syzbot

 sign-in | mailing list | source | docs
🐞 Open [1021] Subsystems 🐞 Fixed [5251] 🐞 Invalid [12565] Missing Backports [85] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KCSAN: data-race in __d_lookup / __d_rehash (8)

Status: moderation: reported on 2024/04/20 12:09
Subsystems: fs
[Documentation on labels]
Reported-by: syzbot+da75324df105e629d3e7@syzkaller.appspotmail.com
First crash: 13d, last: 13d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KCSAN: data-race in __d_lookup / __d_rehash (6) fs 1 252d 252d 0/26 auto-obsoleted due to no activity on 2023/09/29 22:29
upstream KCSAN: data-race in __d_lookup / __d_rehash (4) ext4 1 369d 369d 0/26 auto-obsoleted due to no activity on 2023/06/04 03:50
upstream KCSAN: data-race in __d_lookup / __d_rehash fs 1 1631d 1631d 0/26 auto-closed as invalid on 2020/01/24 17:56
upstream KCSAN: data-race in __d_lookup / __d_rehash (3) fs 1 541d 541d 0/26 auto-obsoleted due to no activity on 2022/12/14 23:50
upstream KCSAN: data-race in __d_lookup / __d_rehash (2) fs 1 734d 734d 0/26 auto-closed as invalid on 2022/06/04 08:25
upstream KCSAN: data-race in __d_lookup / __d_rehash (5) ext4 2 310d 311d 0/26 auto-obsoleted due to no activity on 2023/08/02 16:55
upstream KCSAN: data-race in __d_lookup / __d_rehash (7) ext4 1 205d 205d 0/26 auto-obsoleted due to no activity on 2023/11/15 16:47

Sample crash report:
==================================================================
BUG: KCSAN: data-race in __d_lookup / __d_rehash

write to 0xffff88810790b490 of 8 bytes by task 3093 on cpu 1:
 hlist_bl_add_head_rcu include/linux/rculist_bl.h:81 [inline]
 __d_rehash+0xc4/0x220 fs/dcache.c:2403
 __d_add+0x36d/0x4a0 fs/dcache.c:2618
 d_splice_alias+0xd6/0x270 fs/dcache.c:3009
 proc_sys_lookup+0x386/0x440 fs/proc/proc_sysctl.c:539
 lookup_open fs/namei.c:3475 [inline]
 open_last_lookups fs/namei.c:3566 [inline]
 path_openat+0xc85/0x1d80 fs/namei.c:3796
 do_filp_open+0xf7/0x200 fs/namei.c:3826
 do_sys_openat2+0xab/0x120 fs/open.c:1406
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0xf3/0x120 fs/open.c:1432
 x64_sys_call+0x2cad/0x2d30 arch/x86/include/generated/asm/syscalls_64.h:258
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88810790b490 of 8 bytes by task 3097 on cpu 0:
 hlist_bl_unhashed include/linux/list_bl.h:54 [inline]
 d_unhashed include/linux/dcache.h:347 [inline]
 __d_lookup+0x10e/0x390 fs/dcache.c:2315
 lookup_fast+0x4c/0x2a0 fs/namei.c:1650
 open_last_lookups fs/namei.c:3534 [inline]
 path_openat+0x44c/0x1d80 fs/namei.c:3796
 do_filp_open+0xf7/0x200 fs/namei.c:3826
 do_sys_openat2+0xab/0x120 fs/open.c:1406
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0xf3/0x120 fs/open.c:1432
 x64_sys_call+0x2cad/0x2d30 arch/x86/include/generated/asm/syscalls_64.h:258
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0xffff8882377191a0 -> 0xffff88810781d248

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 3097 Comm: syz-executor.0 Not tainted 6.9.0-rc4-syzkaller-00214-g13a2e429f644 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
==================================================================
chnl_net:caif_netlink_parms(): no params data found
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered disabled state
bridge_slave_0: entered allmulticast mode
bridge_slave_0: entered promiscuous mode
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered disabled state
bridge_slave_1: entered allmulticast mode
bridge_slave_1: entered promiscuous mode
bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
team0: Port device team_slave_0 added
team0: Port device team_slave_1 added
batman_adv: batadv0: Adding interface: batadv_slave_0
batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
batman_adv: batadv0: Adding interface: batadv_slave_1
batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
hsr_slave_0: entered promiscuous mode
hsr_slave_1: entered promiscuous mode
debugfs: Directory 'hsr0' with parent 'hsr' already present!
Cannot create hsr debugfs directory
netdevsim netdevsim0 netdevsim0: renamed from eth0
netdevsim netdevsim0 netdevsim1: renamed from eth1
netdevsim netdevsim0 netdevsim2: renamed from eth2
netdevsim netdevsim0 netdevsim3: renamed from eth3
8021q: adding VLAN 0 to HW filter on device bond0
8021q: adding VLAN 0 to HW filter on device team0
hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
8021q: adding VLAN 0 to HW filter on device batadv0
veth0_vlan: entered promiscuous mode
veth1_vlan: entered promiscuous mode
veth0_macvtap: entered promiscuous mode
veth1_macvtap: entered promiscuous mode
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: batadv0: Interface activated: batadv_slave_1
netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
syz-executor.0 (3097) used greatest stack depth: 10488 bytes left

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/04/20 12:08 upstream 13a2e429f644 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in __d_lookup / __d_rehash
* Struck through repros no longer work on HEAD.