syzbot

oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=syz3,mems_allowed=0,oom_memcg=/syz3,task_memcg=/syz3,task=syz-executor.3,pid=27133,uid=0
Memory cgroup out of memory: Killed process 27139 (syz-executor.3) total-vm:46608kB, anon-rss:388kB, file-rss:8832kB, shmem-rss:0kB, UID:0 pgtables:84kB oom_score_adj:1000
==================================================================
BUG: KCSAN: data-race in mem_cgroup_flush_stats_ratelimited / tick_do_update_jiffies64

read-write to 0xffffffff860079c0 of 8 bytes by interrupt on cpu 1:
 tick_do_update_jiffies64+0x112/0x1b0 kernel/time/tick-sched.c:118
 tick_sched_do_timer kernel/time/tick-sched.c:232 [inline]
 tick_nohz_handler+0x7c/0x2d0 kernel/time/tick-sched.c:290
 __run_hrtimer kernel/time/hrtimer.c:1692 [inline]
 __hrtimer_run_queues+0x214/0x5e0 kernel/time/hrtimer.c:1756
 hrtimer_interrupt+0x210/0x7b0 kernel/time/hrtimer.c:1818
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline]
 __sysvec_apic_timer_interrupt+0x5c/0x1a0 arch/x86/kernel/apic/apic.c:1049
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x6e/0x80 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
 check_access kernel/kcsan/core.c:787 [inline]
 __tsan_unaligned_volatile_read8+0x12a/0x190 kernel/kcsan/core.c:1086
 arch_atomic64_read arch/x86/include/asm/atomic64_64.h:15 [inline]
 raw_atomic64_read include/linux/atomic/atomic-arch-fallback.h:2583 [inline]
 raw_atomic_long_read include/linux/atomic/atomic-long.h:38 [inline]
 atomic_long_read include/linux/atomic/atomic-instrumented.h:3189 [inline]
 zone_managed_pages include/linux/mmzone.h:1019 [inline]
 managed_zone include/linux/mmzone.h:1495 [inline]
 lruvec_lru_size mm/vmscan.c:375 [inline]
 get_scan_count mm/vmscan.c:2429 [inline]
 shrink_lruvec+0x34e/0x1640 mm/vmscan.c:5657
 shrink_node_memcgs mm/vmscan.c:5873 [inline]
 shrink_node+0xa78/0x15a0 mm/vmscan.c:5908
 shrink_zones mm/vmscan.c:6152 [inline]
 do_try_to_free_pages+0x3cc/0xca0 mm/vmscan.c:6214
 try_to_free_mem_cgroup_pages+0x1eb/0x4e0 mm/vmscan.c:6529
 try_charge_memcg+0x279/0xd10 mm/memcontrol.c:2783
 try_charge mm/memcontrol.c:2931 [inline]
 charge_memcg mm/memcontrol.c:7284 [inline]
 mem_cgroup_swapin_charge_folio+0x107/0x1a0 mm/memcontrol.c:7369
 __read_swap_cache_async+0x2b9/0x520 mm/swap_state.c:514
 swap_cluster_readahead+0x276/0x3f0 mm/swap_state.c:678
 swapin_readahead+0xe2/0x7a0 mm/swap_state.c:904
 do_swap_page+0x3bb/0x15f0 mm/memory.c:4048
 handle_pte_fault mm/memory.c:5303 [inline]
 __handle_mm_fault mm/memory.c:5441 [inline]
 handle_mm_fault+0x7fa/0x27e0 mm/memory.c:5606
 do_user_addr_fault arch/x86/mm/fault.c:1362 [inline]
 handle_page_fault arch/x86/mm/fault.c:1505 [inline]
 exc_page_fault+0x3eb/0x6d0 arch/x86/mm/fault.c:1563
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

read to 0xffffffff860079c0 of 8 bytes by task 20862 on cpu 0:
 mem_cgroup_flush_stats_ratelimited+0x29/0x100 mm/memcontrol.c:772
 count_shadow_nodes+0x69/0x3d0 mm/workingset.c:684
 do_shrink_slab+0x5a/0x690 mm/shrinker.c:382
 shrink_slab_memcg mm/shrinker.c:548 [inline]
 shrink_slab+0x4f7/0x870 mm/shrinker.c:626
 shrink_node_memcgs mm/vmscan.c:5875 [inline]
 shrink_node+0xab2/0x15a0 mm/vmscan.c:5908
 shrink_zones mm/vmscan.c:6152 [inline]
 do_try_to_free_pages+0x3cc/0xca0 mm/vmscan.c:6214
 try_to_free_mem_cgroup_pages+0x1eb/0x4e0 mm/vmscan.c:6529
 try_charge_memcg+0x279/0xd10 mm/memcontrol.c:2783
 obj_cgroup_charge_pages+0xbd/0x1d0 mm/memcontrol.c:3302
 __memcg_kmem_charge_page+0x9d/0x170 mm/memcontrol.c:3328
 __alloc_pages+0x1bc/0x360 mm/page_alloc.c:4592
 alloc_pages_mpol+0xb1/0x1e0 mm/mempolicy.c:2264
 alloc_pages+0xe1/0x100 mm/mempolicy.c:2335
 vm_area_alloc_pages mm/vmalloc.c:3561 [inline]
 __vmalloc_area_node mm/vmalloc.c:3637 [inline]
 __vmalloc_node_range+0x6f2/0xee0 mm/vmalloc.c:3818
 kvmalloc_node+0x121/0x170 mm/util.c:659
 kvmalloc include/linux/slab.h:766 [inline]
 kvzalloc include/linux/slab.h:774 [inline]
 ip_set_alloc+0x1f/0x30 net/netfilter/ipset/ip_set_core.c:255
 hash_netiface_create+0x277/0x740 net/netfilter/ipset/ip_set_hash_gen.h:1568
 ip_set_create+0x359/0x8a0 net/netfilter/ipset/ip_set_core.c:1103
 nfnetlink_rcv_msg+0x4a9/0x570 net/netfilter/nfnetlink.c:302
 netlink_rcv_skb+0x12c/0x230 net/netlink/af_netlink.c:2559
 nfnetlink_rcv+0x170/0x13e0 net/netfilter/nfnetlink.c:659
 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
 netlink_unicast+0x58d/0x660 net/netlink/af_netlink.c:1361
 netlink_sendmsg+0x5d3/0x6e0 net/netlink/af_netlink.c:1905
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x140/0x180 net/socket.c:745
 ____sys_sendmsg+0x312/0x410 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x1e9/0x280 net/socket.c:2667
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
 x64_sys_call+0xae9/0x2d30 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x0000000100024bc1 -> 0x0000000100024bc2

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 20862 Comm: syz-executor.3 Tainted: G        W          6.9.0-rc5-syzkaller-00159-gc942a0cd3603 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
==================================================================