syzbot

 sign-in | mailing list | source | docs
🐞 Open [871] Subsystems 🐞 Fixed [4875] 🐞 Invalid [11634] Missing Backports [68] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KCSAN: data-race in xfrmi_xmit / xfrmi_xmit (3)

Status: premoderation: reported on 2023/09/02 18:47
Subsystems: net
[Documentation on labels]
Fix commit: f7c4e3e5d4f6 xfrm: interface: use DEV_STATS_INC()
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 89d, last: 65d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KCSAN: data-race in xfrmi_xmit / xfrmi_xmit (2) net 1 270d 270d 0/25 auto-obsoleted due to no activity on 2023/04/17 04:19
upstream KCSAN: data-race in xfrmi_xmit / xfrmi_xmit net 1 340d 340d 0/25 auto-obsoleted due to no activity on 2023/02/05 20:34

Sample crash report:
==================================================================
BUG: KCSAN: data-race in xfrmi_xmit / xfrmi_xmit

read-write to 0xffff888138907170 of 8 bytes by task 22475 on cpu 0:
 xfrmi_xmit+0x76e/0xb20 net/xfrm/xfrm_interface_core.c:584
 __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
 netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 xmit_one net/core/dev.c:3544 [inline]
 dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
 __dev_queue_xmit+0xf27/0x1e20 net/core/dev.c:4340
 dev_queue_xmit include/linux/netdevice.h:3082 [inline]
 neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1581
 neigh_output include/net/neighbour.h:542 [inline]
 ip_finish_output2+0x773/0x880 net/ipv4/ip_output.c:233
 ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:321
 NF_HOOK_COND include/linux/netfilter.h:293 [inline]
 ip_output+0xab/0x170 net/ipv4/ip_output.c:431
 dst_output include/net/dst.h:458 [inline]
 ip_local_out+0x64/0x80 net/ipv4/ip_output.c:127
 iptunnel_xmit+0x344/0x460 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662
 __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
 netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 xmit_one net/core/dev.c:3544 [inline]
 dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
 __dev_queue_xmit+0xf27/0x1e20 net/core/dev.c:4340
 dev_queue_xmit include/linux/netdevice.h:3082 [inline]
 __bpf_tx_skb net/core/filter.c:2129 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2159 [inline]
 __bpf_redirect+0x723/0x9c0 net/core/filter.c:2182
 ____bpf_clone_redirect net/core/filter.c:2453 [inline]
 bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425
 ___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954
 __bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195
 bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline]
 __bpf_prog_run include/linux/filter.h:609 [inline]
 bpf_prog_run include/linux/filter.h:616 [inline]
 bpf_test_run+0x16b/0x3f0 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1046
 bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996
 __sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353
 __do_sys_bpf kernel/bpf/syscall.c:5439 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5437 [inline]
 __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

read-write to 0xffff888138907170 of 8 bytes by task 22474 on cpu 1:
 xfrmi_xmit+0x76e/0xb20 net/xfrm/xfrm_interface_core.c:584
 __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
 netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 xmit_one net/core/dev.c:3544 [inline]
 dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
 __dev_queue_xmit+0xf27/0x1e20 net/core/dev.c:4340
 dev_queue_xmit include/linux/netdevice.h:3082 [inline]
 neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1581
 neigh_output include/net/neighbour.h:542 [inline]
 ip_finish_output2+0x773/0x880 net/ipv4/ip_output.c:233
 ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:321
 NF_HOOK_COND include/linux/netfilter.h:293 [inline]
 ip_output+0xab/0x170 net/ipv4/ip_output.c:431
 dst_output include/net/dst.h:458 [inline]
 ip_local_out+0x64/0x80 net/ipv4/ip_output.c:127
 iptunnel_xmit+0x344/0x460 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662
 __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
 netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 xmit_one net/core/dev.c:3544 [inline]
 dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
 __dev_queue_xmit+0xf27/0x1e20 net/core/dev.c:4340
 dev_queue_xmit include/linux/netdevice.h:3082 [inline]
 __bpf_tx_skb net/core/filter.c:2129 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2159 [inline]
 __bpf_redirect+0x723/0x9c0 net/core/filter.c:2182
 ____bpf_clone_redirect net/core/filter.c:2453 [inline]
 bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425
 ___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954
 __bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195
 bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline]
 __bpf_prog_run include/linux/filter.h:609 [inline]
 bpf_prog_run include/linux/filter.h:616 [inline]
 bpf_test_run+0x16b/0x3f0 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1046
 bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996
 __sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353
 __do_sys_bpf kernel/bpf/syscall.c:5439 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5437 [inline]
 __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x0000000000002185 -> 0x0000000000002186

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 22474 Comm: syz-executor.2 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
==================================================================
syz-executor.2 (22474) used greatest stack depth: 9096 bytes left

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/09/26 15:49 upstream 6465e260f487 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in xfrmi_xmit / xfrmi_xmit
2023/09/02 18:46 upstream 0468be89b3fa 696ea0d2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in xfrmi_xmit / xfrmi_xmit
* Struck through repros no longer work on HEAD.