==================================================================
BUG: KCSAN: data-race in copy_mm / percpu_counter_destroy_many

write to 0xffff88810b016a48 of 8 bytes by task 4811 on cpu 0:
 __list_del include/linux/list.h:203 [inline]
 __list_del_entry include/linux/list.h:226 [inline]
 list_del include/linux/list.h:237 [inline]
 percpu_counter_destroy_many+0xc7/0x2b0 lib/percpu_counter.c:244
 __mmdrop+0x25a/0x3f0 kernel/fork.c:734
 mmdrop include/linux/sched/mm.h:55 [inline]
 mmdrop_sched include/linux/sched/mm.h:83 [inline]
 mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline]
 finish_task_switch+0x186/0x2a0 kernel/sched/core.c:5139
 context_switch kernel/sched/core.c:5259 [inline]
 __schedule+0x85f/0xcd0 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x5f/0xd0 kernel/sched/core.c:6960
 schedule_timeout+0x53/0x170 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:100 [inline]
 __wait_for_common kernel/sched/completion.c:121 [inline]
 wait_for_common+0xfa/0x1e0 kernel/sched/completion.c:132
 wait_for_completion_state+0x15/0x40 kernel/sched/completion.c:269
 call_usermodehelper_exec+0x266/0x2c0 kernel/umh.c:441
 call_modprobe kernel/module/kmod.c:102 [inline]
 __request_module+0x283/0x3e0 kernel/module/kmod.c:172
 crypto_larval_lookup crypto/api.c:306 [inline]
 crypto_alg_mod_lookup+0xe4/0x490 crypto/api.c:353
 crypto_find_alg+0x61/0x70 crypto/api.c:599
 crypto_type_has_alg+0x28/0x60 crypto/algapi.c:1045
 crypto_has_aead+0x27/0x40 crypto/aead.c:229
 xfrm_find_algo net/xfrm/xfrm_algo.c:695 [inline]
 xfrm_aead_get_byname+0x443/0x4a0 net/xfrm/xfrm_algo.c:784
 attach_aead net/xfrm/xfrm_user.c:706 [inline]
 xfrm_state_construct net/xfrm/xfrm_user.c:914 [inline]
 xfrm_add_sa+0x12bd/0x25b0 net/xfrm/xfrm_user.c:1022
 xfrm_user_rcv_msg+0x566/0x660 net/xfrm/xfrm_user.c:3507
 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550
 xfrm_netlink_rcv+0x48/0x60 net/xfrm/xfrm_user.c:3529
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x5c0/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x58b/0x6b0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x145/0x180 net/socket.c:742
 ____sys_sendmsg+0x31e/0x4a0 net/socket.c:2592
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2681
 x64_sys_call+0x17ba/0x3000 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88810b016540 of 1664 bytes by task 4815 on cpu 1:
 dup_mm kernel/fork.c:1523 [inline]
 copy_mm+0xe2/0x370 kernel/fork.c:1581
 copy_process+0xcbc/0x1ef0 kernel/fork.c:2221
 kernel_clone+0x16c/0x5c0 kernel/fork.c:2651
 __do_sys_clone kernel/fork.c:2792 [inline]
 __se_sys_clone kernel/fork.c:2776 [inline]
 __x64_sys_clone+0xe6/0x120 kernel/fork.c:2776
 x64_sys_call+0x12d0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:57
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 4815 Comm: syz.1.426 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
==================================================================
syz.1.426: attempt to access beyond end of device
loop1: rw=8402945, sector=74, nr_sectors = 2 limit=64
Buffer I/O error on dev loop1, logical block 37, lost sync page write
EXT4-fs error (device loop1): ext4_splice_branch:472: inode #18: block 37: comm syz.1.426: IO error syncing itable block
EXT4-fs error (device loop1): ext4_check_bdev_write_error:227: comm syz.1.426: Error while async write back metadata
syz.1.426: attempt to access beyond end of device
loop1: rw=8390659, sector=476, nr_sectors = 2 limit=64
EXT4-fs (loop1): discard request in group:0 block:237 count:1 failed with -5
EXT4-fs error (device loop1) in ext4_mb_clear_bb:6689: IO failure
EXT4-fs error (device loop1): mb_free_blocks:2037: group 0, inode 18: block 238:freeing already freed block (bit 237); block bitmap corrupt.
EXT4-fs (loop1): pa ffff888107645540: logic 13, phys. 205, len 51
EXT4-fs error (device loop1): ext4_mb_release_inode_pa:5466: group 0, free 49, pa_free 48
syz.1.426: attempt to access beyond end of device
loop1: rw=8402945, sector=74, nr_sectors = 2 limit=64
Buffer I/O error on dev loop1, logical block 37, lost sync page write
EXT4-fs error (device loop1): ext4_free_data:978: inode #18: block 37: comm syz.1.426: IO error syncing itable block
EXT4-fs error (device loop1): ext4_check_bdev_write_error:227: comm syz.1.426: Error while async write back metadata
syz.1.426: attempt to access beyond end of device
loop1: rw=2049, sector=82, nr_sectors = 8 limit=64
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 41)
Buffer I/O error on device loop1, logical block 41
Buffer I/O error on device loop1, logical block 42
Buffer I/O error on device loop1, logical block 43
Buffer I/O error on device loop1, logical block 44
syz.1.426: attempt to access beyond end of device
loop1: rw=2049, sector=98, nr_sectors = 8 limit=64
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 49)
Buffer I/O error on device loop1, logical block 49
Buffer I/O error on device loop1, logical block 50
Buffer I/O error on device loop1, logical block 51
Buffer I/O error on device loop1, logical block 52
syz.1.426: attempt to access beyond end of device
loop1: rw=2049, sector=114, nr_sectors = 8 limit=64
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 57)
Buffer I/O error on device loop1, logical block 57
Buffer I/O error on device loop1, logical block 58
syz.1.426: attempt to access beyond end of device
loop1: rw=2049, sector=130, nr_sectors = 8 limit=64
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 65)
syz.1.426: attempt to access beyond end of device
loop1: rw=2049, sector=90, nr_sectors = 8 limit=64
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 45)
syz.1.426: attempt to access beyond end of device
loop1: rw=2049, sector=106, nr_sectors = 8 limit=64
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 53)
syz.1.426: attempt to access beyond end of device
loop1: rw=2049, sector=122, nr_sectors = 8 limit=64
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 61)
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 125)
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 161)
EXT4-fs warning (device loop1): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 201)