[moderation] [wireguard?] KCSAN: data-race in wg_expired_retransmit_handshake / wg_packet_send_queued_handshake_initiation (3)
1 view
Skip to first unread message
syzbot
Jan 6, 2026, 9:04:27 AM (yesterday) Jan 6
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 805f9a061372 Merge tag 'perf-tools-fixes-for-v6.19-2026-01..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130ad69a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b319ff1b6a2797ca
dashboard link: https://syzkaller.appspot.com/bug?extid=4ca4b3947732ae465350
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
CC: [Ja...@zx2c4.com andrew...@lunn.ch da...@davemloft.net edum...@google.com ku...@kernel.org linux-...@vger.kernel.org net...@vger.kernel.org pab...@redhat.com wire...@lists.zx2c4.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/08267c23dc87/disk-805f9a06.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6cd580254f4b/vmlinux-805f9a06.xz
kernel image: https://storage.googleapis.com/syzbot-assets/911f7705c0e2/bzImage-805f9a06.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4ca4b3...@syzkaller.appspotmail.com
==================================================================
BUG: KCSAN: data-race in wg_expired_retransmit_handshake / wg_packet_send_queued_handshake_initiation
write to 0xffff88811ac8a458 of 4 bytes by interrupt on cpu 0:
wg_packet_send_queued_handshake_initiation+0x32/0x180 drivers/net/wireguard/send.c:59
wg_expired_new_handshake+0x26/0x30 drivers/net/wireguard/timers.c:104
call_timer_fn+0x3b/0x290 kernel/time/timer.c:1748
expire_timers kernel/time/timer.c:1799 [inline]
__run_timers kernel/time/timer.c:2373 [inline]
__run_timer_base+0x415/0x610 kernel/time/timer.c:2385
run_timer_base kernel/time/timer.c:2394 [inline]
run_timer_softirq+0x31/0x70 kernel/time/timer.c:2404
handle_softirqs+0xba/0x290 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:723
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x74/0x80 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
__sanitizer_cov_trace_pc+0x5d/0x70 kernel/kcov.c:233
sock_recvmsg_nosec+0x17/0x130 net/socket.c:1077
____sys_recvmsg+0x26f/0x280 net/socket.c:2810
___sys_recvmsg+0x11f/0x370 net/socket.c:2854
do_recvmmsg+0x1ef/0x540 net/socket.c:2949
__sys_recvmmsg net/socket.c:3023 [inline]
__do_sys_recvmmsg net/socket.c:3046 [inline]
__se_sys_recvmmsg net/socket.c:3039 [inline]
__x64_sys_recvmmsg+0xe5/0x170 net/socket.c:3039
x64_sys_call+0x2b75/0x3000 arch/x86/include/generated/asm/syscalls_64.h:300
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
write to 0xffff88811ac8a458 of 4 bytes by interrupt on cpu 1:
wg_expired_retransmit_handshake+0x81/0x160 drivers/net/wireguard/timers.c:64
call_timer_fn+0x3b/0x290 kernel/time/timer.c:1748
expire_timers kernel/time/timer.c:1799 [inline]
__run_timers kernel/time/timer.c:2373 [inline]
__run_timer_base+0x415/0x610 kernel/time/timer.c:2385
run_timer_base kernel/time/timer.c:2394 [inline]
run_timer_softirq+0x31/0x70 kernel/time/timer.c:2404
handle_softirqs+0xba/0x290 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:723
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x74/0x80 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
finish_task_switch+0x83/0x2a0 kernel/sched/core.c:5114
context_switch kernel/sched/core.c:5259 [inline]
__schedule+0x85f/0xcd0 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0x5f/0xd0 kernel/sched/core.c:6960
schedule_timeout+0x53/0x170 kernel/time/sleep_timeout.c:75
unix_wait_for_peer+0x113/0x170 net/unix/af_unix.c:1618
unix_dgram_sendmsg+0x8bc/0xfd0 net/unix/af_unix.c:2250
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x145/0x180 net/socket.c:742
____sys_sendmsg+0x345/0x4a0 net/socket.c:2592
___sys_sendmsg+0x17b/0x1d0 net/socket.c:2646
__sys_sendmmsg+0x178/0x300 net/socket.c:2735
__do_sys_sendmmsg net/socket.c:2762 [inline]
__se_sys_sendmmsg net/socket.c:2759 [inline]
__x64_sys_sendmmsg+0x57/0x70 net/socket.c:2759
x64_sys_call+0x1e28/0x3000 arch/x86/include/generated/asm/syscalls_64.h:308
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x00000003 -> 0x00000000
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 4651 Comm: syz.0.321 Tainted: G W syzkaller #0 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 805f9a061372 Merge tag 'perf-tools-fixes-for-v6.19-2026-01..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130ad69a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b319ff1b6a2797ca
dashboard link: https://syzkaller.appspot.com/bug?extid=4ca4b3947732ae465350
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
CC: [Ja...@zx2c4.com andrew...@lunn.ch da...@davemloft.net edum...@google.com ku...@kernel.org linux-...@vger.kernel.org net...@vger.kernel.org pab...@redhat.com wire...@lists.zx2c4.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/08267c23dc87/disk-805f9a06.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6cd580254f4b/vmlinux-805f9a06.xz
kernel image: https://storage.googleapis.com/syzbot-assets/911f7705c0e2/bzImage-805f9a06.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4ca4b3...@syzkaller.appspotmail.com
==================================================================
BUG: KCSAN: data-race in wg_expired_retransmit_handshake / wg_packet_send_queued_handshake_initiation
write to 0xffff88811ac8a458 of 4 bytes by interrupt on cpu 0:
wg_packet_send_queued_handshake_initiation+0x32/0x180 drivers/net/wireguard/send.c:59
wg_expired_new_handshake+0x26/0x30 drivers/net/wireguard/timers.c:104
call_timer_fn+0x3b/0x290 kernel/time/timer.c:1748
expire_timers kernel/time/timer.c:1799 [inline]
__run_timers kernel/time/timer.c:2373 [inline]
__run_timer_base+0x415/0x610 kernel/time/timer.c:2385
run_timer_base kernel/time/timer.c:2394 [inline]
run_timer_softirq+0x31/0x70 kernel/time/timer.c:2404
handle_softirqs+0xba/0x290 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:723
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x74/0x80 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
__sanitizer_cov_trace_pc+0x5d/0x70 kernel/kcov.c:233
sock_recvmsg_nosec+0x17/0x130 net/socket.c:1077
____sys_recvmsg+0x26f/0x280 net/socket.c:2810
___sys_recvmsg+0x11f/0x370 net/socket.c:2854
do_recvmmsg+0x1ef/0x540 net/socket.c:2949
__sys_recvmmsg net/socket.c:3023 [inline]
__do_sys_recvmmsg net/socket.c:3046 [inline]
__se_sys_recvmmsg net/socket.c:3039 [inline]
__x64_sys_recvmmsg+0xe5/0x170 net/socket.c:3039
x64_sys_call+0x2b75/0x3000 arch/x86/include/generated/asm/syscalls_64.h:300
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
write to 0xffff88811ac8a458 of 4 bytes by interrupt on cpu 1:
wg_expired_retransmit_handshake+0x81/0x160 drivers/net/wireguard/timers.c:64
call_timer_fn+0x3b/0x290 kernel/time/timer.c:1748
expire_timers kernel/time/timer.c:1799 [inline]
__run_timers kernel/time/timer.c:2373 [inline]
__run_timer_base+0x415/0x610 kernel/time/timer.c:2385
run_timer_base kernel/time/timer.c:2394 [inline]
run_timer_softirq+0x31/0x70 kernel/time/timer.c:2404
handle_softirqs+0xba/0x290 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x3a/0xc0 kernel/softirq.c:723
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x74/0x80 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
finish_task_switch+0x83/0x2a0 kernel/sched/core.c:5114
context_switch kernel/sched/core.c:5259 [inline]
__schedule+0x85f/0xcd0 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0x5f/0xd0 kernel/sched/core.c:6960
schedule_timeout+0x53/0x170 kernel/time/sleep_timeout.c:75
unix_wait_for_peer+0x113/0x170 net/unix/af_unix.c:1618
unix_dgram_sendmsg+0x8bc/0xfd0 net/unix/af_unix.c:2250
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x145/0x180 net/socket.c:742
____sys_sendmsg+0x345/0x4a0 net/socket.c:2592
___sys_sendmsg+0x17b/0x1d0 net/socket.c:2646
__sys_sendmmsg+0x178/0x300 net/socket.c:2735
__do_sys_sendmmsg net/socket.c:2762 [inline]
__se_sys_sendmmsg net/socket.c:2759 [inline]
__x64_sys_sendmmsg+0x57/0x70 net/socket.c:2759
x64_sys_call+0x1e28/0x3000 arch/x86/include/generated/asm/syscalls_64.h:308
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x00000003 -> 0x00000000
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 4651 Comm: syz.0.321 Tainted: G W syzkaller #0 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages