Re: [syzbot] [bpf?] KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
To: syzbot <syzbot+44044637ef892e79ca2b@syzkaller.appspotmail.com>,
	andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
	daniel@iogearbox.net, eddyz87@gmail.com, jolsa@kernel.org,
	linux-kernel@vger.kernel.org, martin.lau@linux.dev,
	memxor@gmail.com, song@kernel.org,
	syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [syzbot] [bpf?] KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy
Date: Mon, 20 Apr 2026 18:37:40 +0100	[thread overview]
Message-ID: <a29a0db1-1beb-4e78-a499-81958dedf6ac@gmail.com> (raw)
In-Reply-To: <69e63489.a00a0220.17a17.0005.GAE@google.com>

On 4/20/26 3:13 PM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    c1f49dea2b8f Merge tag 'mm-hotfixes-stable-2026-04-19-00-1..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10ec34ce580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d3740f7f69b18f59
> dashboard link: https://syzkaller.appspot.com/bug?extid=44044637ef892e79ca2b
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/4ed91de40e47/disk-c1f49dea.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/7353bf53627b/vmlinux-c1f49dea.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ab6db1fcd59d/bzImage-c1f49dea.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+44044637ef892e79ca2b@syzkaller.appspotmail.com
> 
> netlink: 676 bytes leftover after parsing attributes in process `syz.4.735'.
> ==================================================================
> BUG: KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy
> 
> write to 0xffffe8ffffa24c00 of 1404 bytes by task 6603 on cpu 0:
>   bpf_obj_memcpy+0x13c/0x1a0 include/linux/bpf.h:-1
>   copy_map_value include/linux/bpf.h:557 [inline]
>   bpf_percpu_array_update+0x1e1/0x2d0 kernel/bpf/arraymap.c:443
>   bpf_map_update_value+0x260/0x570 kernel/bpf/syscall.c:275
>   generic_map_update_batch+0x52d/0x680 kernel/bpf/syscall.c:2025
>   bpf_map_do_batch+0x25c/0x380 kernel/bpf/syscall.c:5689
>   __sys_bpf+0x6a2/0x7e0 kernel/bpf/syscall.c:-1
>   __do_sys_bpf kernel/bpf/syscall.c:6361 [inline]
>   __se_sys_bpf kernel/bpf/syscall.c:6359 [inline]
>   __x64_sys_bpf+0x41/0x50 kernel/bpf/syscall.c:6359
>   x64_sys_call+0x10cb/0x3020 arch/x86/include/generated/asm/syscalls_64.h:322
>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>   do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> write to 0xffffe8ffffa24c00 of 1404 bytes by task 6604 on cpu 1:
>   bpf_obj_memcpy+0x13c/0x1a0 include/linux/bpf.h:-1
>   copy_map_value include/linux/bpf.h:557 [inline]
>   bpf_percpu_array_update+0x1e1/0x2d0 kernel/bpf/arraymap.c:443
>   bpf_map_update_value+0x260/0x570 kernel/bpf/syscall.c:275
>   generic_map_update_batch+0x52d/0x680 kernel/bpf/syscall.c:2025
>   bpf_map_do_batch+0x25c/0x380 kernel/bpf/syscall.c:5689
>   __sys_bpf+0x6a2/0x7e0 kernel/bpf/syscall.c:-1
>   __do_sys_bpf kernel/bpf/syscall.c:6361 [inline]
>   __se_sys_bpf kernel/bpf/syscall.c:6359 [inline]
>   __x64_sys_bpf+0x41/0x50 kernel/bpf/syscall.c:6359
>   x64_sys_call+0x10cb/0x3020 arch/x86/include/generated/asm/syscalls_64.h:322
>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>   do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 

This looks like a design choice - no explicit synchronization for percpu 
data updates, for performance reasons.
 From the syscall side it's possible to use external lock. From BPF in 
NMI context torn writes risk is acceptable.

     prev parent reply	other threads:[~2026-04-20 17:37 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-20 14:13 [syzbot] [bpf?] KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy syzbot
2026-04-20 17:37 ` Mykyta Yatsenko [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a29a0db1-1beb-4e78-a499-81958dedf6ac@gmail.com \
    --to=mykyta.yatsenko5@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=memxor@gmail.com \
    --cc=song@kernel.org \
    --cc=syzbot+44044637ef892e79ca2b@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox