[moderation] [mm?] KCSAN: data-race in filemap_read_folio / filemap_read_folio (4)


syzbot

Feb 13, 2026, 3:50:24 PM (19 hours ago) Feb 13
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: cee73b1e840c Merge tag 'riscv-for-linus-7.0-mw1' of git://..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15e86b3a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a6d4a8c8877f1220
dashboard link: https://syzkaller.appspot.com/bug?extid=40530cc4256b7fa74046
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
CC: [ak...@linux-foundation.org da...@kernel.org j...@ziepe.ca jhub...@nvidia.com linux-...@vger.kernel.org linu...@kvack.org pet...@redhat.com]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c607da3ff440/disk-cee73b1e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0ca19d705091/vmlinux-cee73b1e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6c9182a73e86/bzImage-cee73b1e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+40530c...@syzkaller.appspotmail.com

syz.1.7451: attempt to access beyond end of device
loop1: rw=8388608, sector=2065, nr_sectors = 8 limit=128
==================================================================
BUG: KCSAN: data-race in filemap_read_folio / filemap_read_folio

read-write to 0xffff8881670352e0 of 4 bytes by task 1786 on cpu 1:
shrink_readahead_size_eio mm/filemap.c:2438 [inline]
filemap_read_folio+0xea/0x110 mm/filemap.c:2508
filemap_fault+0x5c8/0xb90 mm/filemap.c:3641
__do_fault+0xbc/0x200 mm/memory.c:5355
do_read_fault mm/memory.c:5790 [inline]
do_fault mm/memory.c:5924 [inline]
do_pte_missing mm/memory.c:4469 [inline]
handle_pte_fault mm/memory.c:6308 [inline]
__handle_mm_fault mm/memory.c:6446 [inline]
handle_mm_fault+0x11d7/0x3020 mm/memory.c:6615
faultin_page mm/gup.c:1126 [inline]
__get_user_pages+0x1023/0x1ea0 mm/gup.c:1428
populate_vma_page_range mm/gup.c:1860 [inline]
__mm_populate+0x242/0x390 mm/gup.c:1963
mm_populate include/linux/mm.h:3689 [inline]
vm_mmap_pgoff+0x23b/0x2d0 mm/util.c:586
ksys_mmap_pgoff+0x267/0x310 mm/mmap.c:604
x64_sys_call+0x14df/0x3020 arch/x86/include/generated/asm/syscalls_64.h:10
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

read-write to 0xffff8881670352e0 of 4 bytes by task 1814 on cpu 0:
shrink_readahead_size_eio mm/filemap.c:2438 [inline]
filemap_read_folio+0xea/0x110 mm/filemap.c:2508
filemap_fault+0x5c8/0xb90 mm/filemap.c:3641
__do_fault+0xbc/0x200 mm/memory.c:5355
do_read_fault mm/memory.c:5790 [inline]
do_fault mm/memory.c:5924 [inline]
do_pte_missing mm/memory.c:4469 [inline]
handle_pte_fault mm/memory.c:6308 [inline]
__handle_mm_fault mm/memory.c:6446 [inline]
handle_mm_fault+0x11d7/0x3020 mm/memory.c:6615
do_user_addr_fault+0x3fd/0x1050 arch/x86/mm/fault.c:1385
handle_page_fault arch/x86/mm/fault.c:1474 [inline]
exc_page_fault+0x62/0xa0 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
rep_movs_alternative+0x4a/0x90 arch/x86/lib/copy_user_64.S:68
copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
raw_copy_from_user arch/x86/include/asm/uaccess_64.h:141 [inline]
_inline_copy_from_user include/linux/uaccess.h:185 [inline]
_copy_from_user+0x6f/0xb0 lib/usercopy.c:18
copy_from_user include/linux/uaccess.h:223 [inline]
copy_mount_options fs/namespace.c:4028 [inline]
__do_sys_mount fs/namespace.c:4343 [inline]
__se_sys_mount+0x10d/0x2e0 fs/namespace.c:4325
__x64_sys_mount+0x67/0x80 fs/namespace.c:4325
x64_sys_call+0x2d61/0x3020 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x00000020 -> 0x00000008

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 1814 Comm: syz.1.7451 Tainted: G W syzkaller #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
==================================================================
syz.1.7451: attempt to access beyond end of device
loop1: rw=8388608, sector=2065, nr_sectors = 8 limit=128


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup