[moderation] [can?] KCSAN: data-race in can_rcv_filter / can_rcv_filter (13)


syzbot

Sep 28, 2025, 8:33:25 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 8f9736633f8c Merge tag 'trace-v6.17-rc7' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16cdcae2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c7f65ba98bb01573
dashboard link: https://syzkaller.appspot.com/bug?extid=d92de0baa57e75f2d5d9
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
CC: [linu...@vger.kernel.org linux-...@vger.kernel.org m...@pengutronix.de sock...@hartkopp.net]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b74435919545/disk-8f973663.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/21519f724616/vmlinux-8f973663.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d8aaf14f3780/bzImage-8f973663.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d92de0...@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in can_rcv_filter / can_rcv_filter

read-write to 0xffff8881014626a8 of 8 bytes by interrupt on cpu 1:
deliver net/can/af_can.c:576 [inline]
can_rcv_filter+0xd9/0x4f0 net/can/af_can.c:602
can_receive+0x163/0x1c0 net/can/af_can.c:666
canfd_rcv+0xed/0x190 net/can/af_can.c:705
__netif_receive_skb_one_core net/core/dev.c:5991 [inline]
__netif_receive_skb+0x120/0x270 net/core/dev.c:6104
process_backlog+0x229/0x420 net/core/dev.c:6456
__napi_poll+0x66/0x310 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0x391/0x830 net/core/dev.c:7696
handle_softirqs+0xb7/0x290 kernel/softirq.c:579
do_softirq+0x5d/0x90 kernel/softirq.c:480
__local_bh_enable_ip+0x70/0x80 kernel/softirq.c:407
__raw_write_unlock_bh include/linux/rwlock_api_smp.h:281 [inline]
_raw_write_unlock_bh+0x1f/0x30 kernel/locking/spinlock.c:366
sock_orphan include/net/sock.h:2088 [inline]
pfkey_release+0x178/0x230 net/key/af_key.c:181
__sock_release net/socket.c:649 [inline]
sock_close+0x68/0x150 net/socket.c:1439
__fput+0x29b/0x650 fs/file_table.c:468
____fput+0x1c/0x30 fs/file_table.c:496
task_work_run+0x131/0x1a0 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe4/0x100 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x1d6/0x200 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

read-write to 0xffff8881014626a8 of 8 bytes by interrupt on cpu 0:
deliver net/can/af_can.c:576 [inline]
can_rcv_filter+0xd9/0x4f0 net/can/af_can.c:602
can_receive+0x163/0x1c0 net/can/af_can.c:666
canfd_rcv+0xed/0x190 net/can/af_can.c:705
__netif_receive_skb_one_core net/core/dev.c:5991 [inline]
__netif_receive_skb+0x120/0x270 net/core/dev.c:6104
process_backlog+0x229/0x420 net/core/dev.c:6456
__napi_poll+0x66/0x310 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0x391/0x830 net/core/dev.c:7696
handle_softirqs+0xb7/0x290 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:680
instr_sysvec_irq_work arch/x86/kernel/irq_work.c:17 [inline]
sysvec_irq_work+0x6b/0x80 arch/x86/kernel/irq_work.c:17
asm_sysvec_irq_work+0x1a/0x20 arch/x86/include/asm/idtentry.h:738
__wrmsrq arch/x86/include/asm/msr.h:80 [inline]
native_write_msr arch/x86/include/asm/msr.h:137 [inline]
wrmsrq arch/x86/include/asm/msr.h:199 [inline]
native_apic_msr_write+0x3d/0x60 arch/x86/include/asm/apic.h:212
apic_write arch/x86/include/asm/apic.h:405 [inline]
x2apic_send_IPI_self+0x10/0x20 arch/x86/kernel/apic/x2apic_phys.c:107
__apic_send_IPI_self arch/x86/include/asm/apic.h:455 [inline]
arch_irq_work_raise+0x46/0x50 arch/x86/kernel/irq_work.c:31
irq_work_raise kernel/irq_work.c:84 [inline]
__irq_work_queue_local+0x10f/0x2c0 kernel/irq_work.c:112
irq_work_queue+0x70/0x100 kernel/irq_work.c:124
bpf_send_signal_common+0x280/0x300 kernel/trace/bpf_trace.c:872
____bpf_send_signal kernel/trace/bpf_trace.c:881 [inline]
bpf_send_signal+0x1d/0x30 kernel/trace/bpf_trace.c:879
bpf_prog_631417f49dd64198+0x25/0x4c
bpf_dispatcher_nop_func include/linux/bpf.h:1332 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
bpf_trace_run2+0x107/0x1c0 kernel/trace/bpf_trace.c:2298
__traceiter_kfree+0x2e/0x50 include/trace/events/kmem.h:94
__do_trace_kfree include/trace/events/kmem.h:94 [inline]
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0x27b/0x320 mm/slub.c:4881
___sys_recvmsg+0x135/0x370 net/socket.c:2877
do_recvmmsg+0x1ef/0x540 net/socket.c:2971
__sys_recvmmsg net/socket.c:3045 [inline]
__do_sys_recvmmsg net/socket.c:3068 [inline]
__se_sys_recvmmsg net/socket.c:3061 [inline]
__x64_sys_recvmmsg+0xe5/0x170 net/socket.c:3061
x64_sys_call+0x27a6/0x2ff0 arch/x86/include/generated/asm/syscalls_64.h:300
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x000000000004ddc8 -> 0x000000000004ddc9

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 19336 Comm: syz.0.4427 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
==================================================================
==================================================================
BUG: KCSAN: data-race in can_rcv_filter / can_rcv_filter

read-write to 0xffff8881014626a8 of 8 bytes by interrupt on cpu 1:
deliver net/can/af_can.c:576 [inline]
can_rcv_filter+0xd9/0x4f0 net/can/af_can.c:602
can_receive+0x163/0x1c0 net/can/af_can.c:666
canfd_rcv+0xed/0x190 net/can/af_can.c:705
__netif_receive_skb_one_core net/core/dev.c:5991 [inline]
__netif_receive_skb+0x120/0x270 net/core/dev.c:6104
process_backlog+0x229/0x420 net/core/dev.c:6456
__napi_poll+0x66/0x310 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0x391/0x830 net/core/dev.c:7696
handle_softirqs+0xb7/0x290 kernel/softirq.c:579
do_softirq+0x5d/0x90 kernel/softirq.c:480
__local_bh_enable_ip+0x70/0x80 kernel/softirq.c:407
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:835 [inline]
nsim_dev_trap_report_work+0x52b/0x630 drivers/net/netdevsim/dev.c:866
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3319
worker_thread+0x582/0x770 kernel/workqueue.c:3400
kthread+0x486/0x510 kernel/kthread.c:463
ret_from_fork+0x11f/0x1b0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

read-write to 0xffff8881014626a8 of 8 bytes by interrupt on cpu 0:
deliver net/can/af_can.c:576 [inline]
can_rcv_filter+0xd9/0x4f0 net/can/af_can.c:602
can_receive+0x163/0x1c0 net/can/af_can.c:666
canfd_rcv+0xed/0x190 net/can/af_can.c:705
__netif_receive_skb_one_core net/core/dev.c:5991 [inline]
__netif_receive_skb+0x120/0x270 net/core/dev.c:6104
process_backlog+0x229/0x420 net/core/dev.c:6456
__napi_poll+0x66/0x310 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0x391/0x830 net/core/dev.c:7696
handle_softirqs+0xb7/0x290 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:680
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0x74/0x80 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
kcsan_setup_watchpoint+0x415/0x430 kernel/kcsan/core.c:705
bpf_reset_run_ctx include/linux/bpf.h:2259 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2260 [inline]
bpf_trace_run2+0x114/0x1c0 kernel/trace/bpf_trace.c:2298
__traceiter_kfree+0x2e/0x50 include/trace/events/kmem.h:94
__do_trace_kfree include/trace/events/kmem.h:94 [inline]
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0x27b/0x320 mm/slub.c:4881
___sys_recvmsg+0x135/0x370 net/socket.c:2877
do_recvmmsg+0x1ef/0x540 net/socket.c:2971
__sys_recvmmsg net/socket.c:3045 [inline]
__do_sys_recvmmsg net/socket.c:3068 [inline]
__se_sys_recvmmsg net/socket.c:3061 [inline]
__x64_sys_recvmmsg+0xe5/0x170 net/socket.c:3061
x64_sys_call+0x27a6/0x2ff0 arch/x86/include/generated/asm/syscalls_64.h:300
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x00000000000a41c7 -> 0x00000000000a41c8

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 19336 Comm: syz.0.4427 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
==================================================================
==================================================================
BUG: KCSAN: data-race in can_can_gw_rcv / can_can_gw_rcv

read-write to 0xffff88810a474020 of 4 bytes by interrupt on cpu 1:
can_can_gw_rcv+0x807/0x820 net/can/gw.c:566
deliver net/can/af_can.c:575 [inline]
can_rcv_filter+0xc4/0x4f0 net/can/af_can.c:602
can_receive+0x163/0x1c0 net/can/af_can.c:666
canfd_rcv+0xed/0x190 net/can/af_can.c:705
__netif_receive_skb_one_core net/core/dev.c:5991 [inline]
__netif_receive_skb+0x120/0x270 net/core/dev.c:6104
process_backlog+0x229/0x420 net/core/dev.c:6456
__napi_poll+0x66/0x310 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0x391/0x830 net/core/dev.c:7696
handle_softirqs+0xb7/0x290 kernel/softirq.c:579
do_softirq+0x5d/0x90 kernel/softirq.c:480
__local_bh_enable_ip+0x70/0x80 kernel/softirq.c:407
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:910 [inline]
mod_peer_timer drivers/net/wireguard/timers.c:38 [inline]
wg_timers_any_authenticated_packet_traversal+0xdd/0x100 drivers/net/wireguard/timers.c:218
wg_packet_create_data_done drivers/net/wireguard/send.c:247 [inline]
wg_packet_tx_worker+0xeb/0x330 drivers/net/wireguard/send.c:276
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3319
worker_thread+0x582/0x770 kernel/workqueue.c:3400
kthread+0x486/0x510 kernel/kthread.c:463
ret_from_fork+0x11f/0x1b0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

read-write to 0xffff88810a474020 of 4 bytes by interrupt on cpu 0:
can_can_gw_rcv+0x807/0x820 net/can/gw.c:566
deliver net/can/af_can.c:575 [inline]
can_rcv_filter+0xc4/0x4f0 net/can/af_can.c:602
can_receive+0x163/0x1c0 net/can/af_can.c:666
canfd_rcv+0xed/0x190 net/can/af_can.c:705
__netif_receive_skb_one_core net/core/dev.c:5991 [inline]
__netif_receive_skb+0x120/0x270 net/core/dev.c:6104
process_backlog+0x229/0x420 net/core/dev.c:6456
__napi_poll+0x66/0x310 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0x391/0x830 net/core/dev.c:7696
handle_softirqs+0xb7/0x290 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:680
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0x74/0x80 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
should_watch kernel/kcsan/core.c:280 [inline]
check_access kernel/kcsan/core.c:752 [inline]
__tsan_read_write8+0x14d/0x190 kernel/kcsan/core.c:1025
__import_iovec+0x321/0x540 lib/iov_iter.c:-1
import_iovec+0x61/0x80 lib/iov_iter.c:1523
copy_msghdr_from_user net/socket.c:2551 [inline]
recvmsg_copy_msghdr net/socket.c:2800 [inline]
___sys_recvmsg+0x358/0x370 net/socket.c:2872
do_recvmmsg+0x1ef/0x540 net/socket.c:2971
__sys_recvmmsg net/socket.c:3045 [inline]
__do_sys_recvmmsg net/socket.c:3068 [inline]
__se_sys_recvmmsg net/socket.c:3061 [inline]
__x64_sys_recvmmsg+0xe5/0x170 net/socket.c:3061
x64_sys_call+0x27a6/0x2ff0 arch/x86/include/generated/asm/syscalls_64.h:300
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x000aa2b1 -> 0x000aa2b2

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 19336 Comm: syz.0.4427 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
==================================================================
==================================================================
BUG: KCSAN: data-race in can_rcv_filter / can_rcv_filter

read-write to 0xffff8881014626a8 of 8 bytes by interrupt on cpu 1:
deliver net/can/af_can.c:576 [inline]
can_rcv_filter+0xd9/0x4f0 net/can/af_can.c:602
can_receive+0x163/0x1c0 net/can/af_can.c:666
canfd_rcv+0xed/0x190 net/can/af_can.c:705
__netif_receive_skb_one_core net/core/dev.c:5991 [inline]
__netif_receive_skb+0x120/0x270 net/core/dev.c:6104
process_backlog+0x229/0x420 net/core/dev.c:6456
__napi_poll+0x66/0x310 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0x391/0x830 net/core/dev.c:7696
handle_softirqs+0xb7/0x290 kernel/softirq.c:579
do_softirq+0x5d/0x90 kernel/softirq.c:480
__local_bh_enable_ip+0x70/0x80 kernel/softirq.c:407
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:835 [inline]
nsim_dev_trap_report_work+0x52b/0x630 drivers/net/netdevsim/dev.c:866
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3319
worker_thread+0x582/0x770 kernel/workqueue.c:3400
kthread+0x486/0x510 kernel/kthread.c:463
ret_from_fork+0x11f/0x1b0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

read-write to 0xffff8881014626a8 of 8 bytes by interrupt on cpu 0:
deliver net/can/af_can.c:576 [inline]
can_rcv_filter+0xd9/0x4f0 net/can/af_can.c:602
can_receive+0x163/0x1c0 net/can/af_can.c:666
canfd_rcv+0xed/0x190 net/can/af_can.c:705
__netif_receive_skb_one_core net/core/dev.c:5991 [inline]
__netif_receive_skb+0x120/0x270 net/core/dev.c:6104
process_backlog+0x229/0x420 net/core/dev.c:6456
__napi_poll+0x66/0x310 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0x391/0x830 net/core/dev.c:7696
handle_softirqs+0xb7/0x290 kernel/softirq.c:579
do_softirq+0x5d/0x90 kernel/softirq.c:480
__local_bh_enable_ip+0x70/0x80 kernel/softirq.c:407
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
batadv_nc_purge_paths+0x22b/0x270 net/batman-adv/network-coding.c:471
batadv_nc_worker+0x3d8/0xae0 net/batman-adv/network-coding.c:720
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3319
worker_thread+0x582/0x770 kernel/workqueue.c:3400
kthread+0x486/0x510 kernel/kthread.c:463
ret_from_fork+0x11f/0x1b0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

value changed: 0x00000000000f523e -> 0x00000000000f523f

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 4415 Comm: kworker/u8:15 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: bat_events batadv_nc_worker
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup