syzbot
KCSAN: data-race in __wb_writeout_add / writeout_period (5)

Status: moderation: reported on 2024/10/04 23:57
Subsystems: fs mm
Reported-by: syzbot+f53e14a30db777175a82@syzkaller.appspotmail.com
First crash: 18h25m, last: 18h25m
Similar bugs (4)
Kernel   | Title                                                                 | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KCSAN: data-race in __wb_writeout_add / writeout_period (2) [mm fs] |       |              |            | 2     | 824d | 832d     | 0/28    | auto-closed as invalid on 2022/08/08 01:40
upstream | KCSAN: data-race in __wb_writeout_add / writeout_period [mm fs]     |       |              |            | 2     | 880d | 906d     | 0/28    | auto-closed as invalid on 2022/06/12 20:11
upstream | KCSAN: data-race in __wb_writeout_add / writeout_period (4) [fs mm] |       |              |            | 146   | 102d | 302d     | 0/28    | auto-obsoleted due to no activity on 2024/07/29 22:39
upstream | KCSAN: data-race in __wb_writeout_add / writeout_period (3) [fs mm] |       |              |            | 1     | 781d | 781d     | 0/28    | auto-closed as invalid on 2022/09/20 00:41

Sample crash report:
kworker/u8:6: attempt to access beyond end of device
loop4: rw=1048577, sector=3912, nr_sectors = 2048 limit=256
==================================================================
BUG: KCSAN: data-race in __wb_writeout_add / writeout_period

write to 0xffffffff88bdcdf0 of 8 bytes by interrupt on cpu 0:
 writeout_period+0xa6/0xe0 mm/page-writeback.c:638
 call_timer_fn+0x3a/0x300 kernel/time/timer.c:1794
 expire_timers kernel/time/timer.c:1845 [inline]
 __run_timers kernel/time/timer.c:2419 [inline]
 __run_timer_base+0x417/0x640 kernel/time/timer.c:2430
 run_timer_base kernel/time/timer.c:2439 [inline]
 run_timer_softirq+0x45/0x70 kernel/time/timer.c:2450
 handle_softirqs+0xbf/0x280 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0x3e/0x90 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline]
 sysvec_apic_timer_interrupt+0x73/0x80 arch/x86/kernel/apic/apic.c:1037
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
 __preempt_count_dec_and_test arch/x86/include/asm/preempt.h:94 [inline]
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
 _raw_spin_unlock_irqrestore+0x3d/0x60 kernel/locking/spinlock.c:194
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 pcpu_alloc_noprof+0x77a/0x10c0 mm/percpu.c:1867
 ipv4_mib_init_net+0x6f/0x340 net/ipv4/af_inet.c:1729
 ops_init+0x1c9/0x260 net/core/net_namespace.c:139
 setup_net+0x14d/0x600 net/core/net_namespace.c:356
 copy_net_ns+0x290/0x430 net/core/net_namespace.c:494
 create_new_namespaces+0x228/0x430 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xe6/0x120 kernel/nsproxy.c:228
 ksys_unshare+0x3c9/0x6e0 kernel/fork.c:3311
 __do_sys_unshare kernel/fork.c:3382 [inline]
 __se_sys_unshare kernel/fork.c:3380 [inline]
 __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3380
 x64_sys_call+0x2c8d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:273
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffffff88bdcdf0 of 8 bytes by task 740 on cpu 1:
 wb_domain_writeout_add mm/page-writeback.c:587 [inline]
 __wb_writeout_add+0x83/0x1d0 mm/page-writeback.c:608
 __folio_end_writeback+0x215/0x4a0 mm/page-writeback.c:3091
 folio_end_writeback+0x74/0x1f0 mm/filemap.c:1634
 mpage_write_end_io+0x27c/0x390 fs/mpage.c:65
 bio_endio+0x369/0x410 block/bio.c:1708
 submit_bio_noacct+0x61f/0x9a0 block/blk-core.c:861
 submit_bio+0x218/0x230 block/blk-core.c:896
 mpage_bio_submit_write fs/mpage.c:83 [inline]
 __mpage_writepage+0x978/0xe10 fs/mpage.c:612
 write_cache_pages+0x62/0x100 mm/page-writeback.c:2640
 mpage_writepages+0x72/0xf0 fs/mpage.c:666
 fat_writepages+0x24/0x30 fs/fat/inode.c:199
 do_writepages+0x1d8/0x480 mm/page-writeback.c:2683
 __writeback_single_inode+0x89/0x850 fs/fs-writeback.c:1658
 writeback_sb_inodes+0x461/0xa30 fs/fs-writeback.c:1954
 __writeback_inodes_wb+0x9a/0x1a0 fs/fs-writeback.c:2025
 wb_writeback+0x274/0x640 fs/fs-writeback.c:2136
 wb_check_background_flush fs/fs-writeback.c:2206 [inline]
 wb_do_writeback fs/fs-writeback.c:2294 [inline]
 wb_workfn+0x67f/0x940 fs/fs-writeback.c:2321
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3310
 worker_thread+0x51d/0x6f0 kernel/workqueue.c:3391
 kthread+0x1d1/0x210 kernel/kthread.c:389
 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

value changed: 0x00000000ffffdf74 -> 0x00000000ffffe0a0

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 740 Comm: kworker/u8:6 Tainted: G        W          6.12.0-rc1-syzkaller-00257-g2f91ff27b0ee #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: writeback wb_workfn (flush-7:4)
==================================================================
kworker/u8:6: attempt to access beyond end of device
loop4: rw=1048577, sector=5960, nr_sectors = 2048 limit=256
kworker/u8:6: attempt to access beyond end of device
loop4: rw=1048577, sector=8008, nr_sectors = 1440 limit=256

Crashes (1):
Time             | Kernel   | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets                                   | Manager                | Title
2024/10/04 23:56 | upstream | 2f91ff27b0ee | d7906eff  | .config | console log | report |           |         | info    | [disk image] [vmlinux] [kernel image]    | ci2-upstream-kcsan-gce | KCSAN: data-race in __wb_writeout_add / writeout_period