syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1349]
Subsystems
🐞 Fixed [7091]
🐞 Invalid [18737]
Missing Backports [220]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KCSAN: data-race in ktime_get_with_offset / timekeeping_update_from_shadow

Status: moderation: reported on 2026/05/10 01:50
Subsystems: kernel
Labels: prio:high
[Documentation on labels]
Reported-by: syzbot+f7dcf4d975188a9ddca4@syzkaller.appspotmail.com
First crash: 8d12h, last: 1d15h
✨ AI Jobs (2)
ID Workflow Result Correct Bug Created Started Finished Revision Error
eba7887a-f055-4ca5-9c41-6b3177f6aa18 assessment-security DenialOfService: ❌ Exploitable: ❌ FilesystemTrigger: ✅ NetworkTrigger: ✅ PeripheralTrigger: ✅ RemoteTrigger: ✅ Unprivileged: ✅ UserNamespace: ✅ VMGuestTrigger: ✅ VMHostTrigger: ✅ KCSAN: data-race in ktime_get_with_offset / timekeeping_update_from_shadow 2026/05/15 19:26 2026/05/15 19:26 2026/05/15 19:28 efdaf0f9b8bfc56ea6d17bea15a64f4591cc712d
9325fa29-9ab9-48fd-ad41-5b9b20a0e913 assessment-kcsan Benign: ✅ KCSAN: data-race in ktime_get_with_offset / timekeeping_update_from_shadow 2026/05/10 03:27 2026/05/10 03:27 2026/05/10 03:58 29233ece713919081e9069c2a18be92526041f39

Sample crash report:
==================================================================
BUG: KCSAN: data-race in ktime_get_with_offset / timekeeping_update_from_shadow

write to 0xffffffff893a8488 of 304 bytes by interrupt on cpu 1:
 timekeeping_update_from_shadow+0x40d/0x440 kernel/time/timekeeping.c:829
 __timekeeping_advance+0xa5d/0xc10 kernel/time/timekeeping.c:2532
 timekeeping_advance kernel/time/timekeeping.c:2540 [inline]
 update_wall_time+0x21/0x50 kernel/time/timekeeping.c:2550
 tick_do_update_jiffies64+0x169/0x1c0 kernel/time/tick-sched.c:149
 tick_sched_do_timer kernel/time/tick-sched.c:253 [inline]
 tick_nohz_handler+0x8d/0x3d0 kernel/time/tick-sched.c:312
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x276/0x4f0 kernel/time/hrtimer.c:1994
 hrtimer_interrupt+0x261/0x850 kernel/time/hrtimer.c:2113
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 __sysvec_apic_timer_interrupt+0x5f/0x1c0 arch/x86/kernel/apic/apic.c:1067
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0x6f/0x80 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
 kcsan_setup_watchpoint+0x404/0x410 kernel/kcsan/core.c:705
 __siphash_unaligned+0x32/0x2e0 lib/siphash.c:84
 siphash include/linux/siphash.h:86 [inline]
 hash_conntrack_raw net/netfilter/nf_conntrack_core.c:223 [inline]
 resolve_normal_ct net/netfilter/nf_conntrack_core.c:1887 [inline]
 nf_conntrack_in+0x416/0xed0 net/netfilter/nf_conntrack_core.c:2042
 ipv6_conntrack_in+0x1d/0x30 net/netfilter/nf_conntrack_proto.c:376
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0x78/0x180 net/netfilter/core.c:619
 nf_hook_slow_list+0xff/0x220 net/netfilter/core.c:656
 NF_HOOK_LIST include/linux/netfilter.h:354 [inline]
 ip6_sublist_rcv+0x9e7/0xa00 net/ipv6/ip6_input.c:359
 ipv6_list_rcv+0x267/0x2a0 net/ipv6/ip6_input.c:395
 __netif_receive_skb_list_ptype net/core/dev.c:6245 [inline]
 __netif_receive_skb_list_core+0x3b0/0x500 net/core/dev.c:6292
 __netif_receive_skb_list net/core/dev.c:6344 [inline]
 netif_receive_skb_list_internal+0x47d/0x5f0 net/core/dev.c:6435
 netif_receive_skb_list+0x33/0x1c0 net/core/dev.c:6487
 xdp_recv_frames net/bpf/test_run.c:269 [inline]
 xdp_test_run_batch net/bpf/test_run.c:350 [inline]
 bpf_test_run_xdp_live+0x104c/0x1360 net/bpf/test_run.c:379
 bpf_prog_test_run_xdp+0x57b/0xa10 net/bpf/test_run.c:1430
 bpf_prog_test_run+0x204/0x340 kernel/bpf/syscall.c:4742
 __sys_bpf+0x52e/0x7e0 kernel/bpf/syscall.c:6266
 __do_sys_bpf kernel/bpf/syscall.c:6361 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6359 [inline]
 __x64_sys_bpf+0x41/0x50 kernel/bpf/syscall.c:6359
 x64_sys_call+0x10cb/0x3020 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffffff893a84a8 of 8 bytes by task 9761 on cpu 0:
 timekeeping_cycles_to_ns kernel/time/timekeeping.c:444 [inline]
 timekeeping_get_ns kernel/time/timekeeping.c:449 [inline]
 ktime_get_with_offset+0x150/0x260 kernel/time/timekeeping.c:1011
 ktime_get_real include/linux/timekeeping.h:88 [inline]
 __net_timestamp include/linux/skbuff.h:4448 [inline]
 __skb_tstamp_tx+0x5e1/0x700 net/core/skbuff.c:5718
 __dev_queue_xmit+0x1479/0x1ec0 net/core/dev.c:4780
 dev_queue_xmit include/linux/netdevice.h:3418 [inline]
 neigh_hh_output include/net/neighbour.h:540 [inline]
 neigh_output include/net/neighbour.h:554 [inline]
 ip_finish_output2+0x705/0x8c0 net/ipv4/ip_output.c:237
 __ip_finish_output net/ipv4/ip_output.c:-1 [inline]
 ip_finish_output+0x112/0x290 net/ipv4/ip_output.c:325
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip_mc_output+0x25d/0x370 net/ipv4/ip_output.c:422
 dst_output include/net/dst.h:470 [inline]
 ip_local_out net/ipv4/ip_output.c:131 [inline]
 ip_send_skb+0x139/0x140 net/ipv4/ip_output.c:1510
 udp_send_skb+0x52a/0x7b0 net/ipv4/udp.c:1161
 udp_sendmsg+0x10d2/0x1500 net/ipv4/udp.c:1443
 inet_sendmsg+0xac/0xd0 net/ipv4/af_inet.c:866
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 ____sys_sendmsg+0x519/0x5b0 net/socket.c:2698
 ___sys_sendmsg+0x195/0x1e0 net/socket.c:2752
 __sys_sendmmsg+0x185/0x320 net/socket.c:2841
 __do_sys_sendmmsg net/socket.c:2868 [inline]
 __se_sys_sendmmsg net/socket.c:2865 [inline]
 __x64_sys_sendmmsg+0x57/0x70 net/socket.c:2865
 x64_sys_call+0x27aa/0x3020 arch/x86/include/generated/asm/syscalls_64.h:308
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x000e1e722801470e -> 0x000eb5a282054034

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 9761 Comm: syz.1.1727 Tainted: G        W           syzkaller #0 PREEMPT(full) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/05/16 23:11 upstream 6916d5703ddf de5aae85 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in ktime_get_with_offset / timekeeping_update_from_shadow
2026/05/10 11:49 upstream 1bfaee9d3351 29233ece .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in ktime_get_with_offset / timekeeping_update_from_shadow
2026/05/10 01:49 upstream e92b2872d0b1 29233ece .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in ktime_get_with_offset / timekeeping_update_from_shadow
* Struck through repros no longer work on HEAD.