syzbot
| ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error |
|---|---|---|---|---|---|---|---|---|---|
| 57793e6e-4ef7-45a9-988f-599b1468ee10 | repro | see below | ❓ | KCSAN: data-race in perf_event_set_state / perf_mmap_rb | 2026/03/06 05:34 | 2026/03/06 05:34 | 2026/03/06 05:42 | 31e9c887f7dc24e04b3ca70d0d54fc34141844b0 | |

Result (repro options and syz program, syzkaller revision 31e9c887f7dc24e04b3ca70d0d54fc34141844b0):

```
threaded=true,collide=true
r0 = perf_event_open(&(0x7f0000000000)=@blob="0100000080000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x11000)=nil, 0x11000, 0x3, 0x1, r0, 0x0)
poll(&(0x7f0000001000)=[{r0, 0x1}], 0x1, 0x0)
```
```
==================================================================
BUG: KCSAN: data-race in perf_event_set_state / perf_mmap_rb

write to 0xffff88812279f1a0 of 8 bytes by task 12011 on cpu 1:
 perf_event_update_time kernel/events/core.c:737 [inline]
 perf_mmap_rb+0x71c/0x910 kernel/events/core.c:7037
 perf_mmap+0x1ce/0x2f0 kernel/events/core.c:7164
 vfs_mmap include/linux/fs.h:2053 [inline]
 mmap_file mm/internal.h:167 [inline]
 __mmap_new_file_vma mm/vma.c:2421 [inline]
 __mmap_new_vma mm/vma.c:2484 [inline]
 __mmap_region mm/vma.c:2708 [inline]
 mmap_region+0x1045/0x1410 mm/vma.c:2786
 do_mmap+0x9b3/0xbe0 mm/mmap.c:558
 vm_mmap_pgoff+0x17a/0x2e0 mm/util.c:581
 ksys_mmap_pgoff+0x268/0x310 mm/mmap.c:604
 x64_sys_call+0x16bb/0x3000 arch/x86/include/generated/asm/syscalls_64.h:10
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88812279f1a0 of 8 bytes by task 12005 on cpu 0:
 __perf_update_times kernel/events/core.c:720 [inline]
 perf_event_update_time kernel/events/core.c:735 [inline]
 perf_event_set_state+0x153/0x440 kernel/events/core.c:754
 event_sched_out+0x2d4/0x4d0 kernel/events/core.c:2391
 group_sched_out kernel/events/core.c:2415 [inline]
 __pmu_ctx_sched_out+0x3e7/0x530 kernel/events/core.c:3458
 ctx_sched_out+0x273/0x2d0 kernel/events/core.c:3539
 task_ctx_sched_out+0x4d/0x70 kernel/events/core.c:2859
 perf_event_context_sched_out kernel/events/core.c:3746 [inline]
 __perf_event_task_sched_out+0x286/0x370 kernel/events/core.c:3846
 perf_event_task_sched_out include/linux/perf_event.h:1654 [inline]
 prepare_task_switch kernel/sched/core.c:5045 [inline]
 context_switch kernel/sched/core.c:5201 [inline]
 __schedule+0xbf0/0xcd0 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x5f/0xd0 kernel/sched/core.c:6960
 schedule_preempt_disabled+0x10/0x20 kernel/sched/core.c:7017
 __mutex_lock_common kernel/locking/mutex.c:692 [inline]
 __mutex_lock+0x4ff/0xe20 kernel/locking/mutex.c:776
 __mutex_lock_slowpath+0xa/0x10 kernel/locking/mutex.c:1065
 mutex_lock+0x89/0x90 kernel/locking/mutex.c:290
 perf_poll+0x180/0x1f0 kernel/events/core.c:6150
 vfs_poll include/linux/poll.h:82 [inline]
 select_poll_one fs/select.c:480 [inline]
 do_select+0x8f1/0xf40 fs/select.c:536
 core_sys_select+0x3dc/0x6e0 fs/select.c:677
 do_pselect fs/select.c:759 [inline]
 __do_sys_pselect6 fs/select.c:798 [inline]
 __se_sys_pselect6+0x213/0x280 fs/select.c:789
 __x64_sys_pselect6+0x78/0x90 fs/select.c:789
 x64_sys_call+0x2e98/0x3000 arch/x86/include/generated/asm/syscalls_64.h:271
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x000000000038c145 -> 0x00000000003929d3

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 12005 Comm: syz.4.2772 Tainted: G W syzkaller #0 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
==================================================================
```
| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/03/06 05:34 | flow | repro | |
| 1/1 | 2026/03/06 05:34 | action | provide-var | |
| 2/1 | 2026/03/06 05:34 | action | kernel-checkouter | |
| 3/1 | 2026/03/06 05:35 | action | kernel-builder | |
| 4/1 | 2026/03/06 05:39 | agent | crash-repro-finder | |
| 5/2 | 2026/03/06 05:39 | llm | crash-repro-finder | |
| 6/2 | 2026/03/06 05:42 | tool | set-results | |
| 7/2 | 2026/03/06 05:42 | llm | crash-repro-finder | |

Step 0/0 (flow repro), Results:

```
ReproOpts: threaded=true,collide=true
ReproSyz:
r0 = perf_event_open(&(0x7f0000000000)=@blob="0100000080000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x11000)=nil, 0x11000, 0x3, 0x1, r0, 0x0)
poll(&(0x7f0000001000)=[{r0, 0x1}], 0x1, 0x0)
SyzkallerCommit: 31e9c887f7dc24e04b3ca70d0d54fc34141844b0
```

Step 1/1 (action provide-var), Results:

DescriptionFiles: acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt

SyzkallerCommit: 31e9c887f7dc24e04b3ca70d0d54fc34141844b0

Step 2/1 (action kernel-checkouter), Results:

KernelSrc: /usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/45e88afe9f77e1065fe073226d73bb1a7b8fcd49

Step 3/1 (action kernel-builder), Results:

KernelObj: /usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/cd032fae0a4a355202951678faca55c2ed45746d

Step 4/1 (agent crash-repro-finder):

Model: gemini-3-pro-preview

Results: ReproOpts: threaded=true,collide=true

Instruction: You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug. Print only the syz program that could be executed directly, without backticks. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool.

Prompt:

Bug Title: KCSAN: data-race in perf_event_set_state / perf_mmap_rb

Original Crash Report: (a verbatim copy of the KCSAN report reproduced above)

The list of existing description files: (a verbatim copy of the DescriptionFiles list from step 1/1)

Reply:

```
r0 = perf_event_open(&(0x7f0000000000)=@blob="0100000080000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x11000)=nil, 0x11000, 0x3, 0x1, r0, 0x0)
poll(&(0x7f0000001000)=[{r0, 0x1}], 0x1, 0x0)
```

Step 5/2 (llm crash-repro-finder):

Model: gemini-3-pro-preview

Tokens: input: 3452 output: 24 thoughts: 21989

Thoughts:

**Analysis and Syzkaller Program to Trigger KCSAN Data-Race**

Alright, let's craft a syzkaller program to expose that nasty data race in `perf_event_set_state` and `perf_mmap_rb`. The crash report points directly to the `perf_event_update_time` function being the culprit, with one thread performing a write through `perf_mmap_rb` during an `mmap` syscall and another reading/writing it through `perf_event_set_state` during a context switch from `schedule`. The shared data, which I'm pretty sure are time-tracking fields like `tstamp_running`, `tstamp_stopped` and `tstamp_enabled` in a `perf_event` structure, are the target.

The core of the problem lies in the concurrency. I need to get one thread mapping a perf event ring buffer via `mmap`, thus calling `perf_mmap` and ultimately `perf_mmap_rb`, while another is actively causing a context switch that hits the `perf_event_set_state` path. My plan is to create a scenario where `mmap` and the state update run concurrently, with a high probability of overlap on the mutex that protects access to `perf_event_update_time`. I'm focusing on making sure Thread B, which does the `poll` that leads to `schedule`, has the event attached so the event's internal data can be updated.

Here's how I'm thinking of building the program:

1. **Create a Perf Event:** Use `perf_event_open` to create a software CPU clock event. Set the `mmap` flag to ensure the ring buffer is mmap-able and start with the event enabled.
2. **Mmap the Ring Buffer:** The key part is to call `mmap` on the perf event FD. This triggers `perf_mmap`, which calls `perf_mmap_rb`. I'll pass a size that's a power of 2 + 1 to give the allocation work to the kernel (making it take longer, which increases the chance of overlap). And `mmap` should happen on a *different* thread from `perf_event_open` and `poll`. By calling it on a different thread, the hope is to ensure an overlap with thread B's `poll`, which triggers a context switch.
3. **Trigger the Context Switch:** This is where `poll` comes in. The crash report shows `pselect6` (which will work with `poll`). I will call `poll` on the perf event file descriptor. This causes `perf_poll` to be called, and that in turn calls `mutex_lock`, which then calls `schedule`. This gets that mutex-contention, scheduling-out-while-holding-lock sequence I need. The timeout should be set to zero, so the call will always try to contend.

The crucial part here is making sure that the mmap happens *while* the other thread is either blocked on the mutex in `poll` (and thus scheduled out) or in a state where it is close to doing so, while making sure that this is the same thread that owns the event, so that when that thread schedules out, the internal event time tracking is properly affected by the context switch.

I'm aiming for the simplest possible setup that can expose the race. I'll construct a syzkaller program with just `perf_event_open`, `mmap`, and `poll`, hoping to get syz-execprog to distribute them to two threads. I will verify that the attributes in the `perf_event_open` are properly configured (especially the `mmap` flag), and that I create the appropriate file descriptor. The size argument of `mmap` should be set to a value which is `2^n + 1` (a total ring buffer size) in order to make the code hit the allocation logic I am aiming for, which will be the slow path.

```
r0 = perf_event_open(&(0x7f0000000000)=@blob="0100000080000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000
```

Step 6/2 (tool set-results):

Args: ReproOpts: threaded=true,collide=true

Results: ReproOpts: threaded=true,collide=true

Step 7/2 (llm crash-repro-finder):

Model: gemini-3-pro-preview

Tokens: input: 26512 output: 401 thoughts: 0