[moderation] [virt?] KCSAN: data-race in virtqueue_get_buf_ctx / vring_interrupt (8)


syzbot

2:55 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 9207d47f966b Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=147abf6c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2e40c0f41e01837e
dashboard link: https://syzkaller.appspot.com/bug?extid=b3300c32e263374b2cf3
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
CC: [eper...@redhat.com jaso...@redhat.com linux-...@vger.kernel.org m...@redhat.com virtual...@lists.linux.dev xuan...@linux.alibaba.com]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/516e5f20bc19/disk-9207d47f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0b33d7255cb5/vmlinux-9207d47f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b53b39dff98a/bzImage-9207d47f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b3300c...@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in virtqueue_get_buf_ctx / vring_interrupt

read-write to 0xffff88810224b25c of 2 bytes by interrupt on cpu 0:
virtqueue_get_buf_ctx_split drivers/virtio/virtio_ring.c:959 [inline]
virtqueue_get_buf_ctx+0x607/0xdb0 drivers/virtio/virtio_ring.c:3086
virtqueue_get_buf+0x1f/0x30 drivers/virtio/virtio_ring.c:3092
__free_old_xmit+0x53/0x340 drivers/net/virtio_net.c:588
virtnet_free_old_xmit+0x39/0x1b0 drivers/net/virtio_net.c:629
free_old_xmit drivers/net/virtio_net.c:958 [inline]
virtnet_poll_tx+0x2de/0xca0 drivers/net/virtio_net.c:3239
__napi_poll+0x61/0x300 net/core/dev.c:7730
napi_poll net/core/dev.c:7793 [inline]
net_rx_action+0x452/0x930 net/core/dev.c:7950
handle_softirqs+0xb9/0x280 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x42/0xd0 kernel/softirq.c:735
common_interrupt+0x83/0x90 arch/x86/kernel/irq.c:326
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688
__preempt_count_dec_and_test arch/x86/include/asm/preempt.h:95 [inline]
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:179 [inline]
_raw_spin_unlock_irqrestore+0x1a/0x30 kernel/locking/spinlock.c:198
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
__skb_try_recv_datagram+0x123/0x320 net/core/datagram.c:267
__unix_dgram_recvmsg+0x25a/0x870 net/unix/af_unix.c:2587
unix_dgram_recvmsg+0x7e/0x90 net/unix/af_unix.c:2686
sock_recvmsg_nosec+0xc2/0xf0 net/socket.c:1137
____sys_recvmsg+0x26f/0x280 net/socket.c:2916
___sys_recvmsg+0x11f/0x3b0 net/socket.c:2960
do_recvmmsg+0x1ef/0x560 net/socket.c:3055
__sys_recvmmsg net/socket.c:3129 [inline]
__do_sys_recvmmsg net/socket.c:3152 [inline]
__se_sys_recvmmsg net/socket.c:3145 [inline]
__x64_sys_recvmmsg+0xe5/0x170 net/socket.c:3145
x64_sys_call+0x80f/0x3020 arch/x86/include/generated/asm/syscalls_64.h:300
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88810224b25c of 2 bytes by interrupt on cpu 1:
more_used_split drivers/virtio/virtio_ring.c:906 [inline]
more_used drivers/virtio/virtio_ring.c:3218 [inline]
vring_interrupt+0x48/0x310 drivers/virtio/virtio_ring.c:3233
__handle_irq_event_percpu+0x8b/0x480 kernel/irq/handle.c:209
handle_irq_event_percpu kernel/irq/handle.c:246 [inline]
handle_irq_event+0x64/0xf0 kernel/irq/handle.c:263
handle_edge_irq+0x154/0x450 kernel/irq/chip.c:856
generic_handle_irq_desc include/linux/irqdesc.h:186 [inline]
handle_irq arch/x86/kernel/irq.c:262 [inline]
call_irq_handler arch/x86/kernel/irq.c:-1 [inline]
__common_interrupt+0x60/0xb0 arch/x86/kernel/irq.c:333
common_interrupt+0x7e/0x90 arch/x86/kernel/irq.c:326
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688
__preempt_count_dec_and_test arch/x86/include/asm/preempt.h:95 [inline]
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:179 [inline]
_raw_spin_unlock_irqrestore+0x1a/0x30 kernel/locking/spinlock.c:198
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
avc_reclaim_node security/selinux/avc.c:488 [inline]
avc_alloc_node+0x21c/0x280 security/selinux/avc.c:507
avc_insert security/selinux/avc.c:618 [inline]
avc_compute_av+0xb0/0x430 security/selinux/avc.c:993
avc_perm_nonode+0x5e/0xe0 security/selinux/avc.c:1117
avc_has_perm_noaudit+0xf2/0x130 security/selinux/avc.c:1160
avc_has_perm+0x60/0x190 security/selinux/avc.c:1195
may_create+0x455/0x4a0 security/selinux/hooks.c:1880
selinux_inode_symlink+0x22/0x30 security/selinux/hooks.c:3092
security_inode_symlink+0x75/0xb0 security/security.c:1698
vfs_symlink+0x8e/0x220 fs/namei.c:5635
filename_symlinkat+0xe8/0x2b0 fs/namei.c:5668
__do_sys_symlinkat fs/namei.c:5688 [inline]
__se_sys_symlinkat+0x43/0x1b0 fs/namei.c:5683
__x64_sys_symlinkat+0x43/0x50 fs/namei.c:5683
x64_sys_call+0x2b7d/0x3020 arch/x86/include/generated/asm/syscalls_64.h:267
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x25f1 -> 0x25f2

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 8527 Comm: syz-executor Tainted: G W syzkaller #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
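The two stacks above describe one handshake on the split virtqueue: on CPU 0 the TX NAPI poll (virtnet_poll_tx -> virtqueue_get_buf_ctx_split) bumps the driver's 2-byte vq->last_used_idx cursor by one (0x25f1 -> 0x25f2), while on CPU 1 vring_interrupt -> more_used_split reads that same cursor, without any lock, to decide whether the ring has unconsumed entries. The following userspace C model is an added illustration, not syzbot's or the kernel's code: the struct and function names (vq_model, device_complete, more_used, get_buf, run_model) are hypothetical reductions of drivers/virtio/virtio_ring.c, the ring contents are omitted, and C11 relaxed atomics stand in for the kernel's READ_ONCE()/WRITE_ONCE() markings so that the same interleaving can be run and inspected on a workstation.

```c
/*
 * Added userspace model of the accesses in the KCSAN report above.
 * Not kernel code: names are hypothetical reductions of
 * drivers/virtio/virtio_ring.c (last_used_idx, used->idx,
 * more_used_split, virtqueue_get_buf_ctx_split).
 *
 * Build: cc -O2 -pthread vring_race_model.c -o vring_race_model
 * The relaxed C11 atomics are the userspace analogue of
 * READ_ONCE()/WRITE_ONCE(); replace them with plain loads/stores and
 * rebuild with -fsanitize=thread and TSan reports the same pair of
 * accesses (NAPI increment vs. IRQ-side read) that KCSAN flagged.
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct vq_model {
    _Atomic uint16_t last_used_idx; /* driver cursor: the 2-byte field in the report */
    _Atomic uint16_t used_idx;      /* device-owned used->idx in the shared ring */
    unsigned consumed;              /* buffers handed back; consumer thread only */
};

static void vq_init(struct vq_model *vq, uint16_t start)
{
    atomic_init(&vq->last_used_idx, start);
    atomic_init(&vq->used_idx, start);
    vq->consumed = 0;
}

/* Device side: completing a buffer publishes a new used->idx. */
static void device_complete(struct vq_model *vq, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        atomic_fetch_add_explicit(&vq->used_idx, 1, memory_order_release);
}

/* IRQ side (vring_interrupt -> more_used_split): any unconsumed entries?
 * This is the read of last_used_idx on CPU 1 in the report. */
static bool more_used(struct vq_model *vq)
{
    uint16_t last = atomic_load_explicit(&vq->last_used_idx, memory_order_relaxed);
    uint16_t dev = atomic_load_explicit(&vq->used_idx, memory_order_acquire);
    return last != dev; /* inequality test, so u16 wrap-around is harmless */
}

/* NAPI side (virtqueue_get_buf_ctx_split): take one used entry and bump the
 * cursor. This is the 0x25f1 -> 0x25f2 read-write on CPU 0 in the report. */
static bool get_buf(struct vq_model *vq)
{
    if (!more_used(vq))
        return false;
    uint16_t last = atomic_load_explicit(&vq->last_used_idx, memory_order_relaxed);
    /* the real code reads used->ring[last & (num - 1)] here */
    atomic_store_explicit(&vq->last_used_idx, (uint16_t)(last + 1), memory_order_relaxed);
    vq->consumed++;
    return true;
}

struct run {
    struct vq_model *vq;
    unsigned n;
    _Atomic bool stop;
    unsigned irq_seen_work; /* times the IRQ path observed pending work */
};

static void *device_thread(void *arg)
{
    struct run *r = arg;
    device_complete(r->vq, r->n);
    return NULL;
}

static void *napi_thread(void *arg)
{
    struct run *r = arg;
    while (r->vq->consumed < r->n)
        get_buf(r->vq); /* spins while the ring is momentarily empty */
    atomic_store(&r->stop, true);
    return NULL;
}

static void *irq_thread(void *arg)
{
    struct run *r = arg;
    while (!atomic_load(&r->stop))
        if (more_used(r->vq))
            r->irq_seen_work++;
    return NULL;
}

/* Run device, NAPI consumer and IRQ poller concurrently; return the final cursor. */
static uint16_t run_model(uint16_t start, unsigned n)
{
    struct vq_model vq;
    struct run r = { .vq = &vq, .n = n };
    pthread_t dev, napi, irq;

    vq_init(&vq, start);
    atomic_init(&r.stop, false);
    pthread_create(&irq, NULL, irq_thread, &r);
    pthread_create(&dev, NULL, device_thread, &r);
    pthread_create(&napi, NULL, napi_thread, &r);
    pthread_join(dev, NULL);
    pthread_join(napi, NULL);
    pthread_join(irq, NULL);
    return atomic_load(&vq.last_used_idx);
}

int main(void)
{
    uint16_t end = run_model(0x25f1, 1000);
    printf("last_used_idx 0x25f1 -> 0x%04x after 1000 completions\n", end);
    return end == (uint16_t)(0x25f1 + 1000) ? 0 : 1;
}
```

The model keeps the shape of the real check: the interrupt path only compares the driver cursor against the device's index for inequality, so the cursor wrapping past 0xffff is fine, and the cursor is only ever advanced by one consumer at a time (the NAPI poll) while the IRQ path merely observes it. Running the plain-access variant under ThreadSanitizer is the quickest way to see the report's two accesses flagged outside the kernel; the report itself does not say how the kernel side is to be resolved, and this model does not claim to.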