syzbot

==================================================================
BUG: KCSAN: data-race in mem_cgroup_flush_stats_ratelimited / tick_do_update_jiffies64

read-write to 0xffffffff868099c0 of 8 bytes by interrupt on cpu 1:
 tick_do_update_jiffies64+0x113/0x1c0 kernel/time/tick-sched.c:118
 tick_sched_do_timer kernel/time/tick-sched.c:232 [inline]
 tick_nohz_handler+0x7f/0x2d0 kernel/time/tick-sched.c:290
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x20f/0x5a0 kernel/time/hrtimer.c:1841
 hrtimer_interrupt+0x21a/0x460 kernel/time/hrtimer.c:1903
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1041 [inline]
 __sysvec_apic_timer_interrupt+0x5f/0x1d0 arch/x86/kernel/apic/apic.c:1058
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0x6f/0x80 arch/x86/kernel/apic/apic.c:1052
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
 kcsan_setup_watchpoint+0x415/0x430 kernel/kcsan/core.c:705
 nf_sockopt_find net/netfilter/nf_sockopt.c:68 [inline]
 nf_getsockopt+0xfc/0x1b0 net/netfilter/nf_sockopt.c:113
 ipv6_getsockopt+0x178/0x1e0 net/ipv6/ipv6_sockglue.c:1473
 tcp_getsockopt+0xad/0xe0 net/ipv4/tcp.c:4810
 sock_common_getsockopt+0x60/0x70 net/core/sock.c:3885
 do_sock_getsockopt+0x200/0x240 net/socket.c:2421
 __sys_getsockopt net/socket.c:2450 [inline]
 __do_sys_getsockopt net/socket.c:2457 [inline]
 __se_sys_getsockopt net/socket.c:2454 [inline]
 __x64_sys_getsockopt+0x11e/0x1a0 net/socket.c:2454
 x64_sys_call+0x2bca/0x3000 arch/x86/include/generated/asm/syscalls_64.h:56
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffffff868099c0 of 8 bytes by task 3555 on cpu 0:
 mem_cgroup_flush_stats_ratelimited+0x29/0x70 mm/memcontrol.c:635
 count_shadow_nodes+0x6a/0x230 mm/workingset.c:678
 do_shrink_slab+0x63/0x680 mm/shrinker.c:384
 shrink_slab_memcg mm/shrinker.c:550 [inline]
 shrink_slab+0x448/0x760 mm/shrinker.c:628
 shrink_node_memcgs mm/vmscan.c:6056 [inline]
 shrink_node+0x6c3/0x2120 mm/vmscan.c:6095
 shrink_zones mm/vmscan.c:6339 [inline]
 do_try_to_free_pages+0x3f6/0xcd0 mm/vmscan.c:6401
 try_to_free_mem_cgroup_pages+0x1ab/0x410 mm/vmscan.c:6729
 try_charge_memcg+0x383/0xa10 mm/memcontrol.c:2356
 obj_cgroup_charge_pages+0xa6/0x150 mm/memcontrol.c:2799
 __memcg_kmem_charge_page+0x9f/0x170 mm/memcontrol.c:2843
 __alloc_frozen_pages_noprof+0x188/0x360 mm/page_alloc.c:5195
 alloc_pages_mpol+0xb3/0x260 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0x90/0x130 mm/mempolicy.c:2507
 vm_area_alloc_pages mm/vmalloc.c:3647 [inline]
 __vmalloc_area_node mm/vmalloc.c:3724 [inline]
 __vmalloc_node_range_noprof+0x7a5/0xed0 mm/vmalloc.c:3897
 __kvmalloc_node_noprof+0x483/0x670 mm/slub.c:7134
 ip_set_alloc+0x24/0x30 net/netfilter/ipset/ip_set_core.c:261
 hash_netiface_create+0x282/0x740 net/netfilter/ipset/ip_set_hash_gen.h:1568
 ip_set_create+0x3cc/0x970 net/netfilter/ipset/ip_set_core.c:1109
 nfnetlink_rcv_msg+0x4c6/0x590 net/netfilter/nfnetlink.c:302
 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2552
 nfnetlink_rcv+0x167/0x16c0 net/netfilter/nfnetlink.c:669
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5c0/0x690 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x58b/0x6b0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x145/0x180 net/socket.c:742
 ____sys_sendmsg+0x31e/0x4e0 net/socket.c:2630
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2684
 __sys_sendmsg net/socket.c:2716 [inline]
 __do_sys_sendmsg net/socket.c:2721 [inline]
 __se_sys_sendmsg net/socket.c:2719 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2719
 x64_sys_call+0x191e/0x3000 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x00000000ffff9849 -> 0x00000000ffff984a

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 3555 Comm: syz.0.21 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
==================================================================
syz.0.21 invoked oom-killer: gfp_mask=0x402dc2(GFP_KERNEL_ACCOUNT|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), order=0, oom_score_adj=1000
CPU: 1 UID: 0 PID: 3555 Comm: syz.0.21 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 __dump_stack+0x1d/0x30 lib/dump_stack.c:94
 dump_stack_lvl+0xe8/0x140 lib/dump_stack.c:120
 dump_stack+0x15/0x1b lib/dump_stack.c:129
 dump_header+0x81/0x220 mm/oom_kill.c:467
 oom_kill_process+0x342/0x400 mm/oom_kill.c:1046
 out_of_memory+0x979/0xb80 mm/oom_kill.c:1184
 mem_cgroup_out_of_memory mm/memcontrol.c:1650 [inline]
 mem_cgroup_oom mm/memcontrol.c:1673 [inline]
 try_charge_memcg+0x610/0xa10 mm/memcontrol.c:2398
 obj_cgroup_charge_pages+0xa6/0x150 mm/memcontrol.c:2799
 __memcg_kmem_charge_page+0x9f/0x170 mm/memcontrol.c:2843
 __alloc_frozen_pages_noprof+0x188/0x360 mm/page_alloc.c:5195
 alloc_pages_mpol+0xb3/0x260 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0x90/0x130 mm/mempolicy.c:2507
 vm_area_alloc_pages mm/vmalloc.c:3647 [inline]
 __vmalloc_area_node mm/vmalloc.c:3724 [inline]
 __vmalloc_node_range_noprof+0x7a5/0xed0 mm/vmalloc.c:3897
 __kvmalloc_node_noprof+0x483/0x670 mm/slub.c:7134
 ip_set_alloc+0x24/0x30 net/netfilter/ipset/ip_set_core.c:261
 hash_netiface_create+0x282/0x740 net/netfilter/ipset/ip_set_hash_gen.h:1568
 ip_set_create+0x3cc/0x970 net/netfilter/ipset/ip_set_core.c:1109
 nfnetlink_rcv_msg+0x4c6/0x590 net/netfilter/nfnetlink.c:302
 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2552
 nfnetlink_rcv+0x167/0x16c0 net/netfilter/nfnetlink.c:669
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5c0/0x690 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x58b/0x6b0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x145/0x180 net/socket.c:742
 ____sys_sendmsg+0x31e/0x4e0 net/socket.c:2630
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2684
 __sys_sendmsg net/socket.c:2716 [inline]
 __do_sys_sendmsg net/socket.c:2721 [inline]
 __se_sys_sendmsg net/socket.c:2719 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2719
 x64_sys_call+0x191e/0x3000 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f73864ef749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7384f4f038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7386745fa0 RCX: 00007f73864ef749
RDX: 0000000000000800 RSI: 0000200000000040 RDI: 0000000000000005
RBP: 00007f7386573f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7386746038 R14: 00007f7386745fa0 R15: 00007ffdba9a7418
 </TASK>
memory: usage 307200kB, limit 307200kB, failcnt 384
memory+swap: usage 308156kB, limit 9007199254740988kB, failcnt 0
kmem: usage 307168kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz0:
cache 28672
rss 0
shmem 8192
mapped_file 8192
dirty 0
writeback 0
workingset_refault_anon 38
workingset_refault_file 427
swap 983040
swapcached 4096
pgpgin 6859
pgpgout 6851
pgfault 6477
pgmajfault 21
inactive_anon 8192
active_anon 0
inactive_file 20480
active_file 0
unevictable 0
hierarchical_memory_limit 314572800
hierarchical_memsw_limit 9223372036854771712
total_cache 28672
total_rss 0
total_shmem 8192
total_mapped_file 8192
total_dirty 0
total_writeback 0
total_workingset_refault_anon 38
total_workingset_refault_file 427
total_swap 983040
total_swapcached 4096
total_pgpgin 6859
total_pgpgout 6851
total_pgfault 6477
total_pgmajfault 21
total_inactive_anon 8192
total_active_anon 0
total_inactive_file 20480
total_active_file 0
total_unevictable 0
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/syz0,task_memcg=/syz0,task=syz.0.21,pid=3554,uid=0
Memory cgroup out of memory: Killed process 3554 (syz.0.21) total-vm:94028kB, anon-rss:1132kB, file-rss:22440kB, shmem-rss:0kB, UID:0 pgtables:148kB oom_score_adj:1000
syz.0.21 (3555) used greatest stack depth: 7048 bytes left