syzbot

Code: 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
==================================================================
BUG: KCSAN: data-race in data_push_tail / string

write to 0xffffffff893be288 of 1 bytes by task 28 on cpu 0:
 string_nocheck lib/vsprintf.c:659 [inline]
 string+0x187/0x220 lib/vsprintf.c:737
 vsnprintf+0x532/0x860 lib/vsprintf.c:2948
 vscnprintf+0x41/0x90 lib/vsprintf.c:3013
 printk_sprint+0x30/0x2b0 kernel/printk/printk.c:2222
 vprintk_store+0x57b/0x910 kernel/printk/printk.c:2364
 vprintk_emit+0x1a4/0x600 kernel/printk/printk.c:2455
 vprintk_default+0x26/0x30 kernel/printk/printk.c:2494
 vprintk+0x1d/0x30 kernel/printk/printk_safe.c:82
 _printk+0x79/0xa0 kernel/printk/printk.c:2504
 kauditd_printk_skb kernel/audit.c:587 [inline]
 kauditd_hold_skb+0x1b1/0x1c0 kernel/audit.c:622
 kauditd_send_queue+0x273/0x2c0 kernel/audit.c:807
 kauditd_thread+0x444/0x670 kernel/audit.c:931
 kthread+0x22a/0x280 kernel/kthread.c:436
 ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

read to 0xffffffff893be288 of 8 bytes by task 14714 on cpu 1:
 data_make_reusable kernel/printk/printk_ringbuffer.c:608 [inline]
 data_push_tail+0x100/0x470 kernel/printk/printk_ringbuffer.c:693
 data_alloc+0x11b/0x390 kernel/printk/printk_ringbuffer.c:1089
 prb_reserve+0x8d7/0xae0 kernel/printk/printk_ringbuffer.c:1724
 vprintk_store+0x54a/0x910 kernel/printk/printk.c:2354
 vprintk_emit+0x1a4/0x600 kernel/printk/printk.c:2455
 vprintk_default+0x26/0x30 kernel/printk/printk.c:2494
 vprintk+0x1d/0x30 kernel/printk/printk_safe.c:82
 _printk+0x79/0xa0 kernel/printk/printk.c:2504
 show_opcodes+0xfd/0x120 arch/x86/kernel/dumpstack.c:121
 show_iret_regs+0x12/0x40 arch/x86/kernel/dumpstack.c:147
 __show_regs+0x2a/0x430 arch/x86/kernel/process_64.c:78
 show_regs_if_on_stack arch/x86/kernel/dumpstack.c:165 [inline]
 __show_trace_log_lvl+0x38f/0x560 arch/x86/kernel/dumpstack.c:298
 __warn+0x159/0x330 kernel/panic.c:1060
 __report_bug+0x241/0x490 lib/bug.c:246
 report_bug_entry+0xb2/0x100 lib/bug.c:266
 handle_bug+0xce/0x200 arch/x86/kernel/traps.c:431
 exc_invalid_op+0x1a/0x50 arch/x86/kernel/traps.c:490
 asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:616
 ext4_xattr_inode_update_ref+0x332/0x350 fs/ext4/xattr.c:1057
 ext4_xattr_inode_dec_ref fs/ext4/xattr.c:1082 [inline]
 ext4_xattr_inode_dec_ref_all+0x57c/0x880 fs/ext4/xattr.c:1228
 ext4_xattr_delete_inode+0x6c1/0x7a0 fs/ext4/xattr.c:2950
 ext4_evict_inode+0xb16/0xe30 fs/ext4/inode.c:284
 evict+0x2af/0x510 fs/inode.c:841
 iput_final fs/inode.c:1960 [inline]
 iput+0x41a/0x580 fs/inode.c:2009
 ext4_process_orphan+0x1a9/0x1c0 fs/ext4/orphan.c:358
 ext4_orphan_cleanup+0x6a2/0xa00 fs/ext4/orphan.c:472
 __ext4_fill_super fs/ext4/super.c:5695 [inline]
 ext4_fill_super+0x3408/0x37c0 fs/ext4/super.c:5818
 get_tree_bdev_flags+0x291/0x300 fs/super.c:1694
 get_tree_bdev+0x1f/0x30 fs/super.c:1717
 ext4_get_tree+0x1c/0x30 fs/ext4/super.c:5850
 vfs_get_tree+0x57/0x1d0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3758 [inline]
 do_new_mount+0x288/0x8d0 fs/namespace.c:3834
 path_mount+0x4d0/0xbc0 fs/namespace.c:4154
 do_mount fs/namespace.c:4167 [inline]
 __do_sys_mount fs/namespace.c:4383 [inline]
 __se_sys_mount+0x28c/0x2e0 fs/namespace.c:4360
 __x64_sys_mount+0x67/0x80 fs/namespace.c:4360
 x64_sys_call+0x2d61/0x3020 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x00000000ffffea06 -> 0x747865746e6f6373

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 14714 Comm: syz.9.3986 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
==================================================================
RSP: 002b:00007efeec3eee58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007efeec3eeee0 RCX: 00007efeed99da8a
RDX: 00002000000009c0 RSI: 0000200000000540 RDI: 00007efeec3eeea0
RBP: 00002000000009c0 R08: 00007efeec3eeee0 R09: 0000000000800718
R10: 0000000000800718 R11: 0000000000000246 R12: 0000200000000540
R13: 00007efeec3eeea0 R14: 000000000000048d R15: 0000200000000200
 </TASK>
---[ end trace 0000000000000000 ]---
EXT4-fs (loop9): 1 orphan inode deleted
EXT4-fs (loop9): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
----------------
Code disassembly (best guess):
   0:	48 c7 c2 e8 ff ff ff 	mov    $0xffffffffffffffe8,%rdx
   7:	f7 d8                	neg    %eax
   9:	64 89 02             	mov    %eax,%fs:(%rdx)
   c:	b8 ff ff ff ff       	mov    $0xffffffff,%eax
  11:	c3                   	ret
  12:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  19:	00 00 00
  1c:	0f 1f 40 00          	nopl   0x0(%rax)
  20:	49 89 ca             	mov    %rcx,%r10
  23:	b8 a5 00 00 00       	mov    $0xa5,%eax
  28:	0f 05                	syscall
* 2a:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax <-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	ret
  33:	48 c7 c1 e8 ff ff ff 	mov    $0xffffffffffffffe8,%rcx
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W