------------[ cut here ]------------
WARNING: CPU: 1 PID: 18 at kernel/rcu/tree_stall.h:1050 rcu_check_gp_start_stall.part.0+0x1c4/0x4b0 kernel/rcu/tree_stall.h:1050
Modules linked in:
CPU: 1 UID: 0 PID: 18 Comm: rcu_exp_gp_kthr Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:rcu_check_gp_start_stall.part.0+0x1c4/0x4b0 kernel/rcu/tree_stall.h:1050
Code: 88 61 01 00 00 be 04 00 00 00 48 c7 c7 00 c0 e5 9a e8 50 b0 7f 00 b8 01 00 00 00 87 05 c5 f5 44 19 85 c0 0f 85 3d 01 00 00 90 <0f> 0b 90 48 c7 c3 34 d6 ab 90 48 81 fd 00 bf 5c 8e 74 5a 48 b8 00
RSP: 0018:ffffc90000590df0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000002904 RCX: ffffffff81a0ca30
RDX: fffffbfff35cb800 RSI: 0000000000000004 RDI: ffffffff9ae5c000
RBP: ffffffff8e5cbf00 R08: 0000000000000001 R09: fffffbfff35cb800
R10: 0000000000000003 R11: 0000000000000000 R12: 1ffffffff1c42240
R13: 0000000000000246 R14: ffffffff8e5cbf00 R15: ffff88802b33b452
FS: 0000000000000000(0000) GS:ffff8880975bd000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f3004f20 CR3: 000000004b5c5000 CR4: 0000000000352ef0
Call Trace:
 rcu_check_gp_start_stall kernel/rcu/tree_stall.h:1013 [inline]
 rcu_core+0x4cf/0x1530 kernel/rcu/tree.c:2856
 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:csd_lock kernel/smp.c:357 [inline]
RIP: 0010:smp_call_function_single+0x42f/0x6b0 kernel/smp.c:674
Code: 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 20 49 89 cf 83 e1 07 49 c1 ef 03 49 01 c7 8d 41 03 88 44 24 38 e8 b3 df 0b 00 f3 90 <41> 0f b6 07 38 44 24 38 7c 08 84 c0 0f 85 d4 01 00 00 8b 43 08 31
RSP: 0018:ffffc9000044fbc0 EFLAGS: 00000293
RAX: 0000000000000000 RBX: ffff88802b33b680 RCX: ffffffff81af2be3
RDX: ffff88801dec4880 RSI: ffffffff81af2bbd RDI: 0000000000000005
RBP: ffffc9000044fd08 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: fffffbfff1cb97ee R12: 1ffff92000089f80
R13: 0000000000000003 R14: 0000000000000001 R15: ffffed10056676d1
 __sync_rcu_exp_select_node_cpus+0x597/0xd50 kernel/rcu/tree_exp.h:420
 sync_rcu_exp_select_node_cpus kernel/rcu/tree_exp.h:455 [inline]
 sync_rcu_exp_select_cpus+0x3cb/0xab0 kernel/rcu/tree_exp.h:522
 rcu_exp_sel_wait_wake kernel/rcu/tree_exp.h:718 [inline]
 wait_rcu_exp_gp+0x2c/0x40 kernel/rcu/tree_exp.h:492
 kthread_worker_fn+0x30d/0xc50 kernel/kthread.c:1010
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
----------------
Code disassembly (best guess):
   0:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
   7:   fc ff df
   a:   48 8b 4c 24 20          mov    0x20(%rsp),%rcx
   f:   49 89 cf                mov    %rcx,%r15
  12:   83 e1 07                and    $0x7,%ecx
  15:   49 c1 ef 03             shr    $0x3,%r15
  19:   49 01 c7                add    %rax,%r15
  1c:   8d 41 03                lea    0x3(%rcx),%eax
  1f:   88 44 24 38             mov    %al,0x38(%rsp)
  23:   e8 b3 df 0b 00          call   0xbdfdb
  28:   f3 90                   pause
* 2a:   41 0f b6 07             movzbl (%r15),%eax              <-- trapping instruction
  2e:   38 44 24 38             cmp    %al,0x38(%rsp)
  32:   7c 08                   jl     0x3c
  34:   84 c0                   test   %al,%al
  36:   0f 85 d4 01 00 00       jne    0x210
  3c:   8b 43 08                mov    0x8(%rbx),%eax
  3f:   31                      .byte 0x31