syzbot

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	0-...!: (1 GPs behind) idle=24ac/1/0x4000000000000000 softirq=25625/25629 fqs=0
rcu: 	Tasks blocked on level-0 rcu_node (CPUs 0-1): P2996/1:b..l P7073/1:b..l
rcu: 	(detected by 1, t=10505 jiffies, g=19893, q=820 ncpus=2)
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 7072 Comm: syz.1.291 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:__lock_acquire+0xaf6/0xd20 kernel/locking/lockdep.c:-1
Code: 4c 89 bb e0 0a 00 00 8b 83 e8 0a 00 00 ff c0 89 83 e8 0a 00 00 83 f8 30 0f 83 64 01 00 00 3b 05 98 6b 06 12 0f 87 c9 01 00 00 <41> bf 01 00 00 00 e9 a7 01 00 00 48 89 fb e8 e7 8f 03 00 48 c7 c7
RSP: 0018:ffffc90000007ab0 EFLAGS: 00000087
RAX: 0000000000000005 RBX: ffff88807b2f8000 RCX: 76cccc55d6b76800
RDX: 0000000000000000 RSI: ffff88807b2f8b90 RDI: ffff88807b2f8000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff84c0c66b
R10: ffffc90000007ca0 R11: fffff52000000f96 R12: 00000000b2b20f67
R13: ffff88807b2f8af0 R14: ffff88807b2f8b90 R15: a26fb770857742d4
FS:  00007f606a6936c0(0000) GS:ffff888125c51000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f606a692f98 CR3: 000000002999e000 CR4: 00000000003526f0
DR0: 0000000000000005 DR1: 0000000000000047 DR2: 0000000000000007
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
 debug_object_activate+0xbb/0x420 lib/debugobjects.c:818
 debug_hrtimer_activate kernel/time/hrtimer.c:445 [inline]
 debug_activate kernel/time/hrtimer.c:484 [inline]
 enqueue_hrtimer+0x30/0x3a0 kernel/time/hrtimer.c:1088
 __run_hrtimer kernel/time/hrtimer.c:1778 [inline]
 __hrtimer_run_queues+0x656/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1887
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline]
 __sysvec_apic_timer_interrupt+0x10b/0x410 arch/x86/kernel/apic/apic.c:1056
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_is_held_type+0x137/0x190 kernel/locking/lockdep.c:5948
Code: 01 75 44 48 c7 04 24 00 00 00 00 9c 8f 04 24 f7 04 24 00 02 00 00 75 4c 41 f7 c4 00 02 00 00 74 01 fb 65 48 8b 05 29 f3 34 07 <48> 3b 44 24 08 75 43 89 d8 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffffc900046af3f8 EFLAGS: 00000206
RAX: 76cccc55d6b76800 RBX: 0000000000000001 RCX: 76cccc55d6b76800
RDX: ffff88807b2f8000 RSI: ffffffff8db707c4 RDI: ffffffff8be1c200
RBP: 00000000ffffffff R08: ffff88807b2f8000 R09: 0000000000000002
R10: 0000000000000003 R11: 0000000000000002 R12: 0000000000000246
R13: ffff88807b2f8000 R14: ffffffff8e13ee60 R15: 0000000000000001
 xa_head include/linux/xarray.h:1210 [inline]
 xas_start+0x295/0x770 lib/xarray.c:191
 xas_load+0x2c/0x5b0 lib/xarray.c:239
 xas_find+0x157/0x990 lib/xarray.c:1406
 next_uptodate_folio+0x32/0x5d0 mm/filemap.c:3562
 filemap_map_pages+0x21f/0x1740 mm/filemap.c:3714
 do_fault_around mm/memory.c:5548 [inline]
 do_read_fault mm/memory.c:5581 [inline]
 do_fault mm/memory.c:5724 [inline]
 do_pte_missing mm/memory.c:4251 [inline]
 handle_pte_fault mm/memory.c:6069 [inline]
 __handle_mm_fault+0x368a/0x5620 mm/memory.c:6212
 handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6381
 faultin_page mm/gup.c:1186 [inline]
 __get_user_pages+0x1af4/0x30b0 mm/gup.c:1488
 populate_vma_page_range+0x26b/0x340 mm/gup.c:1926
 __mm_populate+0x24c/0x380 mm/gup.c:2029
 mm_populate include/linux/mm.h:3348 [inline]
 vm_mmap_pgoff+0x3f0/0x4c0 mm/util.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f606978e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f606a693038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f60699b6080 RCX: 00007f606978e929
RDX: b635773f06ebbeee RSI: 0000000000b36000 RDI: 0000200000000000
RBP: 00007f6069810b39 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000008031 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f60699b6080 R15: 00007fffb36acac8
 </TASK>
task:syz.3.292       state:R  running task     stack:25464 pid:7073  tgid:7069  ppid:5842   task_flags:0x400140 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 preempt_schedule_common+0x83/0xd0 kernel/sched/core.c:6970
 preempt_schedule+0xae/0xc0 kernel/sched/core.c:6994
 preempt_schedule_thunk+0x16/0x30 arch/x86/entry/thunk.S:12
 __raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_unlock+0x3f/0x50 kernel/locking/spinlock.c:186
 spin_unlock include/linux/spinlock.h:391 [inline]
 follow_page_pte+0x1dd/0x14b0 mm/gup.c:940
 follow_pmd_mask mm/gup.c:971 [inline]
 follow_pud_mask mm/gup.c:1023 [inline]
 follow_p4d_mask mm/gup.c:1040 [inline]
 follow_page_mask mm/gup.c:1083 [inline]
 __get_user_pages+0xbad/0x30b0 mm/gup.c:1486
 __get_user_pages_locked mm/gup.c:1754 [inline]
 faultin_page_range+0x257/0x890 mm/gup.c:1978
 madvise_populate mm/madvise.c:974 [inline]
 madvise_do_behavior+0x232/0x2e70 mm/madvise.c:1731
 do_madvise+0x174/0x220 mm/madvise.c:1826
 __do_sys_madvise mm/madvise.c:1835 [inline]
 __se_sys_madvise mm/madvise.c:1833 [inline]
 __x64_sys_madvise+0xa7/0xc0 mm/madvise.c:1833
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f231638e929
RSP: 002b:00007f2317289038 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007f23165b6080 RCX: 00007f231638e929
RDX: 0000000000000016 RSI: 0000000000c00000 RDI: 0000200000000000
RBP: 00007f2316410b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f23165b6080 R15: 00007ffe205fbde8
 </TASK>
task:kworker/u8:10   state:R  running task     stack:23360 pid:2996  tgid:2996  ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: iou_exit io_ring_exit_work
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 preempt_schedule_irq+0xb5/0x150 kernel/sched/core.c:7113
 irqentry_exit+0x6f/0x90 kernel/entry/common.c:307
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x175/0x360 kernel/locking/lockdep.c:5875
Code: 00 00 00 00 9c 8f 44 24 30 f7 44 24 30 00 02 00 00 0f 85 cd 00 00 00 f7 44 24 08 00 02 00 00 74 01 fb 65 48 8b 05 ab c1 fe 10 <48> 3b 44 24 58 0f 85 f2 00 00 00 48 83 c4 60 5b 41 5c 41 5d 41 5e
RSP: 0018:ffffc9000be971f8 EFLAGS: 00000206
RAX: ccfa5d4cbdf5b300 RBX: 0000000000000000 RCX: ccfa5d4cbdf5b300
RDX: 0000000000000000 RSI: ffffffff8db707c4 RDI: ffffffff8be1c200
RBP: ffffffff81729af5 R08: 0000000000000000 R09: ffffffff81729af5
R10: ffffc9000be973b8 R11: ffffffff81acf220 R12: 0000000000000002
R13: ffffffff8e13ee60 R14: 0000000000000000 R15: 0000000000000246
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_read_lock include/linux/rcupdate.h:841 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 unwind_next_frame+0xc2/0x2390 arch/x86/kernel/unwind_orc.c:479
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 __call_rcu_common kernel/rcu/tree.c:3094 [inline]
 call_rcu+0x157/0x9c0 kernel/rcu/tree.c:3214
 slab_free_hook mm/slub.c:2345 [inline]
 slab_free mm/slub.c:4643 [inline]
 kmem_cache_free+0x309/0x400 mm/slub.c:4745
 __io_req_caches_free+0x8f/0x140 io_uring/io_uring.c:2710
 io_req_caches_free+0x21/0x30 io_uring/io_uring.c:2722
 io_ring_exit_work+0x415/0x930 io_uring/io_uring.c:2920
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
rcu: rcu_preempt kthread starved for 10505 jiffies! g19893 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: 	Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt     state:R  running task     stack:27320 pid:16    tgid:16    ppid:2      task_flags:0x208040 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x12b/0x270 kernel/time/sleep_timeout.c:99
 rcu_gp_fqs_loop+0x301/0x1540 kernel/rcu/tree.c:2054
 rcu_gp_kthread+0x99/0x390 kernel/rcu/tree.c:2256
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
rcu: Stack dump where RCU GP kthread last ran:
CPU: 1 UID: 0 PID: 1093 Comm: kworker/u8:5 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:csd_lock_wait kernel/smp.c:340 [inline]
RIP: 0010:smp_call_function_many_cond+0xf69/0x12d0 kernel/smp.c:885
Code: 00 45 8b 2f 44 89 ee 83 e6 01 31 ff e8 c0 78 0b 00 41 83 e5 01 49 bd 00 00 00 00 00 fc ff df 75 07 e8 6b 74 0b 00 eb 37 f3 90 <43> 0f b6 04 2c 84 c0 75 10 41 f7 07 01 00 00 00 74 1e e8 50 74 0b
RSP: 0018:ffffc9000401f6a0 EFLAGS: 00000293
RAX: ffffffff81b4b090 RBX: ffff8880b873b040 RCX: ffff888026915a00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc9000401f800 R08: ffffffff8fa0bbf7 R09: 1ffffffff1f4177e
R10: dffffc0000000000 R11: fffffbfff1f4177f R12: 1ffff110170c835d
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8880b8641ae8
FS:  0000000000000000(0000) GS:ffff888125d51000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c2e19d3 CR3: 000000000df38000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1052
 on_each_cpu include/linux/smp.h:71 [inline]
 smp_text_poke_sync_each_cpu arch/x86/kernel/alternative.c:2691 [inline]
 smp_text_poke_batch_finish+0x5e0/0x1100 arch/x86/kernel/alternative.c:2901
 arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
 static_key_enable_cpuslocked+0x128/0x250 kernel/jump_label.c:210
 static_key_enable+0x1a/0x20 kernel/jump_label.c:223
 toggle_allocation_gate+0xad/0x240 mm/kfence/core.c:850
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>