syzbot

 sign-in | mailing list | source | docs
🐞 Open [1672]
Subsystems
🐞 Fixed [6050]
🐞 Invalid [15011]
Missing Backports [149]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KCSAN: data-race in __perf_event_overflow / perf_event_attach_bpf_prog

Status: moderation: reported on 2025/02/15 23:45
Subsystems: bpf trace
[Documentation on labels]
Reported-by: syzbot+4b33342ce006dc3459d8@syzkaller.appspotmail.com
First crash: 5d05h, last: 5d05h

Sample crash report:
netlink: 'syz.1.5971': attribute type 13 has an invalid length.
bridge0: port 2(bridge_slave_1) entered disabled state
bridge0: port 1(bridge_slave_0) entered disabled state
==================================================================
BUG: KCSAN: data-race in __perf_event_overflow / perf_event_attach_bpf_prog

write to 0xffff8881191366d0 of 8 bytes by task 19809 on cpu 0:
 perf_event_attach_bpf_prog+0x138/0x1d0 kernel/trace/bpf_trace.c:2235
 perf_event_set_bpf_prog+0x469/0x490 kernel/events/core.c:10829
 bpf_perf_link_attach+0x185/0x260 kernel/bpf/syscall.c:3907
 link_create+0x3eb/0x660
 __sys_bpf+0x430/0x7a0 kernel/bpf/syscall.c:5864
 __do_sys_bpf kernel/bpf/syscall.c:5901 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5899 [inline]
 __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5899
 x64_sys_call+0x2914/0x2dc0 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff8881191366d0 of 8 bytes by task 19801 on cpu 1:
 __perf_event_overflow+0xe0/0x6f0 kernel/events/core.c:9912
 perf_swevent_overflow kernel/events/core.c:10045 [inline]
 perf_swevent_event+0x3f8/0x4a0 kernel/events/core.c:10083
 perf_tp_event+0x2de/0xa00 kernel/events/core.c:10590
 perf_trace_run_bpf_submit+0xb0/0x110 kernel/events/core.c:10514
 do_perf_trace_kmalloc include/trace/events/kmem.h:54 [inline]
 perf_trace_kmalloc+0xe2/0x110 include/trace/events/kmem.h:54
 __do_trace_kmalloc include/trace/events/kmem.h:54 [inline]
 trace_kmalloc include/trace/events/kmem.h:54 [inline]
 __kmalloc_cache_noprof+0x28c/0x320 mm/slub.c:4323
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 ref_tracker_alloc+0xe3/0x2f0 lib/ref_tracker.c:203
 __netns_tracker_alloc include/net/net_namespace.h:343 [inline]
 netns_tracker_alloc include/net/net_namespace.h:352 [inline]
 nf_nat_masq_schedule+0x209/0x360 net/netfilter/nf_nat_masquerade.c:126
 masq_inet6_event+0xac/0xe0 net/netfilter/nf_nat_masquerade.c:295
 notifier_call_chain kernel/notifier.c:85 [inline]
 atomic_notifier_call_chain+0x76/0x1d0 kernel/notifier.c:223
 inet6addr_notifier_call_chain+0x24/0x30 net/ipv6/addrconf_core.c:109
 addrconf_ifdown+0x901/0xed0 net/ipv6/addrconf.c:3974
 addrconf_notify+0x2ff/0x950
 notifier_call_chain kernel/notifier.c:85 [inline]
 raw_notifier_call_chain+0x6f/0x1d0 kernel/notifier.c:453
 call_netdevice_notifiers_info+0xae/0x100 net/core/dev.c:2141
 __dev_notify_flags+0xff/0x1a0
 dev_change_flags+0xab/0xd0 net/core/dev.c:9249
 do_setlink+0x7a1/0x2370 net/core/rtnetlink.c:3118
 rtnl_group_changelink net/core/rtnetlink.c:3747 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3894 [inline]
 rtnl_newlink+0xcf9/0x1250 net/core/rtnetlink.c:4022
 rtnetlink_rcv_msg+0x651/0x710 net/core/rtnetlink.c:6912
 netlink_rcv_skb+0x12c/0x230 net/netlink/af_netlink.c:2543
 rtnetlink_rcv+0x1c/0x30 net/core/rtnetlink.c:6939
 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
 netlink_unicast+0x599/0x670 net/netlink/af_netlink.c:1348
 netlink_sendmsg+0x5cc/0x6e0 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg+0x140/0x180 net/socket.c:733
 ____sys_sendmsg+0x326/0x4b0 net/socket.c:2573
 ___sys_sendmsg net/socket.c:2627 [inline]
 __sys_sendmsg+0x19d/0x230 net/socket.c:2659
 __do_sys_sendmsg net/socket.c:2664 [inline]
 __se_sys_sendmsg net/socket.c:2662 [inline]
 __x64_sys_sendmsg+0x46/0x50 net/socket.c:2662
 x64_sys_call+0x2734/0x2dc0 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x0000000000000000 -> 0xffffc900018d3000

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 19801 Comm: syz.1.5971 Not tainted 6.14.0-rc2-syzkaller-00281-g496659003dac #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
==================================================================
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
netdevsim netdevsim1 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/02/15 23:44 upstream 496659003dac 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in __perf_event_overflow / perf_event_attach_bpf_prog
* Struck through repros no longer work on HEAD.