Hello,
syzbot found the following issue on:
HEAD commit: d0c3bcd5b897 Merge tag 'libcrypto-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11af0302580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3a78dd265deac3a9
dashboard link: https://syzkaller.appspot.com/bug?extid=648f94dd38904eae4be7
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2fc468d174ba/disk-d0c3bcd5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a28862469460/vmlinux-d0c3bcd5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/57a109709002/bzImage-d0c3bcd5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+648f94...@syzkaller.appspotmail.com
==================================================================
BUG: KCSAN: data-race in copy_mm / percpu_counter_add_batch
read-write to 0xffff88812b22d5c8 of 8 bytes by task 26440 on cpu 0:
percpu_counter_add_batch+0x105/0x130 lib/percpu_counter.c:107
percpu_counter_add include/linux/percpu_counter.h:71 [inline]
percpu_counter_inc include/linux/percpu_counter.h:267 [inline]
inc_mm_counter include/linux/mm.h:3084 [inline]
wp_page_copy mm/memory.c:3825 [inline]
do_wp_page+0x1416/0x2590 mm/memory.c:4241
handle_pte_fault mm/memory.c:6333 [inline]
__handle_mm_fault mm/memory.c:6455 [inline]
handle_mm_fault+0x8cb/0x3020 mm/memory.c:6624
do_user_addr_fault+0x3fd/0x1050 arch/x86/mm/fault.c:1385
handle_page_fault arch/x86/mm/fault.c:1474 [inline]
exc_page_fault+0x62/0xa0 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
rep_movs_alternative+0x4a/0x90 arch/x86/lib/copy_user_64.S:68
copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
copy_to_user_iter lib/iov_iter.c:25 [inline]
iterate_ubuf include/linux/iov_iter.h:30 [inline]
iterate_and_advance2 include/linux/iov_iter.h:302 [inline]
iterate_and_advance include/linux/iov_iter.h:330 [inline]
_copy_to_iter+0x141/0xea0 lib/iov_iter.c:197
copy_to_iter include/linux/uio.h:220 [inline]
simple_copy_to_iter net/core/datagram.c:521 [inline]
__skb_datagram_iter+0x2f4/0x680 net/core/datagram.c:435
skb_copy_datagram_iter+0x3f/0x120 net/core/datagram.c:535
skb_copy_datagram_msg include/linux/skbuff.h:4218 [inline]
unix_stream_read_actor+0x43/0x70 net/unix/af_unix.c:3109
unix_stream_read_generic+0x6e9/0x1630 net/unix/af_unix.c:3029
unix_stream_recvmsg+0xff/0x130 net/unix/af_unix.c:3146
sock_recvmsg_nosec net/socket.c:1078 [inline]
sock_recvmsg+0xf5/0x120 net/socket.c:1100
____sys_recvmsg+0xf5/0x280 net/socket.c:2812
___sys_recvmsg+0x11f/0x3b0 net/socket.c:2854
__sys_recvmsg net/socket.c:2887 [inline]
__do_sys_recvmsg net/socket.c:2893 [inline]
__se_sys_recvmsg net/socket.c:2890 [inline]
__x64_sys_recvmsg+0xd1/0x160 net/socket.c:2890
x64_sys_call+0x2b1a/0x3020 arch/x86/include/generated/asm/syscalls_64.h:48
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88812b22d100 of 1664 bytes by task 26447 on cpu 1:
dup_mm kernel/fork.c:1525 [inline]
copy_mm+0xe1/0x370 kernel/fork.c:1583
copy_process+0xe22/0x20b0 kernel/fork.c:2223
kernel_clone+0x16b/0x5d0 kernel/fork.c:2653
__do_sys_clone kernel/fork.c:2794 [inline]
__se_sys_clone kernel/fork.c:2778 [inline]
__x64_sys_clone+0x143/0x180 kernel/fork.c:2778
x64_sys_call+0x1222/0x3020 arch/x86/include/generated/asm/syscalls_64.h:57
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 26447 Comm: syz.1.8317 Tainted: G W syzkaller #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup