| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/07/15 10:43 | flow | patch-triage |
0mArgs:null Results: {
"EnableConfigs": null,
"FocusSymbols": [
"neigh_forced_gc"
],
"Reasoning": "The patch modifies the neighbor garbage collection logic by adding a rate limit for forced GC passes on large neighbor tables. This is functional core networking code.",
"WorthFuzzing": true
} |
| 1/1 | 2026/07/15 10:43 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit 6fc59cc6d4c5d32879829c0ad23c8c862c812dbb\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Wed Jul 15 10:43:14 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/net/core/neighbour.c b/net/core/neighbour.c\nindex 1349c0eedb6425..9977b9f3204ef4 100644\n--- a/net/core/neighbour.c\n+++ b/net/core/neighbour.c\n@@ -250,6 +250,8 @@ bool neigh_remove_one(struct neighbour *n)\n \treturn retval;\n }\n \n+#define NEIGH_FORCED_GC_LARGE_TABLE_THRESH 16384\n+\n static int neigh_forced_gc(struct neigh_table *tbl)\n {\n \tint max_clean = atomic_read(\u0026tbl-\u003egc_entries) -\n@@ -260,6 +262,15 @@ static int neigh_forced_gc(struct neigh_table *tbl)\n \tint shrunk = 0;\n \tint loop = 0;\n \n+\t/*\n+\t * For large neighbor tables, repeated forced GC passes can spend\n+\t * significant CPU scanning neighbor entries when most remain active.\n+\t * Rate-limit consecutive forced GC passes to reduce CPU overhead.\n+\t */\n+\tif (atomic_read(\u0026tbl-\u003egc_entries) \u003e= NEIGH_FORCED_GC_LARGE_TABLE_THRESH \u0026\u0026\n+\t time_before(jiffies, READ_ONCE(tbl-\u003elast_flush) + msecs_to_jiffies(50)))\n+\t\treturn 0;\n+\n \tNEIGH_CACHE_STAT_INC(tbl, forced_gc_runs);\n \n \tspin_lock_bh(\u0026tbl-\u003elock);\n"
} |
| 2/1 | 2026/07/15 10:43 | agent | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": null,
"FocusSymbols": [
"neigh_forced_gc"
],
"Reasoning": "The patch modifies the neighbor garbage collection logic by adding a rate limit for forced GC passes on large neighbor tables. This is functional core networking code.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes:
commit 6fc59cc6d4c5d32879829c0ad23c8c862c812dbb
Author: syz-cluster <triage@syzkaller.com>
Date: Wed Jul 15 10:43:14 2026 +0000
syz-cluster: applied patch under review
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 1349c0eedb6425..9977b9f3204ef4 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -250,6 +250,8 @@ bool neigh_remove_one(struct neighbour *n)
return retval;
}
+#define NEIGH_FORCED_GC_LARGE_TABLE_THRESH 16384
+
static int neigh_forced_gc(struct neigh_table *tbl)
{
int max_clean = atomic_read(&tbl->gc_entries) -
@@ -260,6 +262,15 @@ static int neigh_forced_gc(struct neigh_table *tbl)
int shrunk = 0;
int loop = 0;
+ /*
+ * For large neighbor tables, repeated forced GC passes can spend
+ * significant CPU scanning neighbor entries when most remain active.
+ * Rate-limit consecutive forced GC passes to reduce CPU overhead.
+ */
+ if (atomic_read(&tbl->gc_entries) >= NEIGH_FORCED_GC_LARGE_TABLE_THRESH &&
+ time_before(jiffies, READ_ONCE(tbl->last_flush) + msecs_to_jiffies(50)))
+ return 0;
+
NEIGH_CACHE_STAT_INC(tbl, forced_gc_runs);
spin_lock_bh(&tbl->lock);
|
| 3/2 | 2026/07/15 10:43 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 2016 output: 32 thoughts: 135 Thoughts: Okay, here's my understanding, thinking through this code change in `net/core/neighbour.c`. **Analyzing the Neighbor Table Forced Garbage Collection Rate Limiting** Alright, I see a patch has been introduced to modify `net/core/neighbour.c`, specifically focusing on `neigh_forced_gc`. This is interesting, and likely addressing a performance issue related to large neighbor tables. The core of this seems to be a rate-limiting mechanism for the "forced garbage collection" passes. It looks like it's designed to prevent excessive GC activity when we have a huge number of entries. The key condition being introduced revolves around two checks. First, it's comparing the current number of GC entries, retrieved with `atomic_read(&tbl->gc_entries)`, against `NEIGH_FORCED_GC_LARGE_TABLE_THRESH`. My guess is that threshold is probably set at 16384, which seems a reasonable boundary to define as "large". If that first condition is met, then it checks a second condition. The second condition checks the time since the last flush using `time_before(jiffies, READ_ONCE(tbl->last_flush) + msecs_to_jiffies(50))`. The last flush time is compared to the current `jiffies` plus a time interval equivalent to 50 milliseconds. So, effectively, the patch is trying to throttle the frequency of `neigh_forced_gc` calls. If the neighbor table hits the "large" size threshold, a GC pass will be skipped if it's been less than 50ms since the last one. That's a good way to mitigate the impact of excessive GC on large tables. It seems like the core idea is to prevent the forced garbage collection from consuming too much processing time when the neighbor table is large. It seems like it's a good approach. I should probably dive deeper into this `neigh_forced_gc` function itself to fully understand the logic. |
| 4/2 | 2026/07/15 10:43 | tool | grepper |
0mArgs:{
"Expression": "neigh_forced_gc",
"PathPrefix": "net/core/neighbour.c"
}Results: {
"Output": "net/core/neighbour.c=236=bool neigh_remove_one(struct neighbour *n)\n--\nnet/core/neighbour.c-254-\nnet/core/neighbour.c:255:static int neigh_forced_gc(struct neigh_table *tbl)\nnet/core/neighbour.c-256-{\n--\nnet/core/neighbour.c=504=static struct neighbour *neigh_alloc(struct neigh_table *tbl,\n--\nnet/core/neighbour.c-519-\t time_after(now, READ_ONCE(tbl-\u003elast_flush) + 5 * HZ))) {\nnet/core/neighbour.c:520:\t\tif (!neigh_forced_gc(tbl) \u0026\u0026 entries \u003e= gc_thresh3) {\nnet/core/neighbour.c-521-\t\t\tnet_info_ratelimited(\"%s: neighbor table overflow!\\n\",\n"
} |
| 5/2 | 2026/07/15 10:43 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 2833 output: 30 thoughts: 156 Thoughts: **Analyzing the `neigh_forced_gc` and `neigh_alloc` Functions** Okay, so I'm digging into this patch. It looks like the change is centered around `neigh_forced_gc`, and it's being called from within `neigh_alloc`. That's a solid start – definitely a functional path and it's reachable code, so that's promising. `neigh_alloc` itself is invoked when a new neighbor is allocated, which is a key process within networking. I'm checking if there are any specific configurations that would affect this code path. Since it's nestled within `net/core/neighbour.c`, part of the core networking stack, the only required configuration I can think of is `CONFIG_NET`. It's foundational. Now, considering fuzzing, I'm thinking both `neigh_forced_gc` and `neigh_alloc` are good candidates to focus on. `neigh_forced_gc` looks like a particularly juicy target. `neigh_alloc` is also appealing, though I need to keep in mind it could be a hot path. The high call count might make it more sensitive to fuzzing-induced overhead, but also a good test case for detecting memory bugs. My next step is to get a clearer picture of `neigh_alloc`. I should see where else that function is being called from. Knowing the call graph will help to understand the context and potential entry points for fuzzing. |
| 6/2 | 2026/07/15 10:43 | tool | grepper |
0mArgs:{
"Expression": "neigh_alloc",
"PathPrefix": "net/core/neighbour.c"
}Results: {
"Output": "net/core/neighbour.c=498=int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)\n--\nnet/core/neighbour.c-503-\nnet/core/neighbour.c:504:static struct neighbour *neigh_alloc(struct neigh_table *tbl,\nnet/core/neighbour.c-505-\t\t\t\t struct net_device *dev,\n--\nnet/core/neighbour.c=654=___neigh_create(struct neigh_table *tbl, const void *pkey,\n--\nnet/core/neighbour.c-662-\nnet/core/neighbour.c:663:\tn = neigh_alloc(tbl, dev, flags, exempt_from_gc);\nnet/core/neighbour.c-664-\ttrace_neigh_create(tbl, dev, pkey, n, exempt_from_gc);\n"
} |
| 7/2 | 2026/07/15 10:43 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 3552 output: 67 thoughts: 97 Thoughts: **Analyzing the 'neigh_forced_gc' Patch** Okay, so I'm looking at this patch and my initial thought is that `neigh_forced_gc` is a pretty good target symbol. It seems directly related to a critical function: the garbage collection process for the neighbor table, which I know is vital for network performance. The description confirms this – it's triggered when the neighbor table, which stores information about directly connected devices, gets full. The interesting part, and what makes this worth a closer look, is the addition of a rate limit for large tables. This suggests the existing garbage collection mechanism could become a bottleneck or resource hog under heavy load. The addition of a rate limit implies someone identified a performance issue with that process. Functionally, this seems solid; the patch is clearly intended to improve performance and stability when dealing with potentially huge neighbor tables, which are common in dense environments. I agree with the 'WorthFuzzing: true' designation. This type of core networking code, especially when dealing with potentially problematic situations like a full table, is precisely where fuzzing can expose edge cases and potential vulnerabilities, even if the code change seems straightforward. The `FocusSymbols: ["neigh_forced_gc"]` is right on the money. This is the heart of the changes. The 'EnableConfigs: []' is probably because it’s a generic function that doesn't need any special configurations to test. It all seems reasonable. |
| 8/2 | 2026/07/15 10:43 | tool | set-results |
0mArgs:{
"EnableConfigs": [],
"FocusSymbols": [
"neigh_forced_gc"
],
"Reasoning": "The patch modifies the neighbor garbage collection logic by adding a rate limit for forced GC passes on large neighbor tables. This is functional core networking code.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": null,
"FocusSymbols": [
"neigh_forced_gc"
],
"Reasoning": "The patch modifies the neighbor garbage collection logic by adding a rate limit for forced GC passes on large neighbor tables. This is functional core networking code.",
"WorthFuzzing": true
} |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|