last executing test programs: 242.959032ms ago: executing program 4 (id=20): quotactl$Q_GETFMT(0x0, &(0x7f0000000000), 0x0, &(0x7f0000000000)) 215.534523ms ago: executing program 4 (id=23): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video2', 0x2, 0x0) 215.032623ms ago: executing program 4 (id=25): kexec_load(0x0, 0x0, &(0x7f0000000000), 0x0) 201.666823ms ago: executing program 4 (id=33): recvfrom(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0, 0x0) 200.892323ms ago: executing program 4 (id=37): sched_yield() 185.286874ms ago: executing program 4 (id=44): pause() 65.957038ms ago: executing program 1 (id=97): userfaultfd(0x0) 65.679728ms ago: executing program 1 (id=99): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer', 0x800, 0x0) 51.109388ms ago: executing program 1 (id=103): mlockall(0x0) 50.867328ms ago: executing program 1 (id=106): mmap(0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) 34.650059ms ago: executing program 1 (id=110): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/socket/zygote', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/socket/zygote', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/socket/zygote', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/socket/zygote', 0x800, 0x0) 34.242068ms ago: executing program 3 (id=113): fcntl$F_GET_FILE_RW_HINT(0xffffffffffffffff, 0x40d, &(0x7f0000000000)) 34.113259ms ago: executing program 1 (id=114): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/policy', 0x0, 0x0) 34.056988ms ago: executing program 0 (id=115): sigaltstack(&(0x7f0000000000), 0x0) 33.987488ms ago: executing program 2 (id=116): open(&(0x7f0000000000), 0x0, 0x0) 33.940608ms ago: executing program 3 (id=117): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/full', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full', 0x800, 0x0) 19.210789ms ago: executing program 0 (id=118): setresgid(0x0, 0x0, 0x0) 18.967069ms ago: executing program 2 (id=119): geteuid() 18.903339ms ago: executing program 3 (id=120): init_module(&(0x7f0000000000), 0x0, &(0x7f0000000000)) 18.748659ms ago: executing program 0 (id=121): syz_open_dev$vim2m(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$vim2m(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$vim2m(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$vim2m(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$vim2m(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$vim2m(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$vim2m(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$vim2m(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$vim2m(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$vim2m(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$vim2m(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$vim2m(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$vim2m(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$vim2m(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$vim2m(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$vim2m(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$vim2m(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$vim2m(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$vim2m(&(0x7f0000000500), 0x4, 0x800) 18.717929ms ago: executing program 2 (id=122): rmdir(&(0x7f0000000000)) 18.548359ms ago: executing program 3 (id=123): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cdrom1', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cdrom1', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/cdrom1', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/cdrom1', 0x800, 0x0) 18.467589ms ago: executing program 0 (id=124): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcsa', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcsa', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcsa', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vcsa', 0x800, 0x0) 669.13µs ago: executing program 2 (id=125): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hpet', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hpet', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hpet', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hpet', 0x800, 0x0) 518.58µs ago: executing program 3 (id=126): semget(0xffffffffffffffff, 0x0, 0x0) 461.95µs ago: executing program 0 (id=127): getresuid(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000)) 264.08µs ago: executing program 2 (id=128): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dma_heap/system', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dma_heap/system', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dma_heap/system', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dma_heap/system', 0x800, 0x0) 154.33µs ago: executing program 3 (id=129): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nmem0', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/nmem0', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/nmem0', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/nmem0', 0x800, 0x0) 123.46µs ago: executing program 0 (id=130): syz_open_dev$vbi(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$vbi(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$vbi(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$vbi(&(0x7f0000000100), 0x0, 0x800) 0s ago: executing program 2 (id=131): mincore(0x0, 0x0, &(0x7f0000000000)) kernel console output (not intermixed with test programs): [ 16.951615][ T28] audit: type=1400 audit(1778924872.389:98): avc: denied { transition } for pid=3173 comm="sshd-session" path="/bin/sh" dev="sda1" ino=90 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 16.974364][ T28] audit: type=1400 audit(1778924872.389:99): avc: denied { noatsecure } for pid=3173 comm="sshd-session" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 16.996467][ T28] audit: type=1400 audit(1778924872.389:100): avc: denied { write } for pid=3173 comm="sh" path="pipe:[1498]" dev="pipefs" ino=1498 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 17.018855][ T28] audit: type=1400 audit(1778924872.389:101): avc: denied { rlimitinh } for pid=3173 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 17.037990][ T28] audit: type=1400 audit(1778924872.389:102): avc: denied { siginh } for pid=3173 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 17.807468][ T3181] scp (3181) used greatest stack depth: 10984 bytes left [ 18.191763][ T28] audit: type=1400 audit(1778924873.629:103): avc: denied { search } for pid=3182 comm="dhcpcd-run-hook" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 18.213787][ T28] audit: type=1400 audit(1778924873.629:104): avc: denied { search } for pid=3182 comm="dhcpcd-run-hook" name="dhcpcd" dev="tmpfs" ino=483 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 19.207678][ T28] kauditd_printk_skb: 16 callbacks suppressed [ 19.207693][ T28] audit: type=1400 audit(1778924874.649:121): avc: denied { write } for pid=3249 comm="rm" name="hook-state" dev="tmpfs" ino=487 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 19.275174][ T28] audit: type=1400 audit(1778924874.709:122): avc: denied { write } for pid=3252 comm="dhcpcd-run-hook" name="hook-state" dev="tmpfs" ino=487 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 19.298258][ T28] audit: type=1400 audit(1778924874.729:123): avc: denied { write } for pid=3263 comm="rm" name="hook-state" dev="tmpfs" ino=487 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 19.412061][ T28] audit: type=1400 audit(1778924874.849:124): avc: denied { write } for pid=3266 comm="dhcpcd-run-hook" name="hook-state" dev="tmpfs" ino=487 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 19.435009][ T28] audit: type=1400 audit(1778924874.859:125): avc: denied { write } for pid=3277 comm="rm" name="hook-state" dev="tmpfs" ino=487 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 Warning: Permanently added '10.128.1.76' (ED25519) to the list of known hosts. [ 24.638053][ T28] audit: type=1400 audit(1778924880.079:126): avc: denied { mounton } for pid=3288 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 24.661178][ T28] audit: type=1400 audit(1778924880.099:127): avc: denied { mount } for pid=3288 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.661963][ T3288] cgroup: Unknown subsys name 'net' [ 24.688894][ T28] audit: type=1400 audit(1778924880.129:128): avc: denied { unmount } for pid=3288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.787127][ T3288] cgroup: Unknown subsys name 'cpuset' [ 24.793142][ T3288] cgroup: Unknown subsys name 'rlimit' [ 24.885742][ T28] audit: type=1400 audit(1778924880.319:129): avc: denied { setattr } for pid=3288 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=142 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 24.909119][ T28] audit: type=1400 audit(1778924880.329:130): avc: denied { create } for pid=3288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.929736][ T28] audit: type=1400 audit(1778924880.329:131): avc: denied { write } for pid=3288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.942088][ T3291] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 24.950377][ T28] audit: type=1400 audit(1778924880.329:132): avc: denied { read } for pid=3288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 24.980225][ T28] audit: type=1400 audit(1778924880.329:133): avc: denied { mounton } for pid=3288 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 25.005086][ T28] audit: type=1400 audit(1778924880.329:134): avc: denied { mount } for pid=3288 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 25.014580][ T3288] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 25.028831][ T28] audit: type=1400 audit(1778924880.369:135): avc: denied { read } for pid=3025 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1 [ 26.213244][ T40] ================================================================== [ 26.221347][ T40] BUG: KCSAN: data-race in copy_process / free_pid [ 26.227842][ T40] [ 26.230149][ T40] read-write to 0xffffffff86c5c3a8 of 4 bytes by task 3302 on cpu 0: [ 26.238191][ T40] free_pid+0xb3/0x1b0 [ 26.242247][ T40] free_pids+0x54/0xb0 [ 26.246302][ T40] release_task+0x9a7/0xb60 [ 26.250788][ T40] wait_consider_task+0x1160/0x1670 [ 26.255973][ T40] __do_wait+0xf9/0x510 [ 26.260114][ T40] do_wait+0xb6/0x230 [ 26.264080][ T40] kernel_wait4+0x19f/0x210 [ 26.268568][ T40] __x64_sys_wait4+0x91/0x120 [ 26.273231][ T40] x64_sys_call+0x2aee/0x3020 [ 26.277892][ T40] do_syscall_64+0x12c/0x3b0 [ 26.282467][ T40] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 26.288340][ T40] [ 26.290647][ T40] read to 0xffffffff86c5c3a8 of 4 bytes by task 40 on cpu 1: [ 26.297992][ T40] copy_process+0x1af1/0x2370 [ 26.302649][ T40] kernel_clone+0x1a5/0x5e0 [ 26.307132][ T40] user_mode_thread+0x9c/0xd0 [ 26.311790][ T40] call_usermodehelper_exec_work+0x7a/0x160 [ 26.317669][ T40] process_scheduled_works+0x4f0/0x9c0 [ 26.323111][ T40] worker_thread+0x58a/0x780 [ 26.327687][ T40] kthread+0x22a/0x280 [ 26.331737][ T40] ret_from_fork+0x146/0x330 [ 26.336314][ T40] ret_from_fork_asm+0x1a/0x30 [ 26.341062][ T40] [ 26.343365][ T40] value changed: 0x8000009a -> 0x80000099 [ 26.349062][ T40] [ 26.351362][ T40] Reported by Kernel Concurrency Sanitizer on: SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 26.357504][ T40] CPU: 1 UID: 0 PID: 40 Comm: kworker/u8:2 Not tainted syzkaller #0 PREEMPT(full) [ 26.366765][ T40] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 [ 26.376802][ T40] Workqueue: events_unbound call_usermodehelper_exec_work [ 26.383913][ T40] ==================================================================