[moderation] [bpf?] KCSAN: data-race in bcmp / stack_map_get_build_id_offset


syzbot

Sep 22, 2025, 6:49:27 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 07e27ad16399 Linux 6.17-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17e928e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6e0c213d0735f5dd
dashboard link: https://syzkaller.appspot.com/bug?extid=0462708d433602258c29
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
CC: [and...@kernel.org a...@kernel.org b...@vger.kernel.org dan...@iogearbox.net edd...@gmail.com hao...@google.com john.fa...@gmail.com jo...@kernel.org kps...@kernel.org linux-...@vger.kernel.org marti...@linux.dev s...@fomichev.me so...@kernel.org yongho...@linux.dev]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/13f1b7910f3d/disk-07e27ad1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0a177c590a0f/vmlinux-07e27ad1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2ca3d6e8d07f/bzImage-07e27ad1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+046270...@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in bcmp / stack_map_get_build_id_offset

write to 0xffff88811a1d89a0 of 4 bytes by task 5977 on cpu 0:
stack_map_get_build_id_offset+0x46b/0x570 kernel/bpf/stackmap.c:160
__bpf_get_stackid+0x617/0x800 kernel/bpf/stackmap.c:266
____bpf_get_stackid kernel/bpf/stackmap.c:324 [inline]
bpf_get_stackid+0xee/0x120 kernel/bpf/stackmap.c:300
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
bpf_get_stackid_raw_tp+0xf6/0x120 kernel/trace/bpf_trace.c:1799
bpf_prog_33c66cfd8c9e7eb0+0x2a/0x32
bpf_dispatcher_nop_func include/linux/bpf.h:1332 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
bpf_trace_run4+0x114/0x1d0 kernel/trace/bpf_trace.c:2300
__do_trace_mm_page_alloc include/trace/events/kmem.h:177 [inline]
trace_mm_page_alloc include/trace/events/kmem.h:177 [inline]
__alloc_frozen_pages_noprof+0x32d/0x360 mm/page_alloc.c:5170
alloc_pages_mpol+0xb3/0x250 mm/mempolicy.c:2416
folio_alloc_mpol_noprof+0x39/0x80 mm/mempolicy.c:2435
shmem_alloc_folio mm/shmem.c:1908 [inline]
shmem_alloc_and_add_folio mm/shmem.c:1947 [inline]
shmem_get_folio_gfp+0x3cf/0xd60 mm/shmem.c:2597
shmem_fault+0xf6/0x250 mm/shmem.c:2798
__do_fault+0xbc/0x200 mm/memory.c:5152
do_read_fault mm/memory.c:5573 [inline]
do_fault mm/memory.c:5707 [inline]
do_pte_missing mm/memory.c:4234 [inline]
handle_pte_fault mm/memory.c:6052 [inline]
__handle_mm_fault mm/memory.c:6195 [inline]
handle_mm_fault+0xf78/0x2c20 mm/memory.c:6364
faultin_page mm/gup.c:1144 [inline]
__get_user_pages+0x102e/0x1fa0 mm/gup.c:1446
populate_vma_page_range mm/gup.c:1880 [inline]
__mm_populate+0x243/0x3a0 mm/gup.c:1983
mm_populate include/linux/mm.h:3367 [inline]
vm_mmap_pgoff+0x232/0x2e0 mm/util.c:585
ksys_mmap_pgoff+0xc2/0x310 mm/mmap.c:604
x64_sys_call+0x14a3/0x2ff0 arch/x86/include/generated/asm/syscalls_64.h:10
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88811a1d89a0 of 8 bytes by task 5944 on cpu 1:
memcmp lib/string.c:683 [inline]
bcmp+0x23/0x90 lib/string.c:715
memcmp include/linux/fortify-string.h:727 [inline]
__bpf_get_stackid+0x65a/0x800 kernel/bpf/stackmap.c:269
____bpf_get_stackid kernel/bpf/stackmap.c:324 [inline]
bpf_get_stackid+0xee/0x120 kernel/bpf/stackmap.c:300
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
bpf_get_stackid_raw_tp+0xf6/0x120 kernel/trace/bpf_trace.c:1799
bpf_prog_33c66cfd8c9e7eb0+0x2a/0x32
bpf_dispatcher_nop_func include/linux/bpf.h:1332 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
bpf_trace_run4+0x114/0x1d0 kernel/trace/bpf_trace.c:2300
__do_trace_mm_page_alloc include/trace/events/kmem.h:177 [inline]
trace_mm_page_alloc include/trace/events/kmem.h:177 [inline]
__alloc_frozen_pages_noprof+0x32d/0x360 mm/page_alloc.c:5170
alloc_pages_mpol+0xb3/0x250 mm/mempolicy.c:2416
alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
alloc_pages_noprof+0x90/0x130 mm/mempolicy.c:2507
pagetable_alloc_noprof include/linux/mm.h:2881 [inline]
__pte_alloc_one_noprof include/asm-generic/pgalloc.h:75 [inline]
pte_alloc_one+0x2d/0x120 arch/x86/mm/pgtable.c:18
__pte_alloc+0x32/0x2b0 mm/memory.c:452
do_anonymous_page mm/memory.c:5022 [inline]
do_pte_missing mm/memory.c:4232 [inline]
handle_pte_fault mm/memory.c:6052 [inline]
__handle_mm_fault mm/memory.c:6195 [inline]
handle_mm_fault+0x1c55/0x2c20 mm/memory.c:6364
faultin_page mm/gup.c:1144 [inline]
__get_user_pages+0x102e/0x1fa0 mm/gup.c:1446
__get_user_pages_locked mm/gup.c:1712 [inline]
get_user_pages_remote+0x1d5/0x6d0 mm/gup.c:2634
get_arg_page+0x8e/0x1e0 fs/exec.c:163
copy_string_kernel+0x12c/0x1f0 fs/exec.c:566
do_execveat_common+0x5ad/0x750 fs/exec.c:1831
do_execveat fs/exec.c:1945 [inline]
__do_sys_execveat fs/exec.c:2019 [inline]
__se_sys_execveat fs/exec.c:2013 [inline]
__x64_sys_execveat+0x73/0x90 fs/exec.c:2013
x64_sys_call+0x1fec/0x2ff0 arch/x86/include/generated/asm/syscalls_64.h:323
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x2c6c684000000001 -> 0x0000000000000002

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 5944 Comm: syz.1.683 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup