[moderation] [io-uring?] KCSAN: data-race in io_waitid_complete / io_waitid_wait


syzbot

1:05 PM (3 hours ago)
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: d358e5254674 Merge tag 'for-6.19/dm-changes' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10d5c1b4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9230b46da882b43c
dashboard link: https://syzkaller.appspot.com/bug?extid=eb441775f4f948a0902f
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
CC: [ax...@kernel.dk io-u...@vger.kernel.org linux-...@vger.kernel.org]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4f60a2fdbe51/disk-d358e525.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/127ec1e804fb/vmlinux-d358e525.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2402e3e45961/bzImage-d358e525.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+eb4417...@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in io_waitid_complete / io_waitid_wait

write to 0xffff888128852518 of 8 bytes by task 10094 on cpu 0:
io_waitid_wait+0xb5/0x130 io_uring/waitid.c:249
__wake_up_common kernel/sched/wait.c:108 [inline]
__wake_up_common_lock kernel/sched/wait.c:125 [inline]
__wake_up_sync_key+0x52/0x80 kernel/sched/wait.c:192
__wake_up_parent+0x36/0x40 kernel/exit.c:1613
do_notify_parent+0x4e8/0x560 kernel/signal.c:2260
exit_notify kernel/exit.c:758 [inline]
do_exit+0xc01/0x15d0 kernel/exit.c:983
__do_sys_exit kernel/exit.c:1079 [inline]
__se_sys_exit kernel/exit.c:1077 [inline]
__x64_sys_exit+0x1f/0x20 kernel/exit.c:1077
x64_sys_call+0x2fe7/0x3000 arch/x86/include/generated/asm/syscalls_64.h:61
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

write to 0xffff888128852518 of 8 bytes by task 31 on cpu 1:
io_waitid_remove_wq io_uring/waitid.c:121 [inline]
io_waitid_complete+0xdf/0x220 io_uring/waitid.c:138
__io_waitid_cancel+0x50/0xa0 io_uring/waitid.c:162
io_cancel_remove_all+0x266/0x2b0 io_uring/cancel.c:362
io_waitid_remove_all+0x31/0x40 io_uring/waitid.c:176
io_uring_try_cancel_requests+0x289/0x310 io_uring/cancel.c:550
io_ring_exit_work+0x14b/0x520 io_uring/io_uring.c:3006
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
worker_thread+0x582/0x770 kernel/workqueue.c:3421
kthread+0x489/0x510 kernel/kthread.c:463
ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

value changed: 0xffff888103a5f1a0 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 31 Comm: kworker/u8:1 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: iou_exit io_ring_exit_work
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup