syzbot


KCSAN: data-race in bond_compute_features / l3mdev_master_ifindex_rcu

Status: auto-obsoleted due to no activity on 2025/08/01 08:28
Subsystems: net
First crash: 83d, last: 83d

Sample crash report:
netlink: 'syz.4.8259': attribute type 10 has an invalid length.
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KCSAN: data-race in bond_compute_features / l3mdev_master_ifindex_rcu

read to 0xffff888119242000 of 8 bytes by interrupt on cpu 1:
 netif_is_l3_master include/linux/netdevice.h:5388 [inline]
 l3mdev_master_ifindex_rcu+0x1e/0xc0 net/l3mdev/l3mdev.c:117
 ipv6_dev_get_saddr+0x189/0x440 net/ipv6/addrconf.c:1886
 ip6_route_get_saddr include/net/ip6_route.h:147 [inline]
 ip6_dst_lookup_tail+0x3d3/0xab0 net/ipv6/ip6_output.c:1133
 ip6_dst_lookup+0x3c/0x50 net/ipv6/ip6_output.c:1237
 icmpv6_route_lookup+0x6a/0x3e0 net/ipv6/icmp.c:363
 icmp6_send+0xc54/0x1050 net/ipv6/icmp.c:604
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x29/0x110 net/ipv6/route.c:2843
 dst_link_failure include/net/dst.h:429 [inline]
 ndisc_error_report+0x65/0xa0 net/ipv6/ndisc.c:733
 neigh_invalidate+0x160/0x290 net/core/neighbour.c:1008
 neigh_timer_handler+0x479/0x7d0 net/core/neighbour.c:1095
 call_timer_fn+0x3b/0x2c0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x415/0x610 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0x31/0x70 kernel/time/timer.c:2403
 handle_softirqs+0xb7/0x290 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:680
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0x74/0x80 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
 x64_sys_call+0x1988/0x2fb0 arch/x86/entry/syscall_64.c:41
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

write to 0xffff888119242000 of 8 bytes by task 29351 on cpu 0:
 bond_compute_features+0x422/0x460 drivers/net/bonding/bond_main.c:-1
 bond_enslave+0x1824/0x2160 drivers/net/bonding/bond_main.c:2356
 do_set_master+0x38d/0x460 net/core/rtnetlink.c:2946
 do_setlink+0xa43/0x2810 net/core/rtnetlink.c:3148
 rtnl_changelink net/core/rtnetlink.c:3759 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3918 [inline]
 rtnl_newlink+0xe75/0x12d0 net/core/rtnetlink.c:4055
 rtnetlink_rcv_msg+0x5fb/0x6d0 net/core/rtnetlink.c:6944
 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2534
 rtnetlink_rcv+0x1c/0x30 net/core/rtnetlink.c:6971
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x59e/0x670 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x58b/0x6b0 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x145/0x180 net/socket.c:727
 ____sys_sendmsg+0x31e/0x4e0 net/socket.c:2566
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2655
 x64_sys_call+0x2999/0x2fb0 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 29351 Comm: syz.4.8259 Not tainted 6.15.0-syzkaller-12426-ge271ed52b344 #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
==================================================================
bond0: (slave batadv0): Enslaving as an active interface with an up link
xt_TPROXY: Can be used only with -p tcp or -p udp
netlink: 'syz.4.8259': attribute type 10 has an invalid length.
netlink: 40 bytes leftover after parsing attributes in process `syz.4.8259'.
batadv0: entered allmulticast mode
bond0: (slave batadv0): Releasing backup interface
A link change request failed with some changes committed already. Interface batadv0 may have been left with an inconsistent configuration, please check.

Crashes (1):
Time: 2025/06/06 08:26
Kernel: upstream
Commit: e271ed52b344
Syzkaller: 6b6b5f21
Config: .config
Log: console log
Report: report
VM info: info
Assets: [disk image] [vmlinux] [kernel image]
Manager: ci2-upstream-kcsan-gce
Title: KCSAN: data-race in bond_compute_features / l3mdev_master_ifindex_rcu