syzbot

bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	Tasks blocked on level-0 rcu_node (CPUs 0-1): P2390/1:b..l P2692/1:b..l
rcu: 	(detected by 0, t=10502 jiffies, g=182497, q=765 ncpus=1)
task:syz.4.12554     state:R  running task     stack:24688 pid:2692  tgid:2680  ppid:30782  task_flags:0x400840 flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5295 [inline]
 __schedule+0xfee/0x60e0 kernel/sched/core.c:6907
 preempt_schedule_irq+0x50/0x90 kernel/sched/core.c:7234
 irqentry_exit+0x17b/0x670 kernel/entry/common.c:239
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:unwind_next_frame+0xb65/0x1ea0 arch/x86/kernel/unwind_orc.c:605
Code: 00 0f 85 3c 0f 00 00 48 8b 14 24 49 89 45 48 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 fa 0e 00 00 4c 89 e2 <4d> 89 75 38 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00
RSP: 0018:ffffc90003df6990 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff91860e84
RDX: ffffc90003df6a50 RSI: 1ffff920007bed49 RDI: ffffc90003df7c28
RBP: ffffc90003df6a48 R08: ffffffff91860e88 R09: 0000000000000007
R10: 0000000000000200 R11: 00000000000168eb R12: ffffc90003df6a50
R13: ffffc90003df6a00 R14: ffffc90003df7c30 R15: ffffc90003df6a34
 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 save_stack+0x162/0x1e0 mm/page_owner.c:165
 __reset_page_owner+0x84/0x190 mm/page_owner.c:320
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 free_unref_folios+0xaea/0x1790 mm/page_alloc.c:3040
 shrink_folio_list+0x467b/0x6000 mm/vmscan.c:1541
 reclaim_folio_list+0xdc/0x600 mm/vmscan.c:2205
 reclaim_pages+0x428/0x5e0 mm/vmscan.c:2242
 madvise_cold_or_pageout_pte_range+0x1635/0x2720 mm/madvise.c:561
 walk_pmd_range mm/pagewalk.c:130 [inline]
 walk_pud_range mm/pagewalk.c:224 [inline]
 walk_p4d_range mm/pagewalk.c:262 [inline]
 walk_pgd_range+0xc04/0x1eb0 mm/pagewalk.c:303
 __walk_page_range+0x163/0x820 mm/pagewalk.c:411
 walk_page_range_vma_unsafe+0x209/0x8f0 mm/pagewalk.c:715
 walk_page_range_vma+0x63/0x90 mm/pagewalk.c:725
 madvise_pageout_page_range mm/madvise.c:620 [inline]
 madvise_pageout+0x259/0x540 mm/madvise.c:645
 madvise_vma_behavior+0x3e6/0x3050 mm/madvise.c:1364
 madvise_walk_vmas+0x2fe/0xa90 mm/madvise.c:1719
 madvise_do_behavior+0x1ea/0x510 mm/madvise.c:1935
 do_madvise+0x195/0x240 mm/madvise.c:2028
 __do_sys_madvise mm/madvise.c:2037 [inline]
 __se_sys_madvise mm/madvise.c:2035 [inline]
 __x64_sys_madvise+0xa9/0x110 mm/madvise.c:2035
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f579119c629
RSP: 002b:00007f5792098028 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007f5791416090 RCX: 00007f579119c629
RDX: 0000000000000015 RSI: ffffffffffff0001 RDI: 0000000000000000
RBP: 00007f5791232b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5791416128 R14: 00007f5791416090 R15: 00007fff9d5b2998
 </TASK>
task:syz.2.12470     state:R  running task     stack:22552 pid:2390  tgid:2390  ppid:5885   task_flags:0x400640 flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5295 [inline]
 __schedule+0xfee/0x60e0 kernel/sched/core.c:6907
 preempt_schedule_irq+0x50/0x90 kernel/sched/core.c:7234
 irqentry_exit+0x17b/0x670 kernel/entry/common.c:239
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:mas_is_start lib/maple_tree.c:276 [inline]
RIP: 0010:mas_start lib/maple_tree.c:1192 [inline]
RIP: 0010:mas_state_walk lib/maple_tree.c:3291 [inline]
RIP: 0010:mt_find+0x163/0x8e0 lib/maple_tree.c:6497
Code: 00 00 00 31 f6 48 c7 c7 20 92 7e 8e e8 26 63 5e f6 e8 11 f1 06 00 31 ff 89 c3 89 c6 e8 86 17 82 f6 5a 85 db 0f 85 3e 05 00 00 <e8> c8 1c 82 f6 8b ac 24 88 00 00 00 e8 bc 1c 82 f6 bf 01 00 00 00
RSP: 0018:ffffc90004c8ed40 EFLAGS: 00000202
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff8b85e3c6
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88806ab01e40
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90004c8ee78
R13: ffffc90004c8ed80 R14: 000000000000000e R15: ffffffffffffffff
 find_vma+0xbf/0x140 mm/mmap.c:907
 gup_vma_lookup+0x20/0x170 mm/gup.c:1275
 __get_user_pages+0x241/0x34d0 mm/gup.c:1396
 __get_user_pages_locked mm/gup.c:1692 [inline]
 get_dump_page+0x27e/0x3d0 mm/gup.c:2192
 dump_user_range+0x18d/0xb50 fs/coredump.c:1367
 elf_core_dump+0x2d5f/0x3d10 fs/binfmt_elf.c:2109
 coredump_write fs/coredump.c:1050 [inline]
 do_coredump fs/coredump.c:1127 [inline]
 vfs_coredump+0x27bc/0x5570 fs/coredump.c:1201
 get_signal+0x1f2a/0x21e0 kernel/signal.c:3019
 arch_do_signal_or_restart+0x91/0x770 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:98 [inline]
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:270 [inline]
 irqentry_exit_to_user_mode include/linux/irq-entry-common.h:339 [inline]
 irqentry_exit+0x1f8/0x670 kernel/entry/common.c:219
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x0
RSP: 002b:000000000000000a EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007fac01015fa0 RCX: 00007fac00d9c629
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000020003b46
RBP: 00007fac00e32b39 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fac01016038 R14: 00007fac01015fa0 R15: 00007ffc8ff84988
 </TASK>
rcu: rcu_preempt kthread starved for 7628 jiffies! g182497 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: 	Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt     state:R  running task     stack:28584 pid:16    tgid:16    ppid:2      task_flags:0x208040 flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5295 [inline]
 __schedule+0xfee/0x60e0 kernel/sched/core.c:6907
 __schedule_loop kernel/sched/core.c:6989 [inline]
 schedule+0xdd/0x390 kernel/sched/core.c:7004
 schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
 rcu_gp_fqs_loop+0x1a9/0x900 kernel/rcu/tree.c:2095
 rcu_gp_kthread+0x179/0x230 kernel/rcu/tree.c:2297
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
rcu: Stack dump where RCU GP kthread last ran:
CPU: 0 UID: 0 PID: 3408 Comm: kworker/R-bat_e Tainted: G     U    I  L      syzkaller #0 PREEMPT(full) 
Tainted: [U]=USER, [I]=FIRMWARE_WORKAROUND, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: bat_events batadv_tt_purge
RIP: 0010:trace_lock_release include/trace/events/lock.h:69 [inline]
RIP: 0010:lock_release+0x40/0x320 kernel/locking/lockdep.c:5879
Code: 2d ed a8 28 12 48 89 6c 24 10 48 89 f5 0f 1f 44 00 00 65 8b 05 05 a9 28 12 83 f8 07 0f 87 1d 02 00 00 48 0f a3 05 d0 47 f5 0e <0f> 82 18 02 00 00 44 8b 05 97 7b f5 0e 45 85 c0 0f 84 48 01 00 00
RSP: 0018:ffffc90000007138 EFLAGS: 00000297
RAX: 0000000000000000 RBX: ffffffff8e7e9220 RCX: ffffffff8a65857c
RDX: ffff888033e5dac0 RSI: ffffffff8a6584ca RDI: ffffffff8e7e9220
RBP: ffffffff8a6584ca R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88807f5ff000
R13: ffff88816cfebe74 R14: ffff88816cfebe5c R15: ffff88816cfebe3f
FS:  0000000000000000(0000) GS:ffff888124351000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcdcaca6e22 CR3: 0000000034bbc000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 rcu_lock_release include/linux/rcupdate.h:322 [inline]
 rcu_read_unlock include/linux/rcupdate.h:881 [inline]
 net_generic+0xef/0x2a0 include/net/netns/generic.h:48
 is_vlan_arp net/bridge/br_netfilter_hooks.c:109 [inline]
 br_nf_forward_finish+0x18f/0xb30 net/bridge/br_netfilter_hooks.c:639
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 br_nf_forward_ip.part.0+0x61e/0x820 net/bridge/br_netfilter_hooks.c:716
 br_nf_forward_ip net/bridge/br_netfilter_hooks.c:676 [inline]
 br_nf_forward+0xfe5/0x19f0 net/bridge/br_netfilter_hooks.c:773
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0xbf/0x220 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:273 [inline]
 NF_HOOK include/linux/netfilter.h:316 [inline]
 __br_forward+0x2f6/0x970 net/bridge/br_forward.c:115
 deliver_clone net/bridge/br_forward.c:131 [inline]
 br_flood+0x37f/0x650 net/bridge/br_forward.c:250
 br_handle_frame_finish+0xf57/0x1f00 net/bridge/br_input.c:229
 br_nf_hook_thresh+0x30d/0x420 net/bridge/br_netfilter_hooks.c:1167
 br_nf_pre_routing_finish_ipv6+0x769/0xfb0 net/bridge/br_netfilter_ipv6.c:154
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_nf_pre_routing_ipv6+0x39c/0x8b0 net/bridge/br_netfilter_ipv6.c:184
 br_nf_pre_routing+0x93b/0x1510 net/bridge/br_netfilter_hooks.c:508
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
 br_handle_frame+0xcdd/0x1520 net/bridge/br_input.c:442
 __netif_receive_skb_core.constprop.0+0x6c5/0x3550 net/core/dev.c:6043
 __netif_receive_skb_one_core+0xb0/0x1e0 net/core/dev.c:6154
 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6269
 process_backlog+0x37a/0x1580 net/core/dev.c:6620
 __napi_poll.constprop.0+0xaf/0x450 net/core/dev.c:7684
 napi_poll net/core/dev.c:7747 [inline]
 net_rx_action+0xa40/0xf20 net/core/dev.c:7899
 handle_softirqs+0x1eb/0x9e0 kernel/softirq.c:622
 do_softirq kernel/softirq.c:523 [inline]
 do_softirq+0xac/0xe0 kernel/softirq.c:510
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xf8/0x120 kernel/softirq.c:450
 spin_unlock_bh include/linux/spinlock.h:395 [inline]
 batadv_tt_local_purge+0x21c/0x3d0 net/batman-adv/translation-table.c:1315
 batadv_tt_purge+0x8b/0xbd0 net/batman-adv/translation-table.c:3509
 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275
 process_scheduled_works kernel/workqueue.c:3358 [inline]
 rescuer_thread+0x902/0x1490 kernel/workqueue.c:3582
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
net_ratelimit: 20374 callbacks suppressed
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:1a:05:70:2c:99:20, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
net_ratelimit: 20863 callbacks suppressed
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:1a:05:70:2c:99:20, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)