* [syzbot] [ext4?] INFO: rcu detected stall in ext4_file_mmap_prepare
From: syzbot @ 2025-09-16 20:08 UTC (permalink / raw)
To: jack, linux-ext4, linux-kernel, syzkaller-bugs, tytso
Hello,
syzbot found the following issue on:
HEAD commit: c3067c2c3831 Add linux-next specific files for 20250915
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15464e42580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e269dbc7717119a2
dashboard link: https://syzkaller.appspot.com/bug?extid=fc241a3fa60015afb3d1
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d7b47c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11d7b47c580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/753ebccc7349/disk-c3067c2c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/62984b0c436c/vmlinux-c3067c2c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/301e0d2bfc64/bzImage-c3067c2c.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fc241a3fa60015afb3d1@syzkaller.appspotmail.com
sched: DL replenish lagged too much
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 1-...!: (1 GPs behind) idle=3aa4/1/0x4000000000000000 softirq=15601/15602 fqs=59
rcu: (detected by 0, t=10505 jiffies, g=10297, q=397 ncpus=2)
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 6042 Comm: sed Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:__lock_acquire+0x870/0xd20 kernel/locking/lockdep.c:5232
Call Trace:
<IRQ>
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0xa2/0xf0 kernel/locking/spinlock.c:170
__run_hrtimer kernel/time/hrtimer.c:1781 [inline]
__hrtimer_run_queues+0x602/0xc60 kernel/time/hrtimer.c:1841
hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1903
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1041 [inline]
__sysvec_apic_timer_interrupt+0x10b/0x410 arch/x86/kernel/apic/apic.c:1058
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1052
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
stack_depot_save_flags+0x41b/0x860 lib/stackdepot.c:720
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x4f/0x80 mm/kasan/common.c:77
unpoison_slab_object mm/kasan/common.c:342 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:368
kasan_slab_alloc include/linux/kasan.h:252 [inline]
slab_post_alloc_hook mm/slub.c:4927 [inline]
slab_alloc_node mm/slub.c:5226 [inline]
kmem_cache_alloc_noprof+0x367/0x6e0 mm/slub.c:5233
journal_alloc_journal_head fs/jbd2/journal.c:2826 [inline]
jbd2_journal_add_journal_head+0x95/0x4b0 fs/jbd2/journal.c:2894
jbd2_journal_get_write_access+0x1c9/0x230 fs/jbd2/transaction.c:1237
__ext4_journal_get_write_access+0x1c3/0x570 fs/ext4/ext4_jbd2.c:242
ext4_reserve_inode_write+0x294/0x360 fs/ext4/inode.c:6326
__ext4_mark_inode_dirty+0x15b/0x700 fs/ext4/inode.c:6501
ext4_dirty_inode+0xd0/0x110 fs/ext4/inode.c:6538
__mark_inode_dirty+0x2ec/0xe10 fs/fs-writeback.c:2567
generic_update_time fs/inode.c:2087 [inline]
inode_update_time fs/inode.c:2100 [inline]
touch_atime+0x59b/0x6d0 fs/inode.c:2172
file_accessed include/linux/fs.h:2675 [inline]
ext4_file_mmap_prepare+0x24d/0x440 fs/ext4/file.c:828
vfs_mmap_prepare include/linux/fs.h:2412 [inline]
call_mmap_prepare mm/vma.c:2593 [inline]
__mmap_region mm/vma.c:2671 [inline]
mmap_region+0xb38/0x1c70 mm/vma.c:2764
do_mmap+0xc45/0x10d0 mm/mmap.c:558
vm_mmap_pgoff+0x2a6/0x4d0 mm/util.c:580
ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:604
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
rcu: rcu_preempt kthread starved for 10210 jiffies! g10297 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:R running task stack:26696 pid:16 tgid:16 ppid:2 task_flags:0x208040 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5360 [inline]
__schedule+0x1798/0x4cc0 kernel/sched/core.c:6964
__schedule_loop kernel/sched/core.c:7046 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7061
schedule_timeout+0x12b/0x270 kernel/time/sleep_timeout.c:99
rcu_gp_fqs_loop+0x301/0x1540 kernel/rcu/tree.c:2083
rcu_gp_kthread+0x99/0x390 kernel/rcu/tree.c:2285
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
rcu: Stack dump where RCU GP kthread last ran:
CPU: 0 UID: 0 PID: 5873 Comm: udevd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xd33/0x12d0 kernel/smp.c:877
Call Trace:
<TASK>
on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1044
__flush_tlb_multi arch/x86/include/asm/paravirt.h:91 [inline]
flush_tlb_multi arch/x86/mm/tlb.c:1361 [inline]
flush_tlb_mm_range+0x6b1/0x12d0 arch/x86/mm/tlb.c:1451
flush_tlb_page arch/x86/include/asm/tlbflush.h:324 [inline]
ptep_clear_flush+0x120/0x170 mm/pgtable-generic.c:101
wp_page_copy mm/memory.c:3780 [inline]
do_wp_page+0x1bc2/0x5800 mm/memory.c:4175
handle_pte_fault mm/memory.c:6233 [inline]
__handle_mm_fault+0x102e/0x5440 mm/memory.c:6360
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6529
do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Forwarded: [PATCH] testing
From: syzbot @ 2025-10-22 6:01 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] testing
Author: ankitkhushwaha.linux@gmail.com
Signed-off-by: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
---
#syz test
---
arch/x86/kernel/kvmclock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
index ca0a49eeac4a..7d1c98efa6a4 100644
--- a/arch/x86/kernel/kvmclock.c
+++ b/arch/x86/kernel/kvmclock.c
@@ -74,7 +74,7 @@ static int kvm_set_wallclock(const struct timespec64 *now)
static u64 kvm_clock_read(void)
{
u64 ret;
-
+ //
preempt_disable_notrace();
ret = pvclock_clocksource_read_nowd(this_cpu_pvti());
preempt_enable_notrace();
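Review bot: the added "//" line after "u64 ret;" in kvm_clock_read() is an empty comment that takes the place of the blank line between the declaration and the first statement, so the hunk changes no behaviour and cannot affect the reported RCU stall. If the patch exists only to give "#syz test" something to apply, say so in the commit message rather than leaving the bare subject "testing"; otherwise drop the hunk and keep the blank line, since kernel style separates declarations from code with an empty line and uses /* */ comments rather than //.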
--
2.51.0
* Re: [syzbot] [ext4?] INFO: rcu detected stall in ext4_file_mmap_prepare
From: syzbot @ 2025-10-22 6:43 UTC (permalink / raw)
To: ankitkhushwaha.linux, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: rcu detected stall in NF_HOOK
sched: DL replenish lagged too much
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 0-...!: (1 GPs behind) idle=0e34/1/0x4000000000000000 softirq=20725/20726 fqs=298
rcu: (detected by 1, t=10505 jiffies, g=15545, q=130 ncpus=2)
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:mark_usage kernel/locking/lockdep.c:4628 [inline]
RIP: 0010:__lock_acquire+0x606/0xd20 kernel/locking/lockdep.c:5191
Call Trace:
<IRQ>
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
debug_object_deactivate+0x9a/0x250 lib/debugobjects.c:873
debug_hrtimer_deactivate kernel/time/hrtimer.c:443 [inline]
debug_deactivate+0x1d/0x200 kernel/time/hrtimer.c:483
__run_hrtimer kernel/time/hrtimer.c:1745 [inline]
__hrtimer_run_queues+0x2b0/0xc60 kernel/time/hrtimer.c:1841
hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1903
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1041 [inline]
__sysvec_apic_timer_interrupt+0x10b/0x410 arch/x86/kernel/apic/apic.c:1058
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1052
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:ip6_ignore_linkdown include/net/addrconf.h:448 [inline]
RIP: 0010:find_match+0x13b/0xc90 net/ipv6/route.c:780
__find_rr_leaf+0x23a/0x6d0 net/ipv6/route.c:868
find_rr_leaf net/ipv6/route.c:889 [inline]
rt6_select net/ipv6/route.c:933 [inline]
fib6_table_lookup+0x39f/0xa80 net/ipv6/route.c:2233
ip6_pol_route+0x222/0x1180 net/ipv6/route.c:2269
pol_lookup_func include/net/ip6_fib.h:617 [inline]
fib6_rule_lookup+0x52f/0x6f0 net/ipv6/fib6_rules.c:120
ip6_route_input_lookup net/ipv6/route.c:2338 [inline]
ip6_route_input+0x6de/0xad0 net/ipv6/route.c:2641
ip6_rcv_finish+0x141/0x2e0 net/ipv6/ip6_input.c:77
ip_sabotage_in+0x1e1/0x270 net/bridge/br_netfilter_hooks.c:990
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
nf_hook include/linux/netfilter.h:273 [inline]
NF_HOOK+0x206/0x3a0 include/linux/netfilter.h:316
__netif_receive_skb_one_core net/core/dev.c:6126 [inline]
__netif_receive_skb+0xd3/0x380 net/core/dev.c:6239
netif_receive_skb_internal net/core/dev.c:6325 [inline]
netif_receive_skb+0x1cb/0x790 net/core/dev.c:6384
NF_HOOK+0xa0/0x390 include/linux/netfilter.h:319
br_handle_frame_finish+0x15c6/0x1c50 net/bridge/br_input.c:235
br_nf_hook_thresh+0x3c6/0x4a0 net/bridge/br_netfilter_hooks.c:-1
br_nf_pre_routing_finish_ipv6+0x999/0xd60 net/bridge/br_netfilter_ipv6.c:-1
NF_HOOK include/linux/netfilter.h:318 [inline]
br_nf_pre_routing_ipv6+0x37e/0x6b0 net/bridge/br_netfilter_ipv6.c:184
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
br_handle_frame+0x982/0x14c0 net/bridge/br_input.c:442
__netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:6013
__netif_receive_skb_one_core net/core/dev.c:6124 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6239
process_backlog+0x60e/0x14f0 net/core/dev.c:6591
__napi_poll+0xc7/0x360 net/core/dev.c:7641
napi_poll net/core/dev.c:7704 [inline]
net_rx_action+0x5f7/0xdf0 net/core/dev.c:7831
handle_softirqs+0x286/0x870 kernel/softirq.c:622
do_softirq+0xec/0x180 kernel/softirq.c:523
</IRQ>
<TASK>
__local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:936 [inline]
__dev_queue_xmit+0x1bfb/0x3740 net/core/dev.c:4837
neigh_output include/net/neighbour.h:547 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK include/linux/netfilter.h:318 [inline]
ndisc_send_skb+0xbce/0x1510 net/ipv6/ndisc.c:512
ndisc_send_ns+0xcb/0x150 net/ipv6/ndisc.c:670
addrconf_dad_work+0xaae/0x14b0 net/ipv6/addrconf.c:4282
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
rcu: rcu_preempt kthread starved for 9015 jiffies! g15545 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:R running task stack:27128 pid:16 tgid:16 ppid:2 task_flags:0x208040 flags:0x00080000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5254 [inline]
__schedule+0x17c4/0x4d60 kernel/sched/core.c:6862
__schedule_loop kernel/sched/core.c:6944 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6959
schedule_timeout+0x12b/0x270 kernel/time/sleep_timeout.c:99
rcu_gp_fqs_loop+0x301/0x1540 kernel/rcu/tree.c:2083
rcu_gp_kthread+0x99/0x390 kernel/rcu/tree.c:2285
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
rcu: Stack dump where RCU GP kthread last ran:
CPU: 1 UID: 0 PID: 6326 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xd33/0x12d0 kernel/smp.c:877
Call Trace:
<TASK>
on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1043
__flush_tlb_multi arch/x86/include/asm/paravirt.h:91 [inline]
flush_tlb_multi arch/x86/mm/tlb.c:1381 [inline]
flush_tlb_mm_range+0x6b1/0x12d0 arch/x86/mm/tlb.c:1471
tlb_flush arch/x86/include/asm/tlb.h:23 [inline]
tlb_flush_mmu_tlbonly include/asm-generic/tlb.h:490 [inline]
tlb_flush_mmu+0x1a7/0x680 mm/mmu_gather.c:403
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
free_ldt_pgtables+0x17b/0x320 arch/x86/kernel/ldt.c:411
arch_exit_mmap arch/x86/include/asm/mmu_context.h:234 [inline]
exit_mmap+0x174/0xb40 mm/mmap.c:1263
__mmput+0x118/0x430 kernel/fork.c:1133
exit_mm+0x1da/0x2c0 kernel/exit.c:582
do_exit+0x648/0x2300 kernel/exit.c:954
do_group_exit+0x21c/0x2d0 kernel/exit.c:1107
get_signal+0x1285/0x1340 kernel/signal.c:3034
arch_do_signal_or_restart+0xa0/0x790 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x72/0x130 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Tested on:
commit: aaa9c355 Add linux-next specific files for 20251022
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=141353e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4db31502c80669bd
dashboard link: https://syzkaller.appspot.com/bug?extid=fc241a3fa60015afb3d1
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=10c77c58580000