syzbot


KCSAN: data-race in _copy_from_iter / bcm_can_tx

Status: upstream: reported on 2026/04/06 20:57
Subsystems: can
Labels: prio:low
Reported-by: syzbot+71cffbc1f77596292d08@syzkaller.appspotmail.com
First crash: 56d, last: 36d
✨ AI Jobs (4)
ID Workflow Result Correct Bug Created Started Finished Revision Error
2d04eae2-9bfc-40df-84c1-462b424ed9dd repro-c Reproduced: ✅ KCSAN: data-race in _copy_from_iter / bcm_can_tx 2026/05/19 12:52 2026/05/19 15:21 2026/05/19 15:28 1d9407ad5a662c921fc0d659cf022b438c0bde91
8f11f345-d851-4e6d-a826-7536b5780dd9 repro 💥 KCSAN: data-race in _copy_from_iter / bcm_can_tx 2026/05/19 12:52 2026/05/19 15:02 2026/05/19 15:21 1d9407ad5a662c921fc0d659cf022b438c0bde91 Basic kernel testing failed: KCSAN: data-race in clocksource_watchdog / watchdog_check_skew
==================================================================
BUG: KCSAN: data-race in clocksource_watchdog / watchdog_check_skew

write to 0xffff888277d2bff0 of 8 bytes by task 0 on cpu 1:
 watchdog_check_skew+0x188/0x2a0 kernel/time/clocksource.c:344
 watchdog_check_skew_remote+0x2a/0x40 kernel/time/clocksource.c:364
 csd_do_func kernel/smp.c:136 [inline]
 __flush_smp_call_function_queue+0x41b/0x810 kernel/smp.c:591
 flush_smp_call_function_queue+0x40/0xb0 kernel/smp.c:635
 do_idle+0x26e/0x2b0 kernel/sched/idle.c:380
 cpu_startup_entry+0x24/0x30 kernel/sched/idle.c:451
 start_secondary+0x95/0xa0 arch/x86/kernel/smpboot.c:312
 common_startup_64+0x13e/0x147

read to 0xffff888277d2bfe8 of 16 bytes by interrupt on cpu 0:
 __watchdog_check_cpu_skew kernel/time/clocksource.c:419 [inline]
 watchdog_check_cpu_skew kernel/time/clocksource.c:438 [inline]
 clocksource_watchdog+0xc55/0xd80 kernel/time/clocksource.c:665
 call_timer_fn+0x3b/0x240 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2374 [inline]
 __run_timer_base+0x415/0x5f0 kernel/time/timer.c:2386
 run_timer_base kernel/time/timer.c:2395 [inline]
 run_timer_softirq+0x1d/0x70 kernel/time/timer.c:2403
 handle_softirqs+0xb9/0x280 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x42/0xd0 kernel/softirq.c:735
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0x74/0x80 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
 native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
 pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:62
 arch_safe_halt arch/x86/kernel/process.c:766 [inline]
 default_idle+0x9/0x20 arch/x86/kernel/process.c:767
 default_idle_call+0x3b/0x60 kernel/sched/idle.c:122
 cpuidle_idle_call kernel/sched/idle.c:199 [inline]
 do_idle+0x17f/0x2b0 kernel/sched/idle.c:352
 cpu_startup_entry+0x24/0x30 kernel/sched/idle.c:451
 rest_init+0xee/0xf0 init/main.c:762
 start_kernel+0x49f/0x4d0 init/main.c:1220
 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
 x86_64_start_kernel+0xfc/0x100 arch/x86/kernel/head64.c:291
 common_startup_64+0x13e/0x147

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #1 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
==================================================================
a20cf092-9add-4456-ae13-3ea12a8e5c0d assessment-security DenialOfService: ❌ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ✅ UserNamespace: ✅ VMGuestTrigger: ❌ VMHostTrigger: ❌ KCSAN: data-race in _copy_from_iter / bcm_can_tx 2026/05/16 03:25 2026/05/16 03:25 2026/05/16 03:29 efdaf0f9b8bfc56ea6d17bea15a64f4591cc712d
74442fb7-40d9-4e1e-8705-0fa53344aca5 assessment-kcsan Benign: ❌ Confident: ✅ KCSAN: data-race in _copy_from_iter / bcm_can_tx 2026/04/04 19:30 2026/04/04 19:30 2026/04/04 20:03 4440e7c2e964875f9e35dba6deda12c2195f19d3
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [can?] KCSAN: data-race in _copy_from_iter / bcm_can_tx 0 (1) 2026/04/06 20:57

Sample crash report:
==================================================================
BUG: KCSAN: data-race in _copy_from_iter / bcm_can_tx

read to 0xffff8881242845c0 of 72 bytes by interrupt on cpu 0:
 skb_put_data include/linux/skbuff.h:2813 [inline]
 bcm_can_tx+0x1b3/0x4c0 net/can/bcm.c:327
 bcm_tx_timeout_handler+0xe5/0x290 net/can/bcm.c:477
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x276/0x4f0 kernel/time/hrtimer.c:1994
 hrtimer_run_softirq+0xe2/0x520 kernel/time/hrtimer.c:2011
 handle_softirqs+0xb9/0x280 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x42/0xd0 kernel/softirq.c:735
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0x37/0x80 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

write to 0xffff8881242845c0 of 72 bytes by task 4914 on cpu 1:
 instrument_copy_from_user_before include/linux/instrumented.h:147 [inline]
 copy_from_user_iter lib/iov_iter.c:66 [inline]
 iterate_iovec include/linux/iov_iter.h:52 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:304 [inline]
 iterate_and_advance include/linux/iov_iter.h:330 [inline]
 __copy_from_iter lib/iov_iter.c:261 [inline]
 _copy_from_iter+0x258/0xea0 lib/iov_iter.c:272
 copy_from_iter include/linux/uio.h:228 [inline]
 copy_from_iter_full include/linux/uio.h:245 [inline]
 memcpy_from_msg include/linux/skbuff.h:4298 [inline]
 bcm_tx_setup+0xaeb/0xde0 net/can/bcm.c:965
 bcm_sendmsg+0x357/0x4a0 net/can/bcm.c:1433
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 ____sys_sendmsg+0x563/0x5b0 net/socket.c:2698
 ___sys_sendmsg+0x195/0x1e0 net/socket.c:2752
 __sys_sendmsg net/socket.c:2784 [inline]
 __do_sys_sendmsg net/socket.c:2789 [inline]
 __se_sys_sendmsg net/socket.c:2787 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2787
 x64_sys_call+0x194c/0x3020 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 4914 Comm: syz.4.421 Tainted: G        W           syzkaller #0 PREEMPT(full) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/04/24 23:59 upstream dd6c438c3e64 1c2b9291 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in _copy_from_iter / bcm_can_tx
2026/04/04 19:30 upstream 7ca6d1cfec80 4440e7c2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in _copy_from_iter / bcm_can_tx