[moderation] [kernel?] KCSAN: data-race in ktime_get_real_seconds / timekeeping_update_from_shadow (3)

syzbot

Nov 4, 2025, 3:48:31 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c9cfc122f037 Merge tag 'for-6.18-rc4-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10392532580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d2e0bc0ae94545f7
dashboard link: https://syzkaller.appspot.com/bug?extid=442fd7e52f9be4e429ae
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
CC: [jst...@google.com linux-...@vger.kernel.org sb...@kernel.org tg...@linutronix.de]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f366eb5a67c/disk-c9cfc122.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/34bb36eef674/vmlinux-c9cfc122.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cc542f2a2978/bzImage-c9cfc122.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+442fd7...@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in ktime_get_real_seconds / timekeeping_update_from_shadow

write to 0xffffffff88e8e0c8 of 280 bytes by interrupt on cpu 1:
timekeeping_update_from_shadow+0x2b4/0x2f0 kernel/time/timekeeping.c:753
__timekeeping_advance+0xa3d/0xbc0 kernel/time/timekeeping.c:2363
timekeeping_advance kernel/time/timekeeping.c:2371 [inline]
update_wall_time+0x24/0x90 kernel/time/timekeeping.c:2381
tick_do_update_jiffies64+0x169/0x1c0 kernel/time/tick-sched.c:149
tick_sched_do_timer kernel/time/tick-sched.c:232 [inline]
tick_nohz_handler+0x7f/0x2d0 kernel/time/tick-sched.c:290
__run_hrtimer kernel/time/hrtimer.c:1777 [inline]
__hrtimer_run_queues+0x20f/0x5a0 kernel/time/hrtimer.c:1841
hrtimer_interrupt+0x21a/0x460 kernel/time/hrtimer.c:1903
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1041 [inline]
__sysvec_apic_timer_interrupt+0x5f/0x1d0 arch/x86/kernel/apic/apic.c:1058
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
sysvec_apic_timer_interrupt+0x6f/0x80 arch/x86/kernel/apic/apic.c:1052
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
console_flush_all+0x51b/0x6a0 arch/x86/include/asm/irqflags.h:-1
__console_flush_and_unlock kernel/printk/printk.c:3258 [inline]
console_unlock+0xa1/0x2e0 kernel/printk/printk.c:3298
vprintk_emit+0x3b5/0x580 kernel/printk/printk.c:2423
vprintk_default+0x26/0x30 kernel/printk/printk.c:2438
vprintk+0x1d/0x30 kernel/printk/printk_safe.c:82
_printk+0x79/0xa0 kernel/printk/printk.c:2448
set_capacity_and_notify+0x14c/0x1f0 block/genhd.c:93
loop_set_size+0x2e/0x70 drivers/block/loop.c:220
loop_configure+0x828/0x9c0 drivers/block/loop.c:1081
lo_ioctl+0x1e1/0x12b0 drivers/block/loop.c:1536
blkdev_ioctl+0x356/0x440 block/ioctl.c:705
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xce/0x140 fs/ioctl.c:583
__x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583
x64_sys_call+0x1816/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffffff88e8e100 of 8 bytes by task 5437 on cpu 0:
ktime_get_real_seconds+0x15/0x30 kernel/time/timekeeping.c:1013
ext4_update_super+0xe0/0xb70 fs/ext4/super.c:6144
ext4_commit_super+0x40/0x280 fs/ext4/super.c:6207
ext4_handle_error+0x451/0x550 fs/ext4/super.c:718
__ext4_error_inode+0x1e3/0x3f0 fs/ext4/super.c:861
__ext4_mark_inode_dirty+0xbd/0x3f0 fs/ext4/inode.c:6491
__ext4_ext_dirty+0xdb/0x1f0 fs/ext4/extents.c:206
ext4_split_extent_at+0x48c/0x990 fs/ext4/extents.c:3230
ext4_split_extent+0x1af/0x3b0 fs/ext4/extents.c:3406
ext4_split_convert_extents fs/ext4/extents.c:3743 [inline]
ext4_ext_handle_unwritten_extents fs/ext4/extents.c:3915 [inline]
ext4_ext_map_blocks+0xb58/0x38a0 fs/ext4/extents.c:4274
ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
ext4_map_blocks+0x5ee/0xd00 fs/ext4/inode.c:811
mpage_map_one_extent fs/ext4/inode.c:2374 [inline]
mpage_map_and_submit_extent fs/ext4/inode.c:2468 [inline]
ext4_do_writepages+0x15e1/0x2750 fs/ext4/inode.c:2931
ext4_writepages+0x176/0x300 fs/ext4/inode.c:3025
do_writepages+0x1c6/0x310 mm/page-writeback.c:2604
__writeback_single_inode+0x80/0x7c0 fs/fs-writeback.c:1719
writeback_sb_inodes+0x48f/0xa30 fs/fs-writeback.c:2015
wb_writeback+0x252/0x5c0 fs/fs-writeback.c:2195
wb_do_writeback fs/fs-writeback.c:2342 [inline]
wb_workfn+0x194/0x910 fs/fs-writeback.c:2382
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3346
worker_thread+0x582/0x770 kernel/workqueue.c:3427
kthread+0x489/0x510 kernel/kthread.c:463
ret_from_fork+0x122/0x1b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

value changed: 0x0000000077359429 -> 0x000000007735942a

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 5437 Comm: kworker/u8:55 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: writeback wb_workfn (flush-7:2)
==================================================================
EXT4-fs error: 18168 callbacks suppressed
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory
EXT4-fs error: 31900 callbacks suppressed
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory
EXT4-fs error (device loop2): __ext4_ext_dirty:206: inode #18: comm kworker/u8:55: mark_inode_dirty error
EXT4-fs error (device loop2) in ext4_reserve_inode_write:6313: Out of memory


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup