syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1347]
Subsystems
🐞 Fixed [7091]
🐞 Invalid [18734]
Missing Backports [220]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KCSAN: data-race in copy_mm / percpu_counter_add_batch

Status: upstream: reported on 2026/03/31 19:19
Subsystems: net
Labels: race:benign prio:low
[Documentation on labels]
Reported-by: syzbot+648f94dd38904eae4be7@syzkaller.appspotmail.com
First crash: 47d, last: 47d
✨ AI Jobs (2)
ID Workflow Result Correct Bug Created Started Finished Revision Error
4c2ce8b0-f24e-4726-9bc3-a9bdd02acba2 assessment-security DenialOfService: ❌ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ❌ UserNamespace: ❌ VMGuestTrigger: ❌ VMHostTrigger: ❌ KCSAN: data-race in copy_mm / percpu_counter_add_batch 2026/05/18 00:20 2026/05/18 00:20 2026/05/18 00:58 de5aae85e5f28e2fa1c7deefcc24fe286abe5140
c386c44f-45ba-422d-9c70-94a448563bac assessment-kcsan Benign: ✅ Confident: ✅ KCSAN: data-race in copy_mm / percpu_counter_add_batch 2026/03/31 09:53 2026/03/31 09:53 2026/03/31 10:17 d0af506ef4609d1bffbbbbae776b857a63d84b20
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [net?] KCSAN: data-race in copy_mm / percpu_counter_add_batch 0 (1) 2026/03/31 19:19

Sample crash report:
==================================================================
BUG: KCSAN: data-race in copy_mm / percpu_counter_add_batch

read-write to 0xffff88812b22d5c8 of 8 bytes by task 26440 on cpu 0:
 percpu_counter_add_batch+0x105/0x130 lib/percpu_counter.c:107
 percpu_counter_add include/linux/percpu_counter.h:71 [inline]
 percpu_counter_inc include/linux/percpu_counter.h:267 [inline]
 inc_mm_counter include/linux/mm.h:3084 [inline]
 wp_page_copy mm/memory.c:3825 [inline]
 do_wp_page+0x1416/0x2590 mm/memory.c:4241
 handle_pte_fault mm/memory.c:6333 [inline]
 __handle_mm_fault mm/memory.c:6455 [inline]
 handle_mm_fault+0x8cb/0x3020 mm/memory.c:6624
 do_user_addr_fault+0x3fd/0x1050 arch/x86/mm/fault.c:1385
 handle_page_fault arch/x86/mm/fault.c:1474 [inline]
 exc_page_fault+0x62/0xa0 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
 rep_movs_alternative+0x4a/0x90 arch/x86/lib/copy_user_64.S:68
 copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
 copy_to_user_iter lib/iov_iter.c:25 [inline]
 iterate_ubuf include/linux/iov_iter.h:30 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:302 [inline]
 iterate_and_advance include/linux/iov_iter.h:330 [inline]
 _copy_to_iter+0x141/0xea0 lib/iov_iter.c:197
 copy_to_iter include/linux/uio.h:220 [inline]
 simple_copy_to_iter net/core/datagram.c:521 [inline]
 __skb_datagram_iter+0x2f4/0x680 net/core/datagram.c:435
 skb_copy_datagram_iter+0x3f/0x120 net/core/datagram.c:535
 skb_copy_datagram_msg include/linux/skbuff.h:4218 [inline]
 unix_stream_read_actor+0x43/0x70 net/unix/af_unix.c:3109
 unix_stream_read_generic+0x6e9/0x1630 net/unix/af_unix.c:3029
 unix_stream_recvmsg+0xff/0x130 net/unix/af_unix.c:3146
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0xf5/0x120 net/socket.c:1100
 ____sys_recvmsg+0xf5/0x280 net/socket.c:2812
 ___sys_recvmsg+0x11f/0x3b0 net/socket.c:2854
 __sys_recvmsg net/socket.c:2887 [inline]
 __do_sys_recvmsg net/socket.c:2893 [inline]
 __se_sys_recvmsg net/socket.c:2890 [inline]
 __x64_sys_recvmsg+0xd1/0x160 net/socket.c:2890
 x64_sys_call+0x2b1a/0x3020 arch/x86/include/generated/asm/syscalls_64.h:48
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88812b22d100 of 1664 bytes by task 26447 on cpu 1:
 dup_mm kernel/fork.c:1525 [inline]
 copy_mm+0xe1/0x370 kernel/fork.c:1583
 copy_process+0xe22/0x20b0 kernel/fork.c:2223
 kernel_clone+0x16b/0x5d0 kernel/fork.c:2653
 __do_sys_clone kernel/fork.c:2794 [inline]
 __se_sys_clone kernel/fork.c:2778 [inline]
 __x64_sys_clone+0x143/0x180 kernel/fork.c:2778
 x64_sys_call+0x1222/0x3020 arch/x86/include/generated/asm/syscalls_64.h:57
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 26447 Comm: syz.1.8317 Tainted: G        W           syzkaller #0 PREEMPT(full) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
==================================================================
Q6`Ҙ speed is unknown, defaulting to 1000

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/03/31 09:53 upstream d0c3bcd5b897 aeea1c72 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in copy_mm / percpu_counter_add_batch
* Struck through repros no longer work on HEAD.