From: syzbot <syzbot+a3c71b9db9c11c270f59@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, baolin.wang@linux.alibaba.com,
	hughd@google.com,  linux-kernel@vger.kernel.org,
	linux-mm@kvack.org,  syzkaller-bugs@googlegroups.com
Subject: [syzbot] [mm?] KCSAN: data-race in __percpu_counter_limited_add / percpu_counter_add_batch (3)
Date: Fri, 19 Jun 2026 15:36:29 -0700
Message-ID: <6a35c46d.951a15ca.164930.0003.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    5e2e14749c3d Merge tag 'landlock-7.2-rc1' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=115453b6580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b0ae27ce66b92956
dashboard link: https://syzkaller.appspot.com/bug?extid=a3c71b9db9c11c270f59
compiler:       Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a565c60a4762/disk-5e2e1474.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e593a6eb0057/vmlinux-5e2e1474.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d24b55020ea3/bzImage-5e2e1474.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a3c71b9db9c11c270f59@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in __percpu_counter_limited_add / percpu_counter_add_batch

read-write to 0xffff88812a80e9d0 of 8 bytes by task 11484 on cpu 0:
 percpu_counter_add_batch+0x101/0x120 lib/percpu_counter.c:107
 percpu_counter_add include/linux/percpu_counter.h:71 [inline]
 percpu_counter_sub include/linux/percpu_counter.h:277 [inline]
 shmem_inode_unacct_blocks mm/shmem.c:263 [inline]
 shmem_recalc_inode+0x143/0x1f0 mm/shmem.c:466
 shmem_undo_range+0xb20/0xb60 mm/shmem.c:1272
 shmem_truncate_range mm/shmem.c:1277 [inline]
 shmem_evict_inode+0x132/0x520 mm/shmem.c:1407
 evict+0x2a5/0x510 fs/inode.c:828
 iput_final fs/inode.c:2022 [inline]
 iput+0x430/0x5a0 fs/inode.c:2071
 filename_unlinkat+0x21f/0x410 fs/namei.c:5585
 __do_sys_unlink fs/namei.c:5616 [inline]
 __se_sys_unlink+0x2b/0xe0 fs/namei.c:5613
 __x64_sys_unlink+0x1f/0x30 fs/namei.c:5613
 x64_sys_call+0x2eb6/0x3020 arch/x86/include/generated/asm/syscalls_64.h:88
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x136/0x3c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88812a80e9d0 of 8 bytes by task 16836 on cpu 1:
 __percpu_counter_limited_add+0xc4/0x3f0 lib/percpu_counter.c:-1
 percpu_counter_limited_add include/linux/percpu_counter.h:77 [inline]
 shmem_inode_acct_blocks+0xf4/0x230 mm/shmem.c:232
 shmem_alloc_and_add_folio mm/shmem.c:1979 [inline]
 shmem_get_folio_gfp+0x5d3/0xd90 mm/shmem.c:2502
 shmem_get_folio mm/shmem.c:2608 [inline]
 shmem_write_begin+0xfc/0x1f0 mm/shmem.c:3239
 generic_perform_write+0x186/0x490 mm/filemap.c:4363
 shmem_file_write_iter+0xc5/0xf0 mm/shmem.c:3414
 __kernel_write_iter+0x30f/0x590 fs/read_write.c:621
 dump_emit_page fs/coredump.c:1298 [inline]
 dump_user_range+0xa73/0xd00 fs/coredump.c:1372
 elf_core_dump+0x21c0/0x2340 fs/binfmt_elf.c:2109
 coredump_write+0xaf9/0xdd0 fs/coredump.c:1052
 do_coredump fs/coredump.c:1131 [inline]
 vfs_coredump+0x2770/0x3290 fs/coredump.c:1200
 get_signal+0xd33/0xf10 kernel/signal.c:3023
 arch_do_signal_or_restart+0x96/0x480 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:66 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:101 [inline]
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:244 [inline]
 irqentry_exit_to_user_mode include/linux/irq-entry-common.h:315 [inline]
 irqentry_exit+0x14d/0x610 kernel/entry/common.c:165
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:595

value changed: 0x000000000000459f -> 0x00000000000035b4

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 16836 Comm: syz.5.4499 Tainted: G        W           syzkaller #0 PREEMPT(lazy) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

