[moderation] [kernfs?] KCSAN: data-race in rwsem_down_write_slowpath / rwsem_down_write_slowpath
1 view
Skip to first unread message
syzbot
Jan 18, 2026, 11:38:22 PM (2 days ago) Jan 18
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: e84d960149e7 Merge tag 'for-6.19-rc5-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c90d22580000
kernel config: https://syzkaller.appspot.com/x/.config?x=676c6f0212d0c041
dashboard link: https://syzkaller.appspot.com/bug?extid=f5e0ba366db50663c2e2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
CC: [gre...@linuxfoundation.org linux-...@vger.kernel.org t...@kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e2c3723b9ab1/disk-e84d9601.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5790bc964aa6/vmlinux-e84d9601.xz
kernel image: https://storage.googleapis.com/syzbot-assets/023ce82e3277/bzImage-e84d9601.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f5e0ba...@syzkaller.appspotmail.com
==================================================================
BUG: KCSAN: data-race in rwsem_down_write_slowpath / rwsem_down_write_slowpath
write to 0xffffc90001dbfaf8 of 1 bytes by task 11768 on cpu 1:
rwsem_try_write_lock kernel/locking/rwsem.c:653 [inline]
rwsem_down_write_slowpath+0x3ec/0xa80 kernel/locking/rwsem.c:1159
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0xab/0xc0 kernel/locking/rwsem.c:1591
kernfs_activate+0x48/0xa0 fs/kernfs/dir.c:1430
kernfs_add_one+0x212/0x280 fs/kernfs/dir.c:839
__kernfs_create_file+0x145/0x180 fs/kernfs/file.c:1086
sysfs_add_file_mode_ns+0x132/0x1b0 fs/sysfs/file.c:313
create_files fs/sysfs/group.c:82 [inline]
internal_create_group+0x441/0x9e0 fs/sysfs/group.c:189
internal_create_groups fs/sysfs/group.c:229 [inline]
sysfs_create_groups+0x3f/0xf0 fs/sysfs/group.c:255
device_add_groups drivers/base/core.c:2836 [inline]
device_add_attrs+0x64/0x3f0 drivers/base/core.c:2900
device_add+0x37a/0x770 drivers/base/core.c:3643
netdev_register_kobject+0x109/0x230 net/core/net-sysfs.c:2358
register_netdevice+0x8cf/0xdd0 net/core/dev.c:11406
__ip_tunnel_create+0x319/0x430 net/ipv4/ip_tunnel.c:268
ip_tunnel_init_net+0x210/0x490 net/ipv4/ip_tunnel.c:1147
vti_init_net+0x39/0xf0 net/ipv4/ip_vti.c:517
ops_init+0x22a/0x2e0 net/core/net_namespace.c:137
setup_net+0x9f/0x230 net/core/net_namespace.c:446
copy_net_ns+0x308/0x450 net/core/net_namespace.c:581
create_new_namespaces+0x20e/0x400 kernel/nsproxy.c:130
copy_namespaces+0x1ad/0x210 kernel/nsproxy.c:195
copy_process+0xce5/0x1f10 kernel/fork.c:2224
kernel_clone+0x16b/0x5b0 kernel/fork.c:2651
__do_sys_clone kernel/fork.c:2792 [inline]
__se_sys_clone kernel/fork.c:2776 [inline]
__x64_sys_clone+0x143/0x180 kernel/fork.c:2776
x64_sys_call+0x12d0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:57
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc0/0x2a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffffc90001dbfaf8 of 1 bytes by task 9429 on cpu 0:
rwsem_down_write_slowpath+0x463/0xa80 kernel/locking/rwsem.c:1177
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0xab/0xc0 kernel/locking/rwsem.c:1591
kernfs_remove_by_name_ns+0x5c/0xf0 fs/kernfs/dir.c:1717
kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
remove_files fs/sysfs/group.c:28 [inline]
sysfs_remove_group+0xa5/0x170 fs/sysfs/group.c:328
sysfs_remove_groups+0x3a/0x80 fs/sysfs/group.c:352
destroy_gid_attrs drivers/infiniband/core/sysfs.c:1182 [inline]
ib_free_port_attrs+0x8e/0x260 drivers/infiniband/core/sysfs.c:1407
remove_one_compat_dev drivers/infiniband/core/device.c:1038 [inline]
rdma_dev_exit_net+0x1aa/0x290 drivers/infiniband/core/device.c:1176
ops_exit_list net/core/net_namespace.c:199 [inline]
ops_undo_list+0x285/0x420 net/core/net_namespace.c:252
cleanup_net+0x31c/0x550 net/core/net_namespace.c:696
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0x4cd/0x9d0 kernel/workqueue.c:3340
worker_thread+0x581/0x770 kernel/workqueue.c:3421
kthread+0x488/0x510 kernel/kthread.c:463
ret_from_fork+0x148/0x280 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
value changed: 0x00 -> 0x01
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 9429 Comm: kworker/u8:15 Tainted: G W syzkaller #0 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
==================================================================
hsr_slave_0: left promiscuous mode
hsr_slave_1: left promiscuous mode
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
IPVS: stop unused estimator thread 0...
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: e84d960149e7 Merge tag 'for-6.19-rc5-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c90d22580000
kernel config: https://syzkaller.appspot.com/x/.config?x=676c6f0212d0c041
dashboard link: https://syzkaller.appspot.com/bug?extid=f5e0ba366db50663c2e2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
CC: [gre...@linuxfoundation.org linux-...@vger.kernel.org t...@kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e2c3723b9ab1/disk-e84d9601.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5790bc964aa6/vmlinux-e84d9601.xz
kernel image: https://storage.googleapis.com/syzbot-assets/023ce82e3277/bzImage-e84d9601.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f5e0ba...@syzkaller.appspotmail.com
==================================================================
BUG: KCSAN: data-race in rwsem_down_write_slowpath / rwsem_down_write_slowpath
write to 0xffffc90001dbfaf8 of 1 bytes by task 11768 on cpu 1:
rwsem_try_write_lock kernel/locking/rwsem.c:653 [inline]
rwsem_down_write_slowpath+0x3ec/0xa80 kernel/locking/rwsem.c:1159
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0xab/0xc0 kernel/locking/rwsem.c:1591
kernfs_activate+0x48/0xa0 fs/kernfs/dir.c:1430
kernfs_add_one+0x212/0x280 fs/kernfs/dir.c:839
__kernfs_create_file+0x145/0x180 fs/kernfs/file.c:1086
sysfs_add_file_mode_ns+0x132/0x1b0 fs/sysfs/file.c:313
create_files fs/sysfs/group.c:82 [inline]
internal_create_group+0x441/0x9e0 fs/sysfs/group.c:189
internal_create_groups fs/sysfs/group.c:229 [inline]
sysfs_create_groups+0x3f/0xf0 fs/sysfs/group.c:255
device_add_groups drivers/base/core.c:2836 [inline]
device_add_attrs+0x64/0x3f0 drivers/base/core.c:2900
device_add+0x37a/0x770 drivers/base/core.c:3643
netdev_register_kobject+0x109/0x230 net/core/net-sysfs.c:2358
register_netdevice+0x8cf/0xdd0 net/core/dev.c:11406
__ip_tunnel_create+0x319/0x430 net/ipv4/ip_tunnel.c:268
ip_tunnel_init_net+0x210/0x490 net/ipv4/ip_tunnel.c:1147
vti_init_net+0x39/0xf0 net/ipv4/ip_vti.c:517
ops_init+0x22a/0x2e0 net/core/net_namespace.c:137
setup_net+0x9f/0x230 net/core/net_namespace.c:446
copy_net_ns+0x308/0x450 net/core/net_namespace.c:581
create_new_namespaces+0x20e/0x400 kernel/nsproxy.c:130
copy_namespaces+0x1ad/0x210 kernel/nsproxy.c:195
copy_process+0xce5/0x1f10 kernel/fork.c:2224
kernel_clone+0x16b/0x5b0 kernel/fork.c:2651
__do_sys_clone kernel/fork.c:2792 [inline]
__se_sys_clone kernel/fork.c:2776 [inline]
__x64_sys_clone+0x143/0x180 kernel/fork.c:2776
x64_sys_call+0x12d0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:57
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc0/0x2a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffffc90001dbfaf8 of 1 bytes by task 9429 on cpu 0:
rwsem_down_write_slowpath+0x463/0xa80 kernel/locking/rwsem.c:1177
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0xab/0xc0 kernel/locking/rwsem.c:1591
kernfs_remove_by_name_ns+0x5c/0xf0 fs/kernfs/dir.c:1717
kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
remove_files fs/sysfs/group.c:28 [inline]
sysfs_remove_group+0xa5/0x170 fs/sysfs/group.c:328
sysfs_remove_groups+0x3a/0x80 fs/sysfs/group.c:352
destroy_gid_attrs drivers/infiniband/core/sysfs.c:1182 [inline]
ib_free_port_attrs+0x8e/0x260 drivers/infiniband/core/sysfs.c:1407
remove_one_compat_dev drivers/infiniband/core/device.c:1038 [inline]
rdma_dev_exit_net+0x1aa/0x290 drivers/infiniband/core/device.c:1176
ops_exit_list net/core/net_namespace.c:199 [inline]
ops_undo_list+0x285/0x420 net/core/net_namespace.c:252
cleanup_net+0x31c/0x550 net/core/net_namespace.c:696
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0x4cd/0x9d0 kernel/workqueue.c:3340
worker_thread+0x581/0x770 kernel/workqueue.c:3421
kthread+0x488/0x510 kernel/kthread.c:463
ret_from_fork+0x148/0x280 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
value changed: 0x00 -> 0x01
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 9429 Comm: kworker/u8:15 Tainted: G W syzkaller #0 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
==================================================================
hsr_slave_0: left promiscuous mode
hsr_slave_1: left promiscuous mode
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
IPVS: stop unused estimator thread 0...
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages