From: "Rafael Passos" <rafael@rcpassos.me>
To: <Jason@zx2c4.com>, <andrew+netdev@lunn.ch>, <davem@davemloft.net>,
<edumazet@google.com>, <kuba@kernel.org>,
<linux-kernel@vger.kernel.org>, <netdev@vger.kernel.org>,
<pabeni@redhat.com>, <syzkaller-bugs@googlegroups.com>,
<wireguard@lists.zx2c4.com>,
"syzbot" <syzbot+9ca7674fa7521a3f1bc2@syzkaller.appspotmail.com>
Subject: Re: [syzbot] [wireguard?] KCSAN: data-race in wg_socket_send_skb_to_peer / wg_socket_send_skb_to_peer (9)
Date: Mon, 22 Jun 2026 16:34:33 -0300 [thread overview]
Message-ID: <DJFTVX3FE7OD.2O8GTO84798T@rcpassos.me> (raw)
In-Reply-To: <6a1d983b.b111c304.35cd64.0028.GAE@google.com>
Hi,
I started investigating this KCSAN warning by syzbot, and would like to
ask a few questions.
On Mon Jun 1, 2026 at 11:33 AM -03, syzbot wrote:
> ==================================================================
> BUG: KCSAN: data-race in wg_socket_send_skb_to_peer / wg_socket_send_skb_to_peer
>
> read-write to 0xffff88811af99028 of 8 bytes by task 310 on cpu 1:
> wg_socket_send_skb_to_peer+0xe8/0x130 drivers/net/wireguard/socket.c:182
> wg_socket_send_buffer_to_peer+0xf1/0x120 drivers/net/wireguard/socket.c:199
> wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
> wg_packet_handshake_send_worker+0x10d/0x160 drivers/net/wireguard/send.c:51
> process_one_work kernel/workqueue.c:3314 [inline]
> process_scheduled_works+0x4f0/0x9c0 kernel/workqueue.c:3397
> worker_thread+0x58a/0x780 kernel/workqueue.c:3478
> kthread+0x22a/0x280 kernel/kthread.c:436
> ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>
> read-write to 0xffff88811af99028 of 8 bytes by task 15360 on cpu 0:
> wg_socket_send_skb_to_peer+0xe8/0x130 drivers/net/wireguard/socket.c:182
> wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
> wg_packet_tx_worker+0x12d/0x330 drivers/net/wireguard/send.c:276
> process_one_work kernel/workqueue.c:3314 [inline]
> process_scheduled_works+0x4f0/0x9c0 kernel/workqueue.c:3397
> worker_thread+0x58a/0x780 kernel/workqueue.c:3478
> kthread+0x22a/0x280 kernel/kthread.c:436
> ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>
> value changed: 0x0000000000000a2c -> 0x0000000000000ac0
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 0 UID: 0 PID: 15360 Comm: kworker/0:2 Tainted: G W syzkaller #0 PREEMPT(lazy)
> Tainted: [W]=WARN
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
> Workqueue: wg-crypt-wg2 wg_packet_tx_worker
I tracked the change to this counter increment in `wg_socket_send_skb_to_peer`
+++ b/drivers/net/wireguard/socket.c
@@ -179,7 +179,8 @@ int wg_socket_send_skb_to_peer(struct wg_peer *peer, struct sk_buff *skb, u8 ds)
else
dev_kfree_skb(skb);
if (likely(!ret))
-> peer->tx_bytes += skb_len; <- protected by a read_lock_bh only
read_unlock_bh(&peer->endpoint_lock);
It is protected by the read-part of a rwlock.
However, if the stack trace makes sense, this `wg_socket_send_skb_to_peer`
is being called after a handshake (wg_packet_send_handshake_initiation) and
a send worker call (wg_packet_tx_worker).
Does this make sense ? Are such calls possible to really hapen outside of fuzzing ?
Out of curiosity, I changed `tx_bytes` and `rx_bytes` from u64 to atomic64_t
in peer.h, and also the r/w ops in netlink.c, receive.c and socket.c files.
I ran the wireguard kselftest suite with and without this patch, and it
worked fine. Iperf results seem sine (on amd64).
I'm not sure if this should be the solution, or if this is even a real issue in the first place.
Any comments ?
Eager to learn.
Thanks,
Rafael Passos
prev parent reply other threads:[~2026-06-22 19:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-01 14:33 [syzbot] [wireguard?] KCSAN: data-race in wg_socket_send_skb_to_peer / wg_socket_send_skb_to_peer (9) syzbot
2026-06-22 19:34 ` Rafael Passos [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJFTVX3FE7OD.2O8GTO84798T@rcpassos.me \
--to=rafael@rcpassos.me \
--cc=Jason@zx2c4.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+9ca7674fa7521a3f1bc2@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox