Hello,
syzbot found the following issue on:
HEAD commit: c2f2b01b74be Merge tag 'i3c/for-6.19' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=146a721a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c3201432211be40f
dashboard link: https://syzkaller.appspot.com/bug?extid=2e61cdf6db1b925f4a68
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
CC: [anna-...@linutronix.de fred...@kernel.org linux-...@vger.kernel.org tg...@linutronix.de]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/15a5e839a554/disk-c2f2b01b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/038ca01b3a1e/vmlinux-c2f2b01b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1b489de2e6a0/bzImage-c2f2b01b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e61cd...@syzkaller.appspotmail.com
==================================================================
BUG: KCSAN: data-race in advance_sched / taprio_dequeue_from_txq
write to 0xffff88811b63cac0 of 8 bytes by interrupt on cpu 1:
advance_sched+0x2d1/0x6a0 net/sched/sch_taprio.c:-1
__run_hrtimer kernel/time/hrtimer.c:1777 [inline]
__hrtimer_run_queues+0x20f/0x5a0 kernel/time/hrtimer.c:1841
hrtimer_interrupt+0x21a/0x460 kernel/time/hrtimer.c:1903
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
__sysvec_apic_timer_interrupt+0x5f/0x1d0 arch/x86/kernel/apic/apic.c:1062
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x6f/0x80 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
native_pause arch/x86/include/asm/vdso/processor.h:13 [inline]
cpu_relax arch/x86/include/asm/vdso/processor.h:18 [inline]
pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:433 [inline]
__pv_queued_spin_lock_slowpath+0x320/0x800 kernel/locking/qspinlock.c:325
queued_spin_lock_slowpath+0x27/0x40 arch/x86/include/asm/qspinlock.h:52
queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
do_raw_spin_lock include/linux/spinlock.h:187 [inline]
__raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
_raw_spin_lock+0x98/0xa0 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
net_tx_action+0x2ab/0x590 net/core/dev.c:5765
handle_softirqs+0xba/0x290 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:723
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x37/0x80 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
read to 0xffff88811b63cac0 of 8 bytes by task 31 on cpu 0:
taprio_entry_allows_tx net/sched/sch_taprio.c:167 [inline]
taprio_dequeue_from_txq+0x348/0x490 net/sched/sch_taprio.c:743
taprio_dequeue_tc_priority net/sched/sch_taprio.c:793 [inline]
taprio_dequeue+0x17f/0x5d0 net/sched/sch_taprio.c:857
dequeue_skb net/sched/sch_generic.c:297 [inline]
qdisc_restart net/sched/sch_generic.c:402 [inline]
__qdisc_run+0x193/0xc90 net/sched/sch_generic.c:420
qdisc_run include/net/pkt_sched.h:120 [inline]
__dev_xmit_skb net/core/dev.c:4250 [inline]
__dev_queue_xmit+0x1206/0x1ec0 net/core/dev.c:4783
dev_queue_xmit include/linux/netdevice.h:3381 [inline]
vlan_dev_hard_start_xmit+0x201/0x2c0 net/8021q/vlan_dev.c:126
__netdev_start_xmit include/linux/netdevice.h:5273 [inline]
netdev_start_xmit include/linux/netdevice.h:5282 [inline]
xmit_one net/core/dev.c:3853 [inline]
dev_hard_start_xmit+0x125/0x3e0 net/core/dev.c:3869
__dev_queue_xmit+0xda9/0x1ec0 net/core/dev.c:4817
dev_queue_xmit include/linux/netdevice.h:3381 [inline]
neigh_connected_output+0x253/0x2c0 net/core/neighbour.c:1623
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xa5f/0xd10 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x3a4/0x540 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x10a/0x250 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:464 [inline]
NF_HOOK include/linux/netfilter.h:318 [inline]
ndisc_send_skb+0x50f/0x760 net/ipv6/ndisc.c:512
ndisc_send_rs+0x2e7/0x360 net/ipv6/ndisc.c:722
addrconf_dad_completed+0x60d/0x890 net/ipv6/addrconf.c:4360
addrconf_dad_work+0x8ac/0xbf0 net/ipv6/addrconf.c:-1
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
worker_thread+0x582/0x770 kernel/workqueue.c:3421
kthread+0x489/0x510 kernel/kthread.c:463
ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
value changed: 0x187f636dc7253c8d -> 0x187f636dc725bc8e
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 31 Comm: kworker/u8:1 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ipv6_addrconf addrconf_dad_work
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup