==================================================================
BUG: KCSAN: data-race in virtqueue_get_buf_ctx / vring_interrupt

read-write to 0xffff88810224b25c of 2 bytes by interrupt on cpu 0:
 virtqueue_get_buf_ctx_split drivers/virtio/virtio_ring.c:959 [inline]
 virtqueue_get_buf_ctx+0x607/0xdb0 drivers/virtio/virtio_ring.c:3086
 virtqueue_get_buf+0x1f/0x30 drivers/virtio/virtio_ring.c:3092
 __free_old_xmit+0x53/0x340 drivers/net/virtio_net.c:588
 virtnet_free_old_xmit+0x39/0x1b0 drivers/net/virtio_net.c:629
 free_old_xmit drivers/net/virtio_net.c:958 [inline]
 virtnet_poll_tx+0x2de/0xca0 drivers/net/virtio_net.c:3239
 __napi_poll+0x61/0x300 net/core/dev.c:7730
 napi_poll net/core/dev.c:7793 [inline]
 net_rx_action+0x452/0x930 net/core/dev.c:7950
 handle_softirqs+0xb9/0x280 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x42/0xd0 kernel/softirq.c:735
 common_interrupt+0x83/0x90 arch/x86/kernel/irq.c:326
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688
 __preempt_count_dec_and_test arch/x86/include/asm/preempt.h:95 [inline]
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:179 [inline]
 _raw_spin_unlock_irqrestore+0x1a/0x30 kernel/locking/spinlock.c:198
 spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
 __skb_try_recv_datagram+0x123/0x320 net/core/datagram.c:267
 __unix_dgram_recvmsg+0x25a/0x870 net/unix/af_unix.c:2587
 unix_dgram_recvmsg+0x7e/0x90 net/unix/af_unix.c:2686
 sock_recvmsg_nosec+0xc2/0xf0 net/socket.c:1137
 ____sys_recvmsg+0x26f/0x280 net/socket.c:2916
 ___sys_recvmsg+0x11f/0x3b0 net/socket.c:2960
 do_recvmmsg+0x1ef/0x560 net/socket.c:3055
 __sys_recvmmsg net/socket.c:3129 [inline]
 __do_sys_recvmmsg net/socket.c:3152 [inline]
 __se_sys_recvmmsg net/socket.c:3145 [inline]
 __x64_sys_recvmmsg+0xe5/0x170 net/socket.c:3145
 x64_sys_call+0x80f/0x3020 arch/x86/include/generated/asm/syscalls_64.h:300
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88810224b25c of 2 bytes by interrupt on cpu 1:
 more_used_split drivers/virtio/virtio_ring.c:906 [inline]
 more_used drivers/virtio/virtio_ring.c:3218 [inline]
 vring_interrupt+0x48/0x310 drivers/virtio/virtio_ring.c:3233
 __handle_irq_event_percpu+0x8b/0x480 kernel/irq/handle.c:209
 handle_irq_event_percpu kernel/irq/handle.c:246 [inline]
 handle_irq_event+0x64/0xf0 kernel/irq/handle.c:263
 handle_edge_irq+0x154/0x450 kernel/irq/chip.c:856
 generic_handle_irq_desc include/linux/irqdesc.h:186 [inline]
 handle_irq arch/x86/kernel/irq.c:262 [inline]
 call_irq_handler arch/x86/kernel/irq.c:-1 [inline]
 __common_interrupt+0x60/0xb0 arch/x86/kernel/irq.c:333
 common_interrupt+0x7e/0x90 arch/x86/kernel/irq.c:326
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688
 __preempt_count_dec_and_test arch/x86/include/asm/preempt.h:95 [inline]
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:179 [inline]
 _raw_spin_unlock_irqrestore+0x1a/0x30 kernel/locking/spinlock.c:198
 spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
 avc_reclaim_node security/selinux/avc.c:488 [inline]
 avc_alloc_node+0x21c/0x280 security/selinux/avc.c:507
 avc_insert security/selinux/avc.c:618 [inline]
 avc_compute_av+0xb0/0x430 security/selinux/avc.c:993
 avc_perm_nonode+0x5e/0xe0 security/selinux/avc.c:1117
 avc_has_perm_noaudit+0xf2/0x130 security/selinux/avc.c:1160
 avc_has_perm+0x60/0x190 security/selinux/avc.c:1195
 may_create+0x455/0x4a0 security/selinux/hooks.c:1880
 selinux_inode_symlink+0x22/0x30 security/selinux/hooks.c:3092
 security_inode_symlink+0x75/0xb0 security/security.c:1698
 vfs_symlink+0x8e/0x220 fs/namei.c:5635
 filename_symlinkat+0xe8/0x2b0 fs/namei.c:5668
 __do_sys_symlinkat fs/namei.c:5688 [inline]
 __se_sys_symlinkat+0x43/0x1b0 fs/namei.c:5683
 __x64_sys_symlinkat+0x43/0x50 fs/namei.c:5683
 x64_sys_call+0x2b7d/0x3020 arch/x86/include/generated/asm/syscalls_64.h:267
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x25f1 -> 0x25f2

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 8527 Comm: syz-executor Tainted: G        W           syzkaller #0 PREEMPT(full) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
==================================================================