syzbot


KCSAN: data-race in __bpf_get_stackid / bcmp

Status: moderation: reported on 2025/06/18 12:38
Subsystems: bpf
Reported-by: syzbot+505324320caac3303e6f@syzkaller.appspotmail.com
First crash: 12h30m, last: 12h30m

Sample crash report:
==================================================================
BUG: KCSAN: data-race in __bpf_get_stackid / bcmp

write to 0xffff88811c5a8228 of 160 bytes by task 3646 on cpu 1:
 __bpf_get_stackid+0x761/0x800 kernel/bpf/stackmap.c:288
 ____bpf_get_stackid kernel/bpf/stackmap.c:324 [inline]
 bpf_get_stackid+0xee/0x120 kernel/bpf/stackmap.c:300
 ____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1811 [inline]
 bpf_get_stackid_raw_tp+0xf6/0x120 kernel/trace/bpf_trace.c:1800
 bpf_prog_e6fc920cfeff8120+0x2a/0x32
 bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2258 [inline]
 bpf_trace_run3+0x10f/0x1d0 kernel/trace/bpf_trace.c:2300
 __do_trace_kmem_cache_free include/trace/events/kmem.h:114 [inline]
 trace_kmem_cache_free include/trace/events/kmem.h:114 [inline]
 kmem_cache_free+0x257/0x300 mm/slub.c:4744
 skb_kfree_head net/core/skbuff.c:1046 [inline]
 skb_free_head+0x87/0x150 net/core/skbuff.c:1060
 skb_release_data+0x33b/0x370 net/core/skbuff.c:1087
 skb_release_all net/core/skbuff.c:1152 [inline]
 __kfree_skb+0x44/0x150 net/core/skbuff.c:1166
 sk_skb_reason_drop+0xbd/0x270 net/core/skbuff.c:1204
 kfree_skb_reason include/linux/skbuff.h:1275 [inline]
 __skb_queue_purge_reason include/linux/skbuff.h:3355 [inline]
 __skb_queue_purge include/linux/skbuff.h:3360 [inline]
 tipc_mcast_xmit+0x806/0xcb0 net/tipc/bcast.c:428
 tipc_send_group_bcast+0x5d9/0x6c0 net/tipc/socket.c:1130
 __tipc_sendmsg+0x186/0x1b00 net/tipc/socket.c:-1
 tipc_sendmsg+0x3e/0x60 net/tipc/socket.c:1399
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x142/0x180 net/socket.c:727
 ____sys_sendmsg+0x345/0x4e0 net/socket.c:2566
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2620
 __sys_sendmmsg+0x178/0x300 net/socket.c:2709
 __do_sys_sendmmsg net/socket.c:2736 [inline]
 __se_sys_sendmmsg net/socket.c:2733 [inline]
 __x64_sys_sendmmsg+0x57/0x70 net/socket.c:2733
 x64_sys_call+0x2f2f/0x2fb0 arch/x86/include/generated/asm/syscalls_64.h:308
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88811c5a8258 of 8 bytes by task 3656 on cpu 0:
 memcmp lib/string.c:683 [inline]
 bcmp+0x23/0x90 lib/string.c:715
 memcmp include/linux/fortify-string.h:727 [inline]
 __bpf_get_stackid+0x371/0x800 kernel/bpf/stackmap.c:279
 ____bpf_get_stackid kernel/bpf/stackmap.c:324 [inline]
 bpf_get_stackid+0xee/0x120 kernel/bpf/stackmap.c:300
 ____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1811 [inline]
 bpf_get_stackid_raw_tp+0xf6/0x120 kernel/trace/bpf_trace.c:1800
 bpf_prog_e6fc920cfeff8120+0x2a/0x32
 bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2258 [inline]
 bpf_trace_run3+0x10f/0x1d0 kernel/trace/bpf_trace.c:2300
 __do_trace_kmem_cache_free include/trace/events/kmem.h:114 [inline]
 trace_kmem_cache_free include/trace/events/kmem.h:114 [inline]
 kmem_cache_free+0x257/0x300 mm/slub.c:4744
 __d_free fs/dcache.c:345 [inline]
 dentry_free fs/dcache.c:440 [inline]
 __dentry_kill+0x3d1/0x4b0 fs/dcache.c:688
 dput+0x5e/0xd0 fs/dcache.c:911
 __fput+0x444/0x650 fs/file_table.c:473
 ____fput+0x1c/0x30 fs/file_table.c:493
 task_work_run+0x12e/0x1a0 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xe4/0x100 kernel/entry/common.c:114
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x1d6/0x200 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0xffffffff8191e014 -> 0xffffffff8445d7b4

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 3656 Comm: syz.1.76 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
==================================================================

Crashes (1):
  Time:       2025/06/18 12:37
  Kernel:     upstream
  Commit:     52da431bf03b
  Syzkaller:  ca631f70
  Config:     .config
  Log:        console log
  Report:     report
  Syz repro:  (none)
  C repro:    (none)
  VM info:    info
  Assets:     disk image, vmlinux, kernel image
  Manager:    ci2-upstream-kcsan-gce
  Title:      KCSAN: data-race in __bpf_get_stackid / bcmp