syzbot

oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/syz0,task_memcg=/syz0,task=syz.0.833,pid=6096,uid=0
Memory cgroup out of memory: Killed process 6096 (syz.0.833) total-vm:96084kB, anon-rss:1232kB, file-rss:28324kB, shmem-rss:0kB, UID:0 pgtables:212kB oom_score_adj:1000
==================================================================
BUG: KCSAN: data-race in mem_cgroup_flush_stats_ratelimited / tick_do_update_jiffies64

read-write to 0xffffffff86c07a00 of 8 bytes by interrupt on cpu 0:
 tick_do_update_jiffies64+0x113/0x1c0 kernel/time/tick-sched.c:118
 tick_sched_do_timer kernel/time/tick-sched.c:253 [inline]
 tick_nohz_handler+0x8d/0x3d0 kernel/time/tick-sched.c:312
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x276/0x4f0 kernel/time/hrtimer.c:1994
 hrtimer_interrupt+0x261/0x850 kernel/time/hrtimer.c:2113
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 __sysvec_apic_timer_interrupt+0x5f/0x1c0 arch/x86/kernel/apic/apic.c:1067
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0x6f/0x80 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
 should_watch kernel/kcsan/core.c:280 [inline]
 check_access kernel/kcsan/core.c:752 [inline]
 __tsan_read8+0x117/0x190 kernel/kcsan/core.c:1025
 xas_next_entry include/linux/xarray.h:1719 [inline]
 next_uptodate_folio+0x3a/0x7e0 mm/filemap.c:3705
 filemap_map_pages+0xa00/0xea0 mm/filemap.c:3940
 do_fault_around mm/memory.c:5867 [inline]
 do_read_fault mm/memory.c:5900 [inline]
 do_fault mm/memory.c:6043 [inline]
 do_pte_missing mm/memory.c:4566 [inline]
 handle_pte_fault mm/memory.c:6427 [inline]
 __handle_mm_fault mm/memory.c:6565 [inline]
 handle_mm_fault+0x1508/0x2e70 mm/memory.c:6734
 faultin_page mm/gup.c:1126 [inline]
 __get_user_pages+0x1290/0x1f10 mm/gup.c:1428
 populate_vma_page_range mm/gup.c:1860 [inline]
 __mm_populate+0x242/0x390 mm/gup.c:1963
 mm_populate include/linux/mm.h:4137 [inline]
 vm_mmap_pgoff+0x23b/0x2d0 mm/util.c:586
 ksys_mmap_pgoff+0xc1/0x310 mm/mmap.c:606
 x64_sys_call+0x14df/0x3020 arch/x86/include/generated/asm/syscalls_64.h:10
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffffff86c07a00 of 8 bytes by task 6149 on cpu 1:
 mem_cgroup_flush_stats_ratelimited+0x29/0x50 mm/memcontrol.c:743
 count_shadow_nodes+0x6a/0x250 mm/workingset.c:692
 do_shrink_slab+0x63/0x660 mm/shrinker.c:382
 shrink_slab_memcg mm/shrinker.c:553 [inline]
 shrink_slab+0x545/0x8f0 mm/shrinker.c:631
 shrink_node_memcgs mm/vmscan.c:6173 [inline]
 shrink_node+0x6d4/0x20a0 mm/vmscan.c:6215
 shrink_zones mm/vmscan.c:6454 [inline]
 do_try_to_free_pages+0x408/0xc90 mm/vmscan.c:6516
 try_to_free_mem_cgroup_pages+0x201/0x420 mm/vmscan.c:6838
 try_charge_memcg+0x373/0xa10 mm/memcontrol.c:2630
 obj_cgroup_charge_pages mm/memcontrol.c:3072 [inline]
 __memcg_kmem_charge_page+0x1ce/0x3d0 mm/memcontrol.c:3116
 __alloc_frozen_pages_noprof+0x18a/0x350 mm/page_alloc.c:5238
 alloc_pages_mpol+0xb3/0x260 mm/mempolicy.c:2490
 alloc_frozen_pages_noprof mm/mempolicy.c:2561 [inline]
 alloc_pages_noprof+0x8f/0x140 mm/mempolicy.c:2581
 vm_area_alloc_pages mm/vmalloc.c:3728 [inline]
 __vmalloc_area_node mm/vmalloc.c:3878 [inline]
 __vmalloc_node_range_noprof+0xaed/0x11c0 mm/vmalloc.c:4064
 __kvmalloc_node_noprof+0x3d4/0x640 mm/slub.c:6861
 futex_hash_allocate+0x190/0x9a0 kernel/futex/core.c:1815
 futex_hash_prctl+0xd8/0xf0 kernel/futex/core.c:1961
 __do_sys_prctl kernel/sys.c:2885 [inline]
 __se_sys_prctl+0x4f4/0x1400 kernel/sys.c:2534
 __x64_sys_prctl+0x67/0x80 kernel/sys.c:2534
 x64_sys_call+0x2533/0x3020 arch/x86/include/generated/asm/syscalls_64.h:158
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x00000000ffffc791 -> 0x00000000ffffc792

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 6149 Comm: syz.0.851 Not tainted syzkaller #0 PREEMPT(lazy) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
==================================================================
syz.0.851 invoked oom-killer: gfp_mask=0x402dc2(GFP_KERNEL_ACCOUNT|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), order=0, oom_score_adj=1000
CPU: 1 UID: 0 PID: 6149 Comm: syz.0.851 Not tainted syzkaller #0 PREEMPT(lazy) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <TASK>
 __dump_stack+0x1d/0x30 lib/dump_stack.c:94
 dump_stack_lvl+0x95/0xd0 lib/dump_stack.c:120
 dump_stack+0x15/0x1b lib/dump_stack.c:129
 dump_header+0x80/0x240 mm/oom_kill.c:464
 oom_kill_process+0x295/0x350 mm/oom_kill.c:1031
 out_of_memory+0x97d/0xb80 mm/oom_kill.c:1169
 mem_cgroup_out_of_memory mm/memcontrol.c:1907 [inline]
 mem_cgroup_oom mm/memcontrol.c:1930 [inline]
 try_charge_memcg+0x62f/0xa10 mm/memcontrol.c:2672
 obj_cgroup_charge_pages mm/memcontrol.c:3072 [inline]
 __memcg_kmem_charge_page+0x1ce/0x3d0 mm/memcontrol.c:3116
 __alloc_frozen_pages_noprof+0x18a/0x350 mm/page_alloc.c:5238
 alloc_pages_mpol+0xb3/0x260 mm/mempolicy.c:2490
 alloc_frozen_pages_noprof mm/mempolicy.c:2561 [inline]
 alloc_pages_noprof+0x8f/0x140 mm/mempolicy.c:2581
 vm_area_alloc_pages mm/vmalloc.c:3728 [inline]
 __vmalloc_area_node mm/vmalloc.c:3878 [inline]
 __vmalloc_node_range_noprof+0xaed/0x11c0 mm/vmalloc.c:4064
 __kvmalloc_node_noprof+0x3d4/0x640 mm/slub.c:6861
 futex_hash_allocate+0x190/0x9a0 kernel/futex/core.c:1815
 futex_hash_prctl+0xd8/0xf0 kernel/futex/core.c:1961
 __do_sys_prctl kernel/sys.c:2885 [inline]
 __se_sys_prctl+0x4f4/0x1400 kernel/sys.c:2534
 __x64_sys_prctl+0x67/0x80 kernel/sys.c:2534
 x64_sys_call+0x2533/0x3020 arch/x86/include/generated/asm/syscalls_64.h:158
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f12f5c6ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f12f467d028 EFLAGS: 00000246 ORIG_RAX: 000000000000009d
RAX: ffffffffffffffda RBX: 00007f12f5ee6180 RCX: 00007f12f5c6ce59
RDX: 0000000001000000 RSI: 0000000000000001 RDI: 000000000000004e
RBP: 00007f12f5d02d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f12f5ee6218 R14: 00007f12f5ee6180 R15: 00007ffe707587d8
 </TASK>
memory: usage 239600kB, limit 307200kB, failcnt 2728
memory+swap: usage 289084kB, limit 9007199254740988kB, failcnt 0
kmem: usage 231676kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz0:
cache 0
rss 28672
shmem 0
mapped_file 0
dirty 0
writeback 0
workingset_refault_anon 433
workingset_refault_file 4690
swap 58658816
swapcached 204529664
pgpgin 172365
pgpgout 172357
pgfault 97902
pgmajfault 318
inactive_anon 0
active_anon 16384
inactive_file 0
active_file 0
unevictable 0
hierarchical_memory_limit 314572800
hierarchical_memsw_limit 9223372036854771712
total_cache 0
total_rss 28672
total_shmem 0
total_mapped_file 0
total_dirty 0
total_writeback 0
total_workingset_refault_anon 433
total_workingset_refault_file 4690
total_swap 58658816
total_swapcached 204529664
total_pgpgin 172365
total_pgpgout 172357
total_pgfault 97902
total_pgmajfault 318
total_inactive_anon 0
total_active_anon 16384
total_inactive_file 0
total_active_file 0
total_unevictable 0
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/syz0,task_memcg=/syz0,task=syz.0.851,pid=6144,uid=0
Memory cgroup out of memory: Killed process 6149 (syz.0.851) total-vm:96348kB, anon-rss:1260kB, file-rss:22356kB, shmem-rss:0kB, UID:0 pgtables:148kB oom_score_adj:1000