linux-kernel.vger.kernel.org archive mirror
* [syzbot] [mm?] WARNING in copy_process
@ 2025-08-25  3:00 syzbot
  2025-08-25 15:50 ` David Hildenbrand
  2025-08-27 23:15 ` syzbot
  0 siblings, 2 replies; 8+ messages in thread
From: syzbot @ 2025-08-25  3:00 UTC (permalink / raw)
  To: Liam.Howlett, akpm, bsegall, david, dietmar.eggemann, juri.lelli,
	kees, linux-kernel, linux-mm, lorenzo.stoakes, mgorman, mhocko,
	mingo, peterz, rostedt, rppt, surenb, syzkaller-bugs, vbabka,
	vincent.guittot, vschneid

Hello,

syzbot found the following issue on:

HEAD commit:    41cd3fd15263 Merge tag 'pci-v6.17-fixes-2' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b3bc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fecbb496f75d3d61
dashboard link: https://syzkaller.appspot.com/bug?extid=69c74d38464686431506
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ea83f558e101/disk-41cd3fd1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a35b75cdd97b/vmlinux-41cd3fd1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/37d76e9636c2/bzImage-41cd3fd1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+69c74d38464686431506@syzkaller.appspotmail.com

oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0-1,oom_memcg=/syz1,task_memcg=/syz1,task=syz.1.3237,pid=23388,uid=0
Memory cgroup out of memory: Killed process 23388 (syz.1.3237) total-vm:101828kB, anon-rss:940kB, file-rss:21532kB, shmem-rss:0kB, UID:0 pgtables:116kB oom_score_adj:1000
------------[ cut here ]------------
pvqspinlock: lock 0xffff88803512c0c0 has corrupted value 0x0!
WARNING: CPU: 0 PID: 23388 at kernel/locking/qspinlock_paravirt.h:504 __pv_queued_spin_unlock_slowpath+0x237/0x330 kernel/locking/qspinlock_paravirt.h:504
Modules linked in:
CPU: 0 UID: 0 PID: 23388 Comm: syz.1.3237 Tainted: G     U              syzkaller #0 PREEMPT(full) 
Tainted: [U]=USER
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:__pv_queued_spin_unlock_slowpath+0x237/0x330 kernel/locking/qspinlock_paravirt.h:504
Code: 03 0f b6 14 02 4c 89 e8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 67 41 8b 55 00 4c 89 ee 48 c7 c7 00 81 ad 8b e8 fa aa e6 f5 90 <0f> 0b 90 90 e9 64 ff ff ff 90 0f 0b 48 89 df 4c 89 04 24 e8 71 15
RSP: 0018:ffffc9000e9c79c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88803512c0c0 RCX: ffffffff817a02c8
RDX: ffff88802fa9bc00 RSI: ffffffff817a02d5 RDI: 0000000000000001
RBP: ffff88803512c0c8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000000d4550 R12: ffff88803512c0d0
R13: ffff88803512c0c0 R14: 00000000003d0f00 R15: ffff88802ab43c00
FS:  0000555568154500(0000) GS:ffff8881246c4000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f86cc8e86ec CR3: 0000000060c0e000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __raw_callee_save___pv_queued_spin_unlock_slowpath+0x15/0x30
 .slowpath+0x9/0x18
 pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:562 [inline]
 queued_spin_unlock arch/x86/include/asm/qspinlock.h:57 [inline]
 do_raw_spin_unlock+0x172/0x230 kernel/locking/spinlock_debug.c:142
 __raw_spin_unlock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_unlock+0x1e/0x50 kernel/locking/spinlock.c:186
 spin_unlock include/linux/spinlock.h:391 [inline]
 copy_process+0x6b72/0x7690 kernel/fork.c:2432
 kernel_clone+0xfc/0x930 kernel/fork.c:2605
 __do_sys_clone3+0x212/0x290 kernel/fork.c:2909
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f86cbbc3449
Code: d7 08 00 48 8d 3d fc d7 08 00 e8 02 29 f6 ff 66 90 b8 ea ff ff ff 48 85 ff 74 2c 48 85 d2 74 27 49 89 c8 b8 b3 01 00 00 0f 05 <48> 85 c0 7c 18 74 01 c3 31 ed 48 83 e4 f0 4c 89 c7 ff d2 48 89 c7
RSP: 002b:00007ffe52a9ff08 EFLAGS: 00000206 ORIG_RAX: 00000000000001b3
RAX: ffffffffffffffda RBX: 00007f86cbb45850 RCX: 00007f86cbbc3449
RDX: 00007f86cbb45850 RSI: 0000000000000058 RDI: 00007ffe52a9ff50
RBP: 00007f86c9dee6c0 R08: 00007f86c9dee6c0 R09: 00007ffe52aa0037
R10: 0000000000000008 R11: 0000000000000206 R12: ffffffffffffffa8
R13: 000000000000000b R14: 00007ffe52a9ff50 R15: 00007ffe52aa0038
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [mm?] WARNING in copy_process
  2025-08-25  3:00 [syzbot] [mm?] WARNING in copy_process syzbot
@ 2025-08-25 15:50 ` David Hildenbrand
  2025-08-28 13:12   ` Hillf Danton
  2025-08-27 23:15 ` syzbot
  1 sibling, 1 reply; 8+ messages in thread
From: David Hildenbrand @ 2025-08-25 15:50 UTC (permalink / raw)
  To: syzbot, Liam.Howlett, akpm, bsegall, dietmar.eggemann, juri.lelli,
	kees, linux-kernel, linux-mm, lorenzo.stoakes, mgorman, mhocko,
	mingo, peterz, rostedt, rppt, surenb, syzkaller-bugs, vbabka,
	vincent.guittot, vschneid

On 25.08.25 05:00, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    41cd3fd15263 Merge tag 'pci-v6.17-fixes-2' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b3bc580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=fecbb496f75d3d61
> dashboard link: https://syzkaller.appspot.com/bug?extid=69c74d38464686431506
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/ea83f558e101/disk-41cd3fd1.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/a35b75cdd97b/vmlinux-41cd3fd1.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/37d76e9636c2/bzImage-41cd3fd1.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+69c74d38464686431506@syzkaller.appspotmail.com
> 
> oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0-1,oom_memcg=/syz1,task_memcg=/syz1,task=syz.1.3237,pid=23388,uid=0
> Memory cgroup out of memory: Killed process 23388 (syz.1.3237) total-vm:101828kB, anon-rss:940kB, file-rss:21532kB, shmem-rss:0kB, UID:0 pgtables:116kB oom_score_adj:1000

Here we are killing 23388 (syz.1.3237)

> ------------[ cut here ]------------
> pvqspinlock: lock 0xffff88803512c0c0 has corrupted value 0x0!
> WARNING: CPU: 0 PID: 23388 at kernel/locking/qspinlock_paravirt.h:504 __pv_queued_spin_unlock_slowpath+0x237/0x330 kernel/locking/qspinlock_paravirt.h:504
> Modules linked in:
> CPU: 0 UID: 0 PID: 23388 Comm: syz.1.3237 Tainted: G     U              syzkaller #0 PREEMPT(full)

And here we are still in the process ...

> Tainted: [U]=USER
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
> RIP: 0010:__pv_queued_spin_unlock_slowpath+0x237/0x330 kernel/locking/qspinlock_paravirt.h:504
> Code: 03 0f b6 14 02 4c 89 e8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 67 41 8b 55 00 4c 89 ee 48 c7 c7 00 81 ad 8b e8 fa aa e6 f5 90 <0f> 0b 90 90 e9 64 ff ff ff 90 0f 0b 48 89 df 4c 89 04 24 e8 71 15
> RSP: 0018:ffffc9000e9c79c8 EFLAGS: 00010286
> RAX: 0000000000000000 RBX: ffff88803512c0c0 RCX: ffffffff817a02c8
> RDX: ffff88802fa9bc00 RSI: ffffffff817a02d5 RDI: 0000000000000001
> RBP: ffff88803512c0c8 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000000 R11: 00000000000d4550 R12: ffff88803512c0d0
> R13: ffff88803512c0c0 R14: 00000000003d0f00 R15: ffff88802ab43c00
> FS:  0000555568154500(0000) GS:ffff8881246c4000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f86cc8e86ec CR3: 0000000060c0e000 CR4: 00000000003526f0
> Call Trace:
>   <TASK>
>   __raw_callee_save___pv_queued_spin_unlock_slowpath+0x15/0x30
>   .slowpath+0x9/0x18
>   pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:562 [inline]
>   queued_spin_unlock arch/x86/include/asm/qspinlock.h:57 [inline]
>   do_raw_spin_unlock+0x172/0x230 kernel/locking/spinlock_debug.c:142
>   __raw_spin_unlock include/linux/spinlock_api_smp.h:142 [inline]
>   _raw_spin_unlock+0x1e/0x50 kernel/locking/spinlock.c:186
>   spin_unlock include/linux/spinlock.h:391 [inline]

... busy during clone.

I assume that it is 23388 calling clone() and not getting cloned (it 
should not get scheduled yet).

So likely, the OOM is shooting something down that kernel_clone() still 
depends on ... maybe?



-- 
Cheers

David / dhildenb



* Re: [syzbot] [mm?] WARNING in copy_process
  2025-08-25  3:00 [syzbot] [mm?] WARNING in copy_process syzbot
  2025-08-25 15:50 ` David Hildenbrand
@ 2025-08-27 23:15 ` syzbot
  2025-08-28  7:38   ` Hillf Danton
  2025-08-28 11:47   ` Hillf Danton
  1 sibling, 2 replies; 8+ messages in thread
From: syzbot @ 2025-08-27 23:15 UTC (permalink / raw)
  To: Liam.Howlett, akpm, bsegall, david, dietmar.eggemann, juri.lelli,
	kees, liam.howlett, linux-kernel, linux-mm, lorenzo.stoakes,
	mgorman, mhocko, mingo, peterz, rostedt, rppt, surenb,
	syzkaller-bugs, vbabka, vincent.guittot, vschneid

syzbot has found a reproducer for the following issue on:

HEAD commit:    7fa4d8dc380f Add linux-next specific files for 20250821
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1036def0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ae76068823a236b3
dashboard link: https://syzkaller.appspot.com/bug?extid=69c74d38464686431506
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13595c62580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63178c6ef3f8/disk-7fa4d8dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c5c27b0841e0/vmlinux-7fa4d8dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9a8832715cca/bzImage-7fa4d8dc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+69c74d38464686431506@syzkaller.appspotmail.com

------------[ cut here ]------------
pvqspinlock: lock 0xffff8881c5419bc0 has corrupted value 0x0!
WARNING: kernel/locking/qspinlock_paravirt.h:506 at __pv_queued_spin_unlock_slowpath+0x1fe/0x2a0 kernel/locking/qspinlock_paravirt.h:504, CPU#1: syz.6.106/8286
Modules linked in:
CPU: 1 UID: 0 PID: 8286 Comm: syz.6.106 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:__pv_queued_spin_unlock_slowpath+0x1fe/0x2a0 kernel/locking/qspinlock_paravirt.h:504
Code: f8 a8 9b f6 48 89 d8 48 c1 e8 03 42 0f b6 04 28 84 c0 0f 85 93 00 00 00 8b 13 48 c7 c7 00 0c ab 8b 48 89 de e8 73 9c fb f5 90 <0f> 0b 90 90 eb 95 48 c7 c7 90 e4 40 8e 4c 89 f6 4c 89 fa e8 fa c5
RSP: 0018:ffffc900100c78c0 EFLAGS: 00010246
RAX: 9e0501aa69750800 RBX: ffff8881c5419bc0 RCX: ffff8881921f9e00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: 1ffff11038a83379 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1c7a604 R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff8881c5419bd0 R15: ffff8881c5419bc8
FS:  0000555565514500(0000) GS:ffff8881258c4000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8801a12e9c CR3: 00000001d6f0c000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __raw_callee_save___pv_queued_spin_unlock_slowpath+0x15/0x30
 .slowpath+0x9/0x18
 pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:562 [inline]
 queued_spin_unlock arch/x86/include/asm/qspinlock.h:57 [inline]
 do_raw_spin_unlock+0x122/0x240 kernel/locking/spinlock_debug.c:142
 __raw_spin_unlock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_unlock+0x1e/0x50 kernel/locking/spinlock.c:186
 spin_unlock include/linux/spinlock.h:391 [inline]
 copy_process+0x2793/0x3c00 kernel/fork.c:2435
 kernel_clone+0x21e/0x840 kernel/fork.c:2608
 __do_sys_clone3 kernel/fork.c:2912 [inline]
 __se_sys_clone3+0x256/0x2d0 kernel/fork.c:2891
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb44b1c3449
Code: d7 08 00 48 8d 3d fc d7 08 00 e8 12 29 f6 ff 66 90 b8 ea ff ff ff 48 85 ff 74 2c 48 85 d2 74 27 49 89 c8 b8 b3 01 00 00 0f 05 <48> 85 c0 7c 18 74 01 c3 31 ed 48 83 e4 f0 4c 89 c7 ff d2 48 89 c7
RSP: 002b:00007ffc514a7578 EFLAGS: 00000206 ORIG_RAX: 00000000000001b3
RAX: ffffffffffffffda RBX: 00007fb44b145860 RCX: 00007fb44b1c3449
RDX: 00007fb44b145860 RSI: 0000000000000058 RDI: 00007ffc514a75c0
RBP: 00007fb44a7fe6c0 R08: 00007fb44a7fe6c0 R09: 00007ffc514a76a7
R10: 0000000000000008 R11: 0000000000000206 R12: ffffffffffffffa8
R13: 000000000000000b R14: 00007ffc514a75c0 R15: 00007ffc514a76a8
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.


* Re: [syzbot] [mm?] WARNING in copy_process
  2025-08-27 23:15 ` syzbot
@ 2025-08-28  7:38   ` Hillf Danton
  2025-08-28  8:50     ` syzbot
  2025-08-28 11:47   ` Hillf Danton
  1 sibling, 1 reply; 8+ messages in thread
From: Hillf Danton @ 2025-08-28  7:38 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

> Date: Wed, 27 Aug 2025 16:15:31 -0700	[thread overview]
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    7fa4d8dc380f Add linux-next specific files for 20250821
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1036def0580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ae76068823a236b3
> dashboard link: https://syzkaller.appspot.com/bug?extid=69c74d38464686431506
> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13595c62580000

#syz test

--- x/mm/oom_kill.c
+++ y/mm/oom_kill.c
@@ -997,6 +997,8 @@ static void __oom_kill_process(struct ta
 		queue_oom_reaper(victim);
 
 	mmdrop(mm);
+	write_lock_irq(&tasklist_lock);
+	write_unlock_irq(&tasklist_lock);
 	put_task_struct(victim);
 }
 
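Review bot: the back-to-back write_lock_irq()/write_unlock_irq() on tasklist_lock in front of put_task_struct(victim) is an empty critical section used as a barrier, and nothing in the hunk says what it waits for; it needs a comment naming the ordering it enforces (which tasklist_lock holder must have finished before the last reference on victim is dropped, and why), otherwise the next reader will take it for dead code and remove it. It also adds an unconditional global write lock with interrupts disabled to the OOM kill path, so the cost should be weighed against fixing the victim's lifetime at the place that still uses it, and the reasoning belongs in a changelog rather than a bare "#syz test".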
@@ -1031,6 +1033,8 @@ static void oom_kill_process(struct oom_
 		mark_oom_victim(victim);
 		queue_oom_reaper(victim);
 		task_unlock(victim);
+		write_lock_irq(&tasklist_lock);
+		write_unlock_irq(&tasklist_lock);
 		put_task_struct(victim);
 		return;
 	}
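Review bot: this repeats the same lock/unlock pair from the previous hunk ahead of a second put_task_struct(victim); if both call sites need it, a small named helper carrying the explanatory comment would keep them in sync and make the intent greppable. This site is the early-return branch right after task_unlock(victim), so the note should also state which sequence it closes, given the reported trace shows the victim still inside copy_process when the spinlock value is found corrupted.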
--


* Re: [syzbot] [mm?] WARNING in copy_process
  2025-08-28  7:38   ` Hillf Danton
@ 2025-08-28  8:50     ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2025-08-28  8:50 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:


syzkaller login: [   61.193277][   T49] ------------[ cut here ]------------
[   61.199021][   T49] WARNING: ./include/linux/backing-dev.h:243 at __folio_start_writeback+0x9d5/0xb70, CPU#1: kworker/u8:3/49
[   61.211060][   T49] Modules linked in:
[   61.215644][   T49] CPU: 1 UID: 0 PID: 49 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(full) 
[   61.225807][   T49] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[   61.236905][   T49] Workqueue: writeback wb_workfn (flush-8:0)
[   61.243497][   T49] RIP: 0010:__folio_start_writeback+0x9d5/0xb70
[   61.250271][   T49] Code: 28 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 0e 02 2a 00 49 8b 07 25 ff 3f 00 00 e9 1b fa ff ff e8 8c f7 c5 ff 90 <0f> 0b 90 e9 d6 fb ff ff e8 7e f7 c5 ff 48 c7 c7 e0 fe 5f 8e 4c 89
[   61.270834][   T49] RSP: 0018:ffffc90000b96ea0 EFLAGS: 00010293
[   61.277505][   T49] RAX: ffffffff81fb0bb4 RBX: ffffea000507ff40 RCX: ffff888021ee9e00
[   61.286051][   T49] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   61.294530][   T49] RBP: ffffc90000b97010 R08: ffffc90000b96f97 R09: 0000000000000000
[   61.302593][   T49] R10: ffffc90000b96f80 R11: fffff52000172df3 R12: ffffea000507ff48
[   61.310575][   T49] R13: 0000000000000000 R14: ffff88802330fb80 R15: ffff88802330f960
[   61.318618][   T49] FS:  0000000000000000(0000) GS:ffff8881258ba000(0000) knlGS:0000000000000000
[   61.327639][   T49] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   61.334313][   T49] CR2: 00007f5df5d7c368 CR3: 000000000e338000 CR4: 00000000003526f0
[   61.342341][   T49] Call Trace:
[   61.345632][   T49]  <TASK>
[   61.348570][   T49]  ? folio_clear_dirty_for_io+0x226/0x880
[   61.354381][   T49]  ? __pfx___folio_start_writeback+0x10/0x10
[   61.360382][   T49]  ? __pfx_folio_clear_dirty_for_io+0x10/0x10
[   61.366955][   T49]  ? stack_trace_save+0x9c/0xe0
[   61.371876][   T49]  __block_write_full_folio+0x75f/0xe10
[   61.377524][   T49]  ? __pfx_blkdev_get_block+0x10/0x10
[   61.382990][   T49]  blkdev_writepages+0xd1/0x170
[   61.388034][   T49]  ? __pfx_blkdev_writepages+0x10/0x10
[   61.393613][   T49]  ? __pfx_blkdev_writepages+0x10/0x10
[   61.399100][   T49]  do_writepages+0x32e/0x550
[   61.403771][   T49]  __writeback_single_inode+0x145/0xff0
[   61.409342][   T49]  ? wbc_attach_and_unlock_inode+0x3f0/0x5d0
[   61.415796][   T49]  writeback_sb_inodes+0x6c7/0x1010
[   61.421052][   T49]  ? __pfx_writeback_sb_inodes+0x10/0x10
[   61.426785][   T49]  ? __pfx_down_read_trylock+0x10/0x10
[   61.432326][   T49]  ? __pfx___up_read+0x10/0x10
[   61.437121][   T49]  __writeback_inodes_wb+0x111/0x240
[   61.442532][   T49]  wb_writeback+0x44f/0xaf0
[   61.447153][   T49]  ? queue_io+0x301/0x590
[   61.451514][   T49]  ? __pfx_wb_writeback+0x10/0x10
[   61.456660][   T49]  wb_workfn+0xaef/0xef0
[   61.461023][   T49]  ? __pfx_wb_workfn+0x10/0x10
[   61.465874][   T49]  ? __lock_acquire+0xab9/0xd20
[   61.470765][   T49]  ? process_scheduled_works+0x9ef/0x17b0
[   61.476587][   T49]  ? _raw_spin_unlock_irq+0x23/0x50
[   61.481819][   T49]  ? process_scheduled_works+0x9ef/0x17b0
[   61.487604][   T49]  ? process_scheduled_works+0x9ef/0x17b0
[   61.493412][   T49]  process_scheduled_works+0xade/0x17b0
[   61.499293][   T49]  ? __pfx_process_scheduled_works+0x10/0x10
[   61.505356][   T49]  worker_thread+0x8a0/0xda0
[   61.510083][   T49]  kthread+0x70e/0x8a0
[   61.514242][   T49]  ? __pfx_worker_thread+0x10/0x10
[   61.519371][   T49]  ? __pfx_kthread+0x10/0x10
[   61.524014][   T49]  ? _raw_spin_unlock_irq+0x23/0x50
[   61.529226][   T49]  ? lockdep_hardirqs_on+0x9c/0x150
[   61.534487][   T49]  ? __pfx_kthread+0x10/0x10
[   61.539097][   T49]  ret_from_fork+0x47c/0x820
[   61.543750][   T49]  ? __pfx_ret_from_fork+0x10/0x10
[   61.548892][   T49]  ? __switch_to_asm+0x39/0x70
[   61.554159][   T49]  ? __switch_to_asm+0x33/0x70
[   61.558943][   T49]  ? __pfx_kthread+0x10/0x10
[   61.563593][   T49]  ret_from_fork_asm+0x1a/0x30
[   61.568400][   T49]  </TASK>
[   61.571434][   T49] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   61.578719][   T49] CPU: 1 UID: 0 PID: 49 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(full) 
[   61.588013][   T49] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[   61.598086][   T49] Workqueue: writeback wb_workfn (flush-8:0)
[   61.604111][   T49] Call Trace:
[   61.607477][   T49]  <TASK>
[   61.610398][   T49]  dump_stack_lvl+0x99/0x250
[   61.615000][   T49]  ? __asan_memcpy+0x40/0x70
[   61.619582][   T49]  ? __pfx_dump_stack_lvl+0x10/0x10
[   61.624789][   T49]  ? __pfx__printk+0x10/0x10
[   61.629419][   T49]  vpanic+0x229/0x6d0
[   61.633483][   T49]  ? __pfx_vpanic+0x10/0x10
[   61.637984][   T49]  ? is_bpf_text_address+0x292/0x2b0
[   61.643263][   T49]  ? is_bpf_text_address+0x26/0x2b0
[   61.648458][   T49]  panic+0xb9/0xc0
[   61.652212][   T49]  ? __pfx_panic+0x10/0x10
[   61.656633][   T49]  ? ret_from_fork_asm+0x1a/0x30
[   61.661566][   T49]  __warn+0x334/0x4c0
[   61.665629][   T49]  ? __folio_start_writeback+0x9d5/0xb70
[   61.671259][   T49]  ? __folio_start_writeback+0x9d5/0xb70
[   61.676881][   T49]  report_bug+0x2be/0x4f0
[   61.681209][   T49]  ? __folio_start_writeback+0x9d5/0xb70
[   61.686829][   T49]  ? __folio_start_writeback+0x9d5/0xb70
[   61.692461][   T49]  ? __folio_start_writeback+0x9d7/0xb70
[   61.698092][   T49]  handle_bug+0x84/0x160
[   61.702333][   T49]  exc_invalid_op+0x1a/0x50
[   61.706834][   T49]  asm_exc_invalid_op+0x1a/0x20
[   61.711672][   T49] RIP: 0010:__folio_start_writeback+0x9d5/0xb70
[   61.717906][   T49] Code: 28 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 0e 02 2a 00 49 8b 07 25 ff 3f 00 00 e9 1b fa ff ff e8 8c f7 c5 ff 90 <0f> 0b 90 e9 d6 fb ff ff e8 7e f7 c5 ff 48 c7 c7 e0 fe 5f 8e 4c 89
[   61.737513][   T49] RSP: 0018:ffffc90000b96ea0 EFLAGS: 00010293
[   61.743575][   T49] RAX: ffffffff81fb0bb4 RBX: ffffea000507ff40 RCX: ffff888021ee9e00
[   61.751536][   T49] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   61.759496][   T49] RBP: ffffc90000b97010 R08: ffffc90000b96f97 R09: 0000000000000000
[   61.767548][   T49] R10: ffffc90000b96f80 R11: fffff52000172df3 R12: ffffea000507ff48
[   61.775511][   T49] R13: 0000000000000000 R14: ffff88802330fb80 R15: ffff88802330f960
[   61.783661][   T49]  ? __folio_start_writeback+0x9d4/0xb70
[   61.789308][   T49]  ? folio_clear_dirty_for_io+0x226/0x880
[   61.795141][   T49]  ? __pfx___folio_start_writeback+0x10/0x10
[   61.801124][   T49]  ? __pfx_folio_clear_dirty_for_io+0x10/0x10
[   61.807192][   T49]  ? stack_trace_save+0x9c/0xe0
[   61.812048][   T49]  __block_write_full_folio+0x75f/0xe10
[   61.817587][   T49]  ? __pfx_blkdev_get_block+0x10/0x10
[   61.822951][   T49]  blkdev_writepages+0xd1/0x170
[   61.827793][   T49]  ? __pfx_blkdev_writepages+0x10/0x10
[   61.833265][   T49]  ? __pfx_blkdev_writepages+0x10/0x10
[   61.838887][   T49]  do_writepages+0x32e/0x550
[   61.843486][   T49]  __writeback_single_inode+0x145/0xff0
[   61.849028][   T49]  ? wbc_attach_and_unlock_inode+0x3f0/0x5d0
[   61.855009][   T49]  writeback_sb_inodes+0x6c7/0x1010
[   61.860230][   T49]  ? __pfx_writeback_sb_inodes+0x10/0x10
[   61.865887][   T49]  ? __pfx_down_read_trylock+0x10/0x10
[   61.871340][   T49]  ? __pfx___up_read+0x10/0x10
[   61.876121][   T49]  __writeback_inodes_wb+0x111/0x240
[   61.881420][   T49]  wb_writeback+0x44f/0xaf0
[   61.885923][   T49]  ? queue_io+0x301/0x590
[   61.890250][   T49]  ? __pfx_wb_writeback+0x10/0x10
[   61.895299][   T49]  wb_workfn+0xaef/0xef0
[   61.899543][   T49]  ? __pfx_wb_workfn+0x10/0x10
[   61.904300][   T49]  ? __lock_acquire+0xab9/0xd20
[   61.909152][   T49]  ? process_scheduled_works+0x9ef/0x17b0
[   61.914872][   T49]  ? _raw_spin_unlock_irq+0x23/0x50
[   61.920061][   T49]  ? process_scheduled_works+0x9ef/0x17b0
[   61.925769][   T49]  ? process_scheduled_works+0x9ef/0x17b0
[   61.931508][   T49]  process_scheduled_works+0xade/0x17b0
[   61.937069][   T49]  ? __pfx_process_scheduled_works+0x10/0x10
[   61.943066][   T49]  worker_thread+0x8a0/0xda0
[   61.947677][   T49]  kthread+0x70e/0x8a0
[   61.951745][   T49]  ? __pfx_worker_thread+0x10/0x10
[   61.956848][   T49]  ? __pfx_kthread+0x10/0x10
[   61.961434][   T49]  ? _raw_spin_unlock_irq+0x23/0x50
[   61.967056][   T49]  ? lockdep_hardirqs_on+0x9c/0x150
[   61.972244][   T49]  ? __pfx_kthread+0x10/0x10
[   61.976831][   T49]  ret_from_fork+0x47c/0x820
[   61.981502][   T49]  ? __pfx_ret_from_fork+0x10/0x10
[   61.987052][   T49]  ? __switch_to_asm+0x39/0x70
[   61.991803][   T49]  ? __switch_to_asm+0x33/0x70
[   61.996560][   T49]  ? __pfx_kthread+0x10/0x10
[   62.001202][   T49]  ret_from_fork_asm+0x1a/0x30
[   62.005975][   T49]  </TASK>
[   62.009227][   T49] Kernel Offset: disabled
[   62.013542][   T49] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=131edc62580000


Tested on:

commit:         8cd53fb4 Add linux-next specific files for 20250828
git tree:       linux-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=b2dd1e2b1175b2be
dashboard link: https://syzkaller.appspot.com/bug?extid=69c74d38464686431506
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17487c42580000


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [syzbot] [mm?] WARNING in copy_process
  2025-08-27 23:15 ` syzbot
  2025-08-28  7:38   ` Hillf Danton
@ 2025-08-28 11:47   ` Hillf Danton
  2025-08-28 12:18     ` syzbot
  1 sibling, 1 reply; 8+ messages in thread
From: Hillf Danton @ 2025-08-28 11:47 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

> Date: Wed, 27 Aug 2025 16:15:31 -0700
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    7fa4d8dc380f Add linux-next specific files for 20250821
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1036def0580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ae76068823a236b3
> dashboard link: https://syzkaller.appspot.com/bug?extid=69c74d38464686431506
> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13595c62580000

#syz test

--- x/mm/oom_kill.c
+++ y/mm/oom_kill.c
@@ -997,6 +997,8 @@ static void __oom_kill_process(struct ta
 		queue_oom_reaper(victim);
 
 	mmdrop(mm);
+	write_lock_irq(&tasklist_lock);
+	write_unlock_irq(&tasklist_lock);
 	put_task_struct(victim);
 }
 
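Review bot: the added `write_lock_irq(&tasklist_lock); write_unlock_irq(&tasklist_lock);` pair before `put_task_struct(victim)` is an empty critical section with no comment saying what it synchronizes against, so a reader cannot tell whether it is meant to wait out a concurrent tasklist_lock writer or is only a probe for this `#syz test` run. If it is meant to stay, add a comment naming the writer it waits for. Also, `write_unlock_irq()` unconditionally re-enables interrupts, so placing it here after `mmdrop(mm)` is only safe if no caller reaches `__oom_kill_process()` with interrupts disabled; `write_lock_irqsave()`/`write_unlock_irqrestore()` would be the conservative choice.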
@@ -1031,6 +1033,8 @@ static void oom_kill_process(struct oom_
 		mark_oom_victim(victim);
 		queue_oom_reaper(victim);
 		task_unlock(victim);
+		write_lock_irq(&tasklist_lock);
+		write_unlock_irq(&tasklist_lock);
 		put_task_struct(victim);
 		return;
 	}
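Review bot: the same empty lock/unlock pair is duplicated in the early-return branch of `oom_kill_process()`, right after `task_unlock(victim)` and before its `put_task_struct(victim)`. Two copies of an unexplained barrier will drift apart; if it is required before every `put_task_struct()` on an OOM victim, factor it into one small helper with a comment that states the ordering it enforces against the tasklist_lock writer.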
--- x/mm/page-writeback.c
+++ y/mm/page-writeback.c
@@ -3014,7 +3014,7 @@ bool __folio_end_writeback(struct folio
 
 	if (mapping && mapping_use_writeback_tags(mapping)) {
 		struct inode *inode = mapping->host;
-		struct bdi_writeback *wb = inode_to_wb(inode);
+		struct bdi_writeback *wb;
 		unsigned long flags;
 
 		xa_lock_irqsave(&mapping->i_pages, flags);
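Review bot: dropping the initializer from `struct bdi_writeback *wb;` leaves `wb` uninitialized from its declaration until the assignment the next hunk adds after `__xa_clear_mark()`, so this is only correct if no statement between `xa_lock_irqsave(&mapping->i_pages, flags)` and that assignment reads `wb`; please confirm that for the lines elided between the two hunks. The `#syz test` submission also carries no changelog, so state why `inode_to_wb(inode)` must move under the i_pages lock.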
@@ -3022,6 +3022,7 @@ bool __folio_end_writeback(struct folio
 		__xa_clear_mark(&mapping->i_pages, folio_index(folio),
 					PAGECACHE_TAG_WRITEBACK);
 
+		wb = inode_to_wb(inode);
 		wb_stat_mod(wb, WB_WRITEBACK, -nr);
 		__wb_writeout_add(wb, nr);
 		if (!mapping_tagged(mapping, PAGECACHE_TAG_WRITEBACK)) {
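Review bot: the new `wb = inode_to_wb(inode);` now sits between `__xa_clear_mark()` and `wb_stat_mod(wb, WB_WRITEBACK, -nr)`, i.e. under `xa_lock_irqsave` instead of at declaration time. A one-line comment above it saying that the lookup must happen with i_pages locked would stop a later cleanup from hoisting it back to the declaration.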
@@ -3054,7 +3055,7 @@ void __folio_start_writeback(struct foli
 	if (mapping && mapping_use_writeback_tags(mapping)) {
 		XA_STATE(xas, &mapping->i_pages, folio_index(folio));
 		struct inode *inode = mapping->host;
-		struct bdi_writeback *wb = inode_to_wb(inode);
+		struct bdi_writeback *wb;
 		unsigned long flags;
 		bool on_wblist;
 
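Review bot: same pattern as in `__folio_end_writeback()`: `wb` is declared uninitialized here and only assigned in the following hunk after `xas_set_mark()`. Check that none of the lines elided between this hunk and the next (the XA_STATE setup and the lock acquisition are not shown) use `wb` before it is set.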
@@ -3065,6 +3066,7 @@ void __folio_start_writeback(struct foli
 		on_wblist = mapping_tagged(mapping, PAGECACHE_TAG_WRITEBACK);
 
 		xas_set_mark(&xas, PAGECACHE_TAG_WRITEBACK);
+		wb = inode_to_wb(inode);
 		wb_stat_mod(wb, WB_WRITEBACK, nr);
 		if (!on_wblist) {
 			wb_inode_writeback_start(wb);
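Review bot: in `__folio_start_writeback()` the lookup is placed after `xas_set_mark(&xas, PAGECACHE_TAG_WRITEBACK)`, whereas in `__folio_end_writeback()` it is placed after `__xa_clear_mark()`. Both are under the i_pages lock, but putting `wb = inode_to_wb(inode);` immediately after the lock is taken in both functions would make the dependency on the lock obvious and keep the two paths symmetric.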
--

* Re: [syzbot] [mm?] WARNING in copy_process
  2025-08-28 11:47   ` Hillf Danton
@ 2025-08-28 12:18     ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2025-08-28 12:18 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+69c74d38464686431506@syzkaller.appspotmail.com
Tested-by: syzbot+69c74d38464686431506@syzkaller.appspotmail.com

Tested on:

commit:         8cd53fb4 Add linux-next specific files for 20250828
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13053ef0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e373077dd6283453
dashboard link: https://syzkaller.appspot.com/bug?extid=69c74d38464686431506
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16a93ef0580000

Note: testing is done by a robot and is best-effort only.

* Re: [syzbot] [mm?] WARNING in copy_process
  2025-08-25 15:50 ` David Hildenbrand
@ 2025-08-28 13:12   ` Hillf Danton
  0 siblings, 0 replies; 8+ messages in thread
From: Hillf Danton @ 2025-08-28 13:12 UTC (permalink / raw)
  To: David Hildenbrand
  Cc: syzbot, akpm, kees, linux-kernel, linux-mm, peterz,
	syzkaller-bugs

On Mon, 25 Aug 2025 17:50:15 +0200 David Hildenbrand wrote:
> On 25.08.25 05:00, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    41cd3fd15263 Merge tag 'pci-v6.17-fixes-2' of git://git.ke..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b3bc580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=fecbb496f75d3d61
> > dashboard link: https://syzkaller.appspot.com/bug?extid=69c74d38464686431506
> > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > 
> > Unfortunately, I don't have any reproducer for this issue yet.
> > 
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/ea83f558e101/disk-41cd3fd1.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/a35b75cdd97b/vmlinux-41cd3fd1.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/37d76e9636c2/bzImage-41cd3fd1.xz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+69c74d38464686431506@syzkaller.appspotmail.com
> > 
> > oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0-1,oom_memcg=/syz1,task_memcg=/syz1,task=syz.1.3237,pid=23388,uid=0
> > Memory cgroup out of memory: Killed process 23388 (syz.1.3237) total-vm:101828kB, anon-rss:940kB, file-rss:21532kB, shmem-rss:0kB, UID:0 pgtables:116kB oom_score_adj:1000
> 
> Here we are killing 23388 (syz.1.3237)
> 
> > ------------[ cut here ]------------
> > pvqspinlock: lock 0xffff88803512c0c0 has corrupted value 0x0!
> > WARNING: CPU: 0 PID: 23388 at kernel/locking/qspinlock_paravirt.h:504 __pv_queued_spin_unlock_slowpath+0x237/0x330 kernel/locking/qspinlock_paravirt.h:504
> > Modules linked in:
> > CPU: 0 UID: 0 PID: 23388 Comm: syz.1.3237 Tainted: G     U              syzkaller #0 PREEMPT(full)
> 
> And here we are still in the process ...
> 
> > Tainted: [U]=USER
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
> > RIP: 0010:__pv_queued_spin_unlock_slowpath+0x237/0x330 kernel/locking/qspinlock_paravirt.h:504
> > Code: 03 0f b6 14 02 4c 89 e8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 67 41 8b 55 00 4c 89 ee 48 c7 c7 00 81 ad 8b e8 fa aa e6 f5 90 <0f> 0b 90 90 e9 64 ff ff ff 90 0f 0b 48 89 df 4c 89 04 24 e8 71 15
> > RSP: 0018:ffffc9000e9c79c8 EFLAGS: 00010286
> > RAX: 0000000000000000 RBX: ffff88803512c0c0 RCX: ffffffff817a02c8
> > RDX: ffff88802fa9bc00 RSI: ffffffff817a02d5 RDI: 0000000000000001
> > RBP: ffff88803512c0c8 R08: 0000000000000001 R09: 0000000000000000
> > R10: 0000000000000000 R11: 00000000000d4550 R12: ffff88803512c0d0
> > R13: ffff88803512c0c0 R14: 00000000003d0f00 R15: ffff88802ab43c00
> > FS:  0000555568154500(0000) GS:ffff8881246c4000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f86cc8e86ec CR3: 0000000060c0e000 CR4: 00000000003526f0
> > Call Trace:
> >   <TASK>
> >   __raw_callee_save___pv_queued_spin_unlock_slowpath+0x15/0x30
> >   .slowpath+0x9/0x18
> >   pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:562 [inline]
> >   queued_spin_unlock arch/x86/include/asm/qspinlock.h:57 [inline]
> >   do_raw_spin_unlock+0x172/0x230 kernel/locking/spinlock_debug.c:142
> >   __raw_spin_unlock include/linux/spinlock_api_smp.h:142 [inline]
> >   _raw_spin_unlock+0x1e/0x50 kernel/locking/spinlock.c:186
> >   spin_unlock include/linux/spinlock.h:391 [inline]
> 
> ... busy during clone.
> 
> I assume that it is 23388 calling clone() and not getting cloned (it 
> should not get scheduled yet).
> 
> So likely, the OOM is shooting something down that kernel_clone() still 
> depends on ... maybe?
> 
Difficult to understand the oom shot, given that tasklist_lock is held for write
also in release_task(). Weird.

Thread overview: 8+ messages
2025-08-25  3:00 [syzbot] [mm?] WARNING in copy_process syzbot
2025-08-25 15:50 ` David Hildenbrand
2025-08-28 13:12   ` Hillf Danton
2025-08-27 23:15 ` syzbot
2025-08-28  7:38   ` Hillf Danton
2025-08-28  8:50     ` syzbot
2025-08-28 11:47   ` Hillf Danton
2025-08-28 12:18     ` syzbot
