syzbot


KCSAN: data-race in __hrtimer_rearm_deferred / print_cpu

Status: moderation: reported on 2026/04/24 03:11
Subsystems: kernel
Labels: prio:low
Reported-by: syzbot+20790177528defde1ce2@syzkaller.appspotmail.com
First crash: 35d, last: 4d11h
✨ AI Jobs (2)
ID: 1bacbd2d-3fcb-4ebb-a52e-c08e3a0807a9
Workflow: assessment-security
Result: DenialOfService: ❌, Exploitable: ❌, FilesystemTrigger: ❌, NetworkTrigger: ❌, PeripheralTrigger: ❌, RemoteTrigger: ❌, Unprivileged: ❌, UserNamespace: ❌, VMGuestTrigger: ❌, VMHostTrigger: ❌
Bug: KCSAN: data-race in __hrtimer_rearm_deferred / print_cpu
Created: 2026/05/18 23:43
Started: 2026/05/18 23:43
Finished: 2026/05/19 00:15
Revision: 9f74d39908454b73546eaf1b8211b48b66e5c0fe

ID: 897f09ae-06f3-4bab-bf66-e2077a40f5d0
Workflow: assessment-kcsan
Result: Benign: ✅, Confident: ✅
Bug: KCSAN: data-race in __hrtimer_rearm_deferred / print_cpu
Created: 2026/04/24 03:10
Started: 2026/04/24 03:10
Finished: 2026/04/24 03:29
Revision: 629ff21a2358bd38f4dbede12a995fb52356ed72

Sample crash report:
==================================================================
BUG: KCSAN: data-race in __hrtimer_rearm_deferred / print_cpu

write to 0xffff888237d1b8e8 of 8 bytes by task 3925 on cpu 1:
 hrtimer_rearm kernel/time/hrtimer.c:2028 [inline]
 __hrtimer_rearm_deferred+0x537/0x670 kernel/time/hrtimer.c:2059
 hrtimer_rearm_deferred_tif include/linux/hrtimer_rearm.h:53 [inline]
 hrtimer_rearm_deferred include/linux/hrtimer_rearm.h:62 [inline]
 irqentry_exit_to_kernel_mode_after_preempt include/linux/irq-entry-common.h:505 [inline]
 irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:542 [inline]
 irqentry_exit+0x55c/0x5d0 kernel/entry/common.c:164
 sysvec_apic_timer_interrupt+0x44/0x80 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
 __preempt_count_dec_and_test arch/x86/include/asm/preempt.h:95 [inline]
 __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:188 [inline]
 _raw_spin_unlock_irq+0x12/0x30 kernel/locking/spinlock.c:206
 spin_unlock_irq include/linux/spinlock.h:402 [inline]
 shmem_add_to_page_cache+0x3e6/0x5b0 mm/shmem.c:928
 shmem_alloc_and_add_folio mm/shmem.c:2001 [inline]
 shmem_get_folio_gfp+0x4f3/0xd60 mm/shmem.c:2564
 shmem_fault+0xf6/0x250 mm/shmem.c:2765
 __do_fault mm/memory.c:5474 [inline]
 do_read_fault mm/memory.c:5909 [inline]
 do_fault mm/memory.c:6043 [inline]
 do_pte_missing mm/memory.c:4566 [inline]
 handle_pte_fault mm/memory.c:6427 [inline]
 __handle_mm_fault mm/memory.c:6565 [inline]
 handle_mm_fault+0x16cd/0x2e70 mm/memory.c:6734
 faultin_page mm/gup.c:1126 [inline]
 __get_user_pages+0x1290/0x1f10 mm/gup.c:1428
 populate_vma_page_range mm/gup.c:1860 [inline]
 __mm_populate+0x242/0x390 mm/gup.c:1963
 mm_populate include/linux/mm.h:4137 [inline]
 vm_mmap_pgoff+0x23b/0x2d0 mm/util.c:586
 ksys_mmap_pgoff+0xc1/0x310 mm/mmap.c:606
 x64_sys_call+0x14df/0x3020 arch/x86/include/generated/asm/syscalls_64.h:10
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff888237d1b8e8 of 8 bytes by task 3935 on cpu 0:
 print_cpu+0x2fb/0x670 kernel/time/timer_list.c:129
 timer_list_show+0x107/0x170 kernel/time/timer_list.c:291
 seq_read_iter+0x31e/0x940 fs/seq_file.c:231
 proc_reg_read_iter+0x110/0x180 fs/proc/inode.c:299
 copy_splice_read+0x471/0x6c0 fs/splice.c:362
 do_splice_read fs/splice.c:980 [inline]
 splice_direct_to_actor+0x26e/0x670 fs/splice.c:1084
 do_splice_direct_actor fs/splice.c:1202 [inline]
 do_splice_direct+0x119/0x1a0 fs/splice.c:1228
 do_sendfile+0x382/0x650 fs/read_write.c:1372
 __do_sys_sendfile64 fs/read_write.c:1433 [inline]
 __se_sys_sendfile64 fs/read_write.c:1419 [inline]
 __x64_sys_sendfile64+0x105/0x150 fs/read_write.c:1419
 x64_sys_call+0x2dc4/0x3020 arch/x86/include/generated/asm/syscalls_64.h:41
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x7fffffffffffffff -> 0x0000000ec531373b

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 3935 Comm: syz.1.108 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
==================================================================

Crashes (3):
Time: 2026/05/25 14:32
Kernel: upstream
Commit: e7ae89a0c97c
Syzkaller: c69befb3
Config: .config
Log: console log
Report: report
VM info: info
Assets: disk image, vmlinux, kernel image
Manager: ci2-upstream-kcsan-gce
Title: KCSAN: data-race in __hrtimer_rearm_deferred / print_cpu

Time: 2026/04/24 03:16
Kernel: upstream
Commit: 45dcf5e28813
Syzkaller: 9cfb3ca7
Config: .config
Log: console log
Report: report
VM info: info
Assets: disk image, vmlinux, kernel image
Manager: ci2-upstream-kcsan-gce
Title: KCSAN: data-race in __hrtimer_rearm_deferred / print_cpu

Time: 2026/04/24 03:10
Kernel: upstream
Commit: 45dcf5e28813
Syzkaller: 9cfb3ca7
Config: .config
Log: console log
Report: report
VM info: info
Assets: disk image, vmlinux, kernel image
Manager: ci2-upstream-kcsan-gce
Title: KCSAN: data-race in __hrtimer_rearm_deferred / print_cpu