_abort_one: 0xffff888129f1f000: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
vcan0: j1939_tp_rxtimer: 0xffff88812b151a00: abort rx timeout. Force session deactivation
vcan0: j1939_tp_rxtimer: 0xffff88812a17b600: rx timeout, send abort
vcan0: j1939_tp_rxtimer: 0xffff88812b66b600: rx timeout, send abort
vcan0: j1939_xtp_rx_abort_one: 0xffff88812a17b600: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
vcan0: j1939_xtp_rx_abort_one: 0xffff88812b66b600: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.

Crashes (2):

Time: 2022/03/28 01:03
Kernel: upstream; Commit: f82da161ea75; Syzkaller: 89bc8608
Config: .config; Log: console log; Report: report; VM info: info
Syz repro: -; C repro: -; Assets: -
Manager: ci2-upstream-kcsan-gce
Title: KCSAN: data-race in j1939_xtp_rx_dat_one / j1939_xtp_rx_dat_one

Time: 2022/03/15 19:25
Kernel: upstream; Commit: 56e337f2cf13; Syzkaller: 9e8eaa75
Config: .config; Log: console log; Report: report; VM info: info
Syz repro: -; C repro: -; Assets: -
Manager: ci2-upstream-kcsan-gce
Title: KCSAN: data-race in j1939_xtp_rx_dat_one / j1939_xtp_rx_dat_one

* Struck through repros no longer work on HEAD.