syzbot

 sign-in | mailing list | source | docs
🐞 Open [1449]
Subsystems
🐞 Fixed [6940]
🐞 Invalid [18082]
Missing Backports [223]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KCSAN: data-race in batadv_bla_tx / batadv_bla_tx (6)

Status: moderation: reported on 2026/02/18 04:23
Subsystems: batman
Labels: race:benign
[Documentation on labels]
Reported-by: syzbot+a0069e9acb78619de13e@syzkaller.appspotmail.com
First crash: 31d, last: 31d
✨ AI Jobs (3)
ID Workflow Result Correct Bug Created Started Finished Revision Error
17418469-fff5-40d3-9ee1-b4baf2ab015d assessment-kcsan Benign: ✅  Confident: ✅  KCSAN: data-race in batadv_bla_tx / batadv_bla_tx (6) 2026/01/25 07:42 2026/01/25 07:46 2026/01/25 07:48 252831309f92afe40cc8f6407200c6b12176b8f4
975534a8-3a2e-4d45-8ab7-70a1eabe8129 assessment-kcsan 💥 KCSAN: data-race in batadv_bla_tx / batadv_bla_tx (6) 2026/01/25 07:41 2026/01/25 07:41 2026/01/25 07:41 6dc4179c52dcf953184c0afeb014ccdc89f64484 labels parameter is not supported in Gemini API
42f830d9-1fac-4b55-b917-47dd42d96676 assessment-kcsan 🏃 KCSAN: data-race in batadv_bla_tx / batadv_bla_tx (6) 2026/01/25 07:32 2026/01/25 07:32 e1ce1868b1603c2c9b11f2c63dddad78c9668a7f
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KCSAN: data-race in batadv_bla_tx / batadv_bla_tx (3) batman 6 2 480d 512d 0/29 auto-obsoleted due to no activity on 2024/12/28 07:27
upstream KCSAN: data-race in batadv_bla_tx / batadv_bla_tx batman 6 1 1515d 1499d 0/29 auto-closed as invalid on 2022/02/05 10:48
upstream KCSAN: data-race in batadv_bla_tx / batadv_bla_tx (2) batman 6 1 1442d 1424d 0/29 auto-closed as invalid on 2022/04/19 23:52
upstream KCSAN: data-race in batadv_bla_tx / batadv_bla_tx (5) batman 6 1 153d 153d 0/29 auto-obsoleted due to no activity on 2025/11/19 20:12
upstream KCSAN: data-race in batadv_bla_tx / batadv_bla_tx (4) batman 6 2 347d 360d 0/29 auto-obsoleted due to no activity on 2025/05/10 03:09

Sample crash report:
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
==================================================================
BUG: KCSAN: data-race in batadv_bla_tx / batadv_bla_tx

write to 0xffff88811bd5a1a0 of 8 bytes by interrupt on cpu 0:
 batadv_bla_update_own_backbone_gw net/batman-adv/bridge_loop_avoidance.c:577 [inline]
 batadv_bla_tx+0x7f4/0xc80 net/batman-adv/bridge_loop_avoidance.c:2104
 batadv_interface_tx+0x349/0xae0 net/batman-adv/mesh-interface.c:227
 __netdev_start_xmit include/linux/netdevice.h:5273 [inline]
 netdev_start_xmit include/linux/netdevice.h:5282 [inline]
 xmit_one net/core/dev.c:3866 [inline]
 dev_hard_start_xmit+0x125/0x3e0 net/core/dev.c:3882
 __dev_queue_xmit+0xdb1/0x1f20 net/core/dev.c:4832
 dev_queue_xmit include/linux/netdevice.h:3381 [inline]
 br_dev_queue_push_xmit+0x42d/0x4e0 net/bridge/br_forward.c:53
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_forward_finish+0x89/0x190 net/bridge/br_forward.c:66
 br_nf_hook_thresh net/bridge/br_netfilter_hooks.c:-1 [inline]
 br_nf_forward_finish+0x6ff/0x780 net/bridge/br_netfilter_hooks.c:662
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_nf_forward_arp net/bridge/br_netfilter_hooks.c:752 [inline]
 br_nf_forward+0xae3/0xec0 net/bridge/br_netfilter_hooks.c:775
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0x78/0x180 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:273 [inline]
 NF_HOOK include/linux/netfilter.h:316 [inline]
 __br_forward+0x282/0x360 net/bridge/br_forward.c:115
 deliver_clone net/bridge/br_forward.c:131 [inline]
 maybe_deliver+0x1b8/0x280 net/bridge/br_forward.c:191
 br_flood+0x21f/0x460 net/bridge/br_forward.c:238
 br_handle_frame_finish+0xd96/0xfc0 net/bridge/br_input.c:229
 nf_hook_bridge_pre net/bridge/br_input.c:313 [inline]
 br_handle_frame+0x5f5/0xa30 net/bridge/br_input.c:442
 __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
 __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
 __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
 process_backlog+0x228/0x420 net/core/dev.c:6617
 __napi_poll+0x5f/0x300 net/core/dev.c:7681
 napi_poll net/core/dev.c:7744 [inline]
 net_rx_action+0x452/0x930 net/core/dev.c:7896
 handle_softirqs+0xb9/0x280 kernel/softirq.c:622
 do_softirq+0x45/0x60 kernel/softirq.c:523
 __local_bh_enable_ip+0x70/0x80 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 __alloc_skb+0x477/0x4b0 net/core/skbuff.c:674
 alloc_skb include/linux/skbuff.h:1383 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:818 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:875 [inline]
 nsim_dev_trap_report_work+0x18a/0x630 drivers/net/netdevsim/dev.c:921
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0x4cd/0x9d0 kernel/workqueue.c:3340
 worker_thread+0x581/0x770 kernel/workqueue.c:3421
 kthread+0x488/0x510 kernel/kthread.c:463
 ret_from_fork+0x148/0x280 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

write to 0xffff88811bd5a1a0 of 8 bytes by interrupt on cpu 1:
 batadv_bla_update_own_backbone_gw net/batman-adv/bridge_loop_avoidance.c:577 [inline]
 batadv_bla_tx+0x7f4/0xc80 net/batman-adv/bridge_loop_avoidance.c:2104
 batadv_interface_tx+0x349/0xae0 net/batman-adv/mesh-interface.c:227
 __netdev_start_xmit include/linux/netdevice.h:5273 [inline]
 netdev_start_xmit include/linux/netdevice.h:5282 [inline]
 xmit_one net/core/dev.c:3866 [inline]
 dev_hard_start_xmit+0x125/0x3e0 net/core/dev.c:3882
 __dev_queue_xmit+0xdb1/0x1f20 net/core/dev.c:4832
 dev_queue_xmit include/linux/netdevice.h:3381 [inline]
 br_dev_queue_push_xmit+0x42d/0x4e0 net/bridge/br_forward.c:53
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_forward_finish+0x89/0x190 net/bridge/br_forward.c:66
 br_nf_hook_thresh net/bridge/br_netfilter_hooks.c:-1 [inline]
 br_nf_forward_finish+0x6ff/0x780 net/bridge/br_netfilter_hooks.c:662
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_nf_forward_arp net/bridge/br_netfilter_hooks.c:752 [inline]
 br_nf_forward+0xae3/0xec0 net/bridge/br_netfilter_hooks.c:775
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0x78/0x180 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:273 [inline]
 NF_HOOK include/linux/netfilter.h:316 [inline]
 __br_forward+0x282/0x360 net/bridge/br_forward.c:115
 deliver_clone net/bridge/br_forward.c:131 [inline]
 maybe_deliver+0x1b8/0x280 net/bridge/br_forward.c:191
 br_flood+0x21f/0x460 net/bridge/br_forward.c:238
 br_handle_frame_finish+0xd96/0xfc0 net/bridge/br_input.c:229
 nf_hook_bridge_pre net/bridge/br_input.c:313 [inline]
 br_handle_frame+0x5f5/0xa30 net/bridge/br_input.c:442
 __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
 __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
 __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
 process_backlog+0x228/0x420 net/core/dev.c:6617
 __napi_poll+0x5f/0x300 net/core/dev.c:7681
 napi_poll net/core/dev.c:7744 [inline]
 net_rx_action+0x452/0x930 net/core/dev.c:7896
 handle_softirqs+0xb9/0x280 kernel/softirq.c:622
 do_softirq+0x45/0x60 kernel/softirq.c:523
 __local_bh_enable_ip+0x70/0x80 kernel/softirq.c:450
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x18/0x20 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 batadv_tt_global_purge net/batman-adv/translation-table.c:2250 [inline]
 batadv_tt_purge+0x2cd/0x610 net/batman-adv/translation-table.c:3510
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0x4cd/0x9d0 kernel/workqueue.c:3340
 worker_thread+0x581/0x770 kernel/workqueue.c:3421
 kthread+0x488/0x510 kernel/kthread.c:463
 ret_from_fork+0x148/0x280 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

value changed: 0x00000000ffffe174 -> 0x00000000ffffe175

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 2270 Comm: kworker/u8:12 Tainted: G        W           syzkaller #0 PREEMPT(voluntary) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: bat_events batadv_tt_purge
==================================================================
net_ratelimit: 8016 callbacks suppressed
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
net_ratelimit: 8570 callbacks suppressed
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:1)

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/01/24 20:10 upstream 62085877ae65 40acda8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in batadv_bla_tx / batadv_bla_tx
* Struck through repros no longer work on HEAD.