syzbot


KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy

Status: upstream: reported on 2026/04/20 14:13
Subsystems: bpf
Labels: prio:low
Reported-by: syzbot+44044637ef892e79ca2b@syzkaller.appspotmail.com
First crash: 73d, last: 3d23h
✨ AI Jobs (2)
Job 4ba95b45-ca03-4f56-a1b5-7a117ffc519a
  Workflow: assessment-security
  Result: DenialOfService: ❌ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ❌ UserNamespace: ❌ VMGuestTrigger: ❌ VMHostTrigger: ❌
  Bug: KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy
  Created: 2026/05/15 20:10
  Started: 2026/05/15 20:10
  Finished: 2026/05/15 20:38
  Revision: efdaf0f9b8bfc56ea6d17bea15a64f4591cc712d

Job 927ccc03-b65a-449c-a2fd-bf5ddc75070e
  Workflow: assessment-kcsan
  Result: Benign: ❌ Confident: ✅
  Bug: KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy
  Created: 2026/04/20 10:15
  Started: 2026/04/20 10:15
  Finished: 2026/04/20 10:35
  Revision: 303e2802d4760a2024848e19b613070c0df2a791

Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bpf?] KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy 1 (2) 2026/04/20 17:37

Sample crash report:
==================================================================
BUG: KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy

write to 0xffff88811c81be60 of 2 bytes by task 26082 on cpu 0:
 bpf_obj_memcpy+0x13c/0x1a0 include/linux/bpf.h:-1
 copy_map_value include/linux/bpf.h:591 [inline]
 rhtab_map_update_existing kernel/bpf/hashtab.c:3019 [inline]
 rhtab_map_update_elem+0xfa/0xf40 kernel/bpf/hashtab.c:3048
 bpf_map_update_value+0x4ea/0x560 kernel/bpf/syscall.c:298
 generic_map_update_batch+0x52d/0x680 kernel/bpf/syscall.c:2103
 bpf_map_do_batch+0x25b/0x380 kernel/bpf/syscall.c:5832
 __sys_bpf+0xa8e/0xc30 kernel/bpf/syscall.c:-1
 __do_sys_bpf kernel/bpf/syscall.c:6537 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6534 [inline]
 __x64_sys_bpf+0x69/0x80 kernel/bpf/syscall.c:6534
 x64_sys_call+0x10cb/0x3020 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x136/0x3c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

write to 0xffff88811c81be60 of 2 bytes by task 26081 on cpu 1:
 bpf_obj_memcpy+0x13c/0x1a0 include/linux/bpf.h:-1
 copy_map_value include/linux/bpf.h:591 [inline]
 rhtab_map_update_existing kernel/bpf/hashtab.c:3019 [inline]
 rhtab_map_update_elem+0xfa/0xf40 kernel/bpf/hashtab.c:3048
 bpf_map_update_value+0x4ea/0x560 kernel/bpf/syscall.c:298
 generic_map_update_batch+0x52d/0x680 kernel/bpf/syscall.c:2103
 bpf_map_do_batch+0x25b/0x380 kernel/bpf/syscall.c:5832
 __sys_bpf+0xa8e/0xc30 kernel/bpf/syscall.c:-1
 __do_sys_bpf kernel/bpf/syscall.c:6537 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6534 [inline]
 __x64_sys_bpf+0x69/0x80 kernel/bpf/syscall.c:6534
 x64_sys_call+0x10cb/0x3020 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x136/0x3c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x0000 -> 0xffff

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 26081 Comm: syz.9.3879 Tainted: G        W           syzkaller #0 PREEMPT(lazy) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
==================================================================

Crashes (3):
Time              Kernel    Commit        Syzkaller  Manager                  Title
2026/06/28 12:24  upstream  780d569e6c4b  fb92f11c   ci2-upstream-kcsan-gce   KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy
2026/06/13 20:11  upstream  062871f1371b  1d2f3589   ci2-upstream-kcsan-gce   KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy
2026/04/20 10:15  upstream  c1f49dea2b8f  303e2802   ci2-upstream-kcsan-gce   KCSAN: data-race in bpf_obj_memcpy / bpf_obj_memcpy
* Struck through repros no longer work on HEAD.