[moderation] [can?] KCSAN: data-race in can_receive / can_stat_update (12)


syzbot

Mar 9, 2025, 6:41:26 AM3/9/25
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 68763b29e0a6 Merge tag 'spi-fix-v6.14-rc2' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15fe59b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8889d5a0d6060f3
dashboard link: https://syzkaller.appspot.com/bug?extid=be0fffb1410569be5bb1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
CC: [linu...@vger.kernel.org linux-...@vger.kernel.org m...@pengutronix.de sock...@hartkopp.net]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c16c0ea5c802/disk-68763b29.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/01c9fd28dc40/vmlinux-68763b29.xz
kernel image: https://storage.googleapis.com/syzbot-assets/85508704f500/bzImage-68763b29.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+be0fff...@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in can_receive / can_stat_update

read-write to 0xffff888106d07e98 of 8 bytes by interrupt on cpu 1:
can_receive+0x1b6/0x1f0 net/can/af_can.c:672
can_rcv+0xe7/0x180 net/can/af_can.c:688
__netif_receive_skb_one_core net/core/dev.c:5828 [inline]
__netif_receive_skb+0x123/0x280 net/core/dev.c:5941
process_backlog+0x22e/0x440 net/core/dev.c:6289
__napi_poll+0x63/0x3c0 net/core/dev.c:7106
napi_poll net/core/dev.c:7175 [inline]
net_rx_action+0x3a1/0x7f0 net/core/dev.c:7297
handle_softirqs+0xbf/0x280 kernel/softirq.c:561
run_ksoftirqd+0x1c/0x30 kernel/softirq.c:950
smpboot_thread_fn+0x31c/0x4c0 kernel/smpboot.c:164
kthread+0x4ae/0x520 kernel/kthread.c:464
ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

read to 0xffff888106d07e98 of 8 bytes by interrupt on cpu 0:
can_stat_update+0x382/0x7f0 net/can/proc.c:138
call_timer_fn+0x3a/0x300 kernel/time/timer.c:1789
expire_timers kernel/time/timer.c:1840 [inline]
__run_timers kernel/time/timer.c:2414 [inline]
__run_timer_base+0x417/0x640 kernel/time/timer.c:2426
run_timer_base kernel/time/timer.c:2435 [inline]
run_timer_softirq+0x31/0x70 kernel/time/timer.c:2445
handle_softirqs+0xbf/0x280 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:662
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0x73/0x80 arch/x86/kernel/apic/apic.c:1049
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
constant_test_bit arch/x86/include/asm/bitops.h:206 [inline]
arch_test_bit arch/x86/include/asm/bitops.h:238 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
folio_test_swapbacked include/linux/page-flags.h:537 [inline]
folio_test_swapcache include/linux/page-flags.h:584 [inline]
free_swap_cache mm/swap_state.c:291 [inline]
free_pages_and_swap_cache+0xf9/0x400 mm/swap_state.c:324
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:389 [inline]
tlb_flush_mmu+0x2cf/0x440 mm/mmu_gather.c:396
zap_pte_range mm/memory.c:1770 [inline]
zap_pmd_range mm/memory.c:1823 [inline]
zap_pud_range mm/memory.c:1852 [inline]
zap_p4d_range mm/memory.c:1873 [inline]
unmap_page_range+0x2222/0x26c0 mm/memory.c:1894
unmap_single_vma+0x142/0x1d0 mm/memory.c:1940
unmap_vmas+0x18d/0x2b0 mm/memory.c:1984
exit_mmap+0x1ae/0x6d0 mm/mmap.c:1284
__mmput+0x28/0x1d0 kernel/fork.c:1356
mmput+0x4c/0x60 kernel/fork.c:1378
exit_mm+0xe4/0x190 kernel/exit.c:570
do_exit+0x559/0x17f0 kernel/exit.c:925
do_group_exit+0x102/0x150 kernel/exit.c:1087
get_signal+0xeb9/0x1000 kernel/signal.c:3036
arch_do_signal_or_restart+0x95/0x4b0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x62/0x120 kernel/entry/common.c:218
do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x0000000000001621 -> 0x0000000000001622

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 5649 Comm: syz.0.896 Not tainted 6.14.0-rc2-syzkaller-00162-g68763b29e0a6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

May 7, 2025, 9:47:23 AM5/7/25
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.