==================================================================
BUG: KCSAN: data-race in mem_cgroup_flush_stats_ratelimited / tick_do_update_jiffies64

read-write to 0xffffffff868099c0 of 8 bytes by interrupt on cpu 0:
 tick_do_update_jiffies64+0x113/0x1c0 kernel/time/tick-sched.c:118
 tick_sched_do_timer kernel/time/tick-sched.c:232 [inline]
 tick_nohz_handler+0x7f/0x2d0 kernel/time/tick-sched.c:290
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x20f/0x5a0 kernel/time/hrtimer.c:1841
 hrtimer_interrupt+0x21a/0x460 kernel/time/hrtimer.c:1903
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1041 [inline]
 __sysvec_apic_timer_interrupt+0x5f/0x1d0 arch/x86/kernel/apic/apic.c:1058
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0x6f/0x80 arch/x86/kernel/apic/apic.c:1052
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
 kcsan_setup_watchpoint+0x415/0x430 kernel/kcsan/core.c:705
 zap_present_folio_ptes include/linux/page-flags.h:-1 [inline]
 zap_present_ptes mm/memory.c:1709 [inline]
 do_zap_pte_range mm/memory.c:1810 [inline]
 zap_pte_range mm/memory.c:1854 [inline]
 zap_pmd_range mm/memory.c:1946 [inline]
 zap_pud_range mm/memory.c:1975 [inline]
 zap_p4d_range mm/memory.c:1996 [inline]
 unmap_page_range+0xd40/0x25c0 mm/memory.c:2017
 unmap_single_vma mm/memory.c:2060 [inline]
 unmap_vmas+0x23d/0x3a0 mm/memory.c:2104
 exit_mmap+0x1b0/0x6c0 mm/mmap.c:1280
 __mmput+0x28/0x1c0 kernel/fork.c:1133
 mmput+0x40/0x50 kernel/fork.c:1156
 exit_mm+0xe4/0x180 kernel/exit.c:582
 do_exit+0x417/0x15c0 kernel/exit.c:954
 do_group_exit+0x139/0x140 kernel/exit.c:1107
 __do_sys_exit_group kernel/exit.c:1118 [inline]
 __se_sys_exit_group kernel/exit.c:1116 [inline]
 __x64_sys_exit_group+0x1f/0x20 kernel/exit.c:1116
 x64_sys_call+0x2ff1/0x3000 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffffff868099c0 of 8 bytes by task 7340 on cpu 1:
 mem_cgroup_flush_stats_ratelimited+0x29/0x70 mm/memcontrol.c:635
 count_shadow_nodes+0x6a/0x230 mm/workingset.c:678
 do_shrink_slab+0x63/0x680 mm/shrinker.c:384
 shrink_slab_memcg mm/shrinker.c:550 [inline]
 shrink_slab+0x448/0x760 mm/shrinker.c:628
 shrink_node_memcgs mm/vmscan.c:6056 [inline]
 shrink_node+0x6c3/0x2120 mm/vmscan.c:6095
 shrink_zones mm/vmscan.c:6339 [inline]
 do_try_to_free_pages+0x3f6/0xcd0 mm/vmscan.c:6401
 try_to_free_mem_cgroup_pages+0x1ab/0x410 mm/vmscan.c:6729
 try_charge_memcg+0x383/0xa10 mm/memcontrol.c:2356
 try_charge mm/memcontrol.c:2498 [inline]
 charge_memcg+0x51/0xc0 mm/memcontrol.c:4701
 __mem_cgroup_charge+0x28/0xb0 mm/memcontrol.c:4718
 mem_cgroup_charge include/linux/memcontrol.h:662 [inline]
 shmem_alloc_and_add_folio mm/shmem.c:1920 [inline]
 shmem_get_folio_gfp+0x470/0xd60 mm/shmem.c:2533
 shmem_get_folio mm/shmem.c:2639 [inline]
 shmem_write_begin+0xa8/0x190 mm/shmem.c:3289
 generic_perform_write+0x184/0x490 mm/filemap.c:4242
 shmem_file_write_iter+0xc5/0xf0 mm/shmem.c:3464
 __kernel_write_iter+0x2d6/0x540 fs/read_write.c:619
 dump_emit_page fs/coredump.c:1298 [inline]
 dump_user_range+0x61e/0x8f0 fs/coredump.c:1372
 elf_core_dump+0x1de7/0x1f80 fs/binfmt_elf.c:2111
 coredump_write+0xb12/0xe30 fs/coredump.c:1049
 vfs_coredump+0x143a/0x20d0 fs/coredump.c:1170
 get_signal+0xd84/0xf70 kernel/signal.c:3019
 arch_do_signal_or_restart+0x96/0x440 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:40 [inline]
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 irqentry_exit_to_user_mode+0x5b/0xa0 kernel/entry/common.c:73
 irqentry_exit+0x12/0x50 kernel/entry/common.c:191
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618

value changed: 0x00000000ffffc1e5 -> 0x00000000ffffc1e6

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 7340 Comm: syz.4.1178 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
==================================================================
syz.4.1178 invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=1000
CPU: 1 UID: 0 PID: 7340 Comm: syz.4.1178 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 __dump_stack+0x1d/0x30 lib/dump_stack.c:94
 dump_stack_lvl+0xe8/0x140 lib/dump_stack.c:120
 dump_stack+0x15/0x1b lib/dump_stack.c:129
 dump_header+0x81/0x220 mm/oom_kill.c:467
 oom_kill_process+0x342/0x400 mm/oom_kill.c:1046
 out_of_memory+0x979/0xb80 mm/oom_kill.c:1184
 mem_cgroup_out_of_memory mm/memcontrol.c:1650 [inline]
 mem_cgroup_oom mm/memcontrol.c:1673 [inline]
 try_charge_memcg+0x610/0xa10 mm/memcontrol.c:2398
 try_charge mm/memcontrol.c:2498 [inline]
 charge_memcg+0x51/0xc0 mm/memcontrol.c:4701
 __mem_cgroup_charge+0x28/0xb0 mm/memcontrol.c:4718
 mem_cgroup_charge include/linux/memcontrol.h:662 [inline]
 shmem_alloc_and_add_folio mm/shmem.c:1920 [inline]
 shmem_get_folio_gfp+0x470/0xd60 mm/shmem.c:2533
 shmem_get_folio mm/shmem.c:2639 [inline]
 shmem_write_begin+0xa8/0x190 mm/shmem.c:3289
 generic_perform_write+0x184/0x490 mm/filemap.c:4242
 shmem_file_write_iter+0xc5/0xf0 mm/shmem.c:3464
 __kernel_write_iter+0x2d6/0x540 fs/read_write.c:619
 dump_emit_page fs/coredump.c:1298 [inline]
 dump_user_range+0x61e/0x8f0 fs/coredump.c:1372
 elf_core_dump+0x1de7/0x1f80 fs/binfmt_elf.c:2111
 coredump_write+0xb12/0xe30 fs/coredump.c:1049
 vfs_coredump+0x143a/0x20d0 fs/coredump.c:1170
 get_signal+0xd84/0xf70 kernel/signal.c:3019
 arch_do_signal_or_restart+0x96/0x440 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:40 [inline]
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 irqentry_exit_to_user_mode+0x5b/0xa0 kernel/entry/common.c:73
 irqentry_exit+0x12/0x50 kernel/entry/common.c:191
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f7ac6dff6b7
Code: 88 15 42 60 ec 00 88 05 3f 60 ec 00 c3 50 48 8d 35 e9 28 1c 00 48 8d 3d ef 28 1c 00 31 c0 e8 20 f7 ff ff 53 89 fb 48 83 ec 10 <64> 8b 04 25 94 ff ff ff 85 c0 74 2a 89 fe 31 c0 bf 3c 00 00 00 e8
RSP: 002b:00007f7ac5967060 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 000000000000000b RCX: 00007f7ac6f3f6c9
RDX: 00007f7ac5967080 RSI: 00007f7ac59671b0 RDI: 000000000000000b
RBP: 00007f7ac6fc1f91 R08: 0000000000000000 R09: 0000000000000058
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7ac7196128 R14: 00007f7ac7196090 R15: 00007fff146c1df8
 </TASK>
memory: usage 307192kB, limit 307200kB, failcnt 36679
memory+swap: usage 422876kB, limit 9007199254740988kB, failcnt 0
kmem: usage 5748kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz4:
cache 304623616
rss 245760
shmem 300441600
mapped_file 3657728
dirty 0
writeback 0
workingset_refault_anon 12
workingset_refault_file 4532
swap 127975424
swapcached 20480
pgpgin 292579
pgpgout 218143
pgfault 137566
pgmajfault 67
inactive_anon 29949952
active_anon 270622720
inactive_file 0
active_file 4071424
unevictable 0
hierarchical_memory_limit 314572800
hierarchical_memsw_limit 9223372036854771712
total_cache 304623616
total_rss 245760
total_shmem 300441600
total_mapped_file 3657728
total_dirty 0
total_writeback 0
total_workingset_refault_anon 12
total_workingset_refault_file 4532
total_swap 127975424
total_swapcached 20480
total_pgpgin 292579
total_pgpgout 218143
total_pgfault 137566
total_pgmajfault 67
total_inactive_anon 29949952
total_active_anon 270622720
total_inactive_file 0
total_active_file 4071424
total_unevictable 0
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/syz4,task_memcg=/syz4,task=syz.4.1178,pid=7323,uid=0
Memory cgroup out of memory: Killed process 7323 (syz.4.1178) total-vm:90248kB, anon-rss:1292kB, file-rss:57136kB, shmem-rss:0kB, UID:0 pgtables:192kB oom_score_adj:1000
syz.4.1178 invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=1000
CPU: 1 UID: 0 PID: 7340 Comm: syz.4.1178 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 __dump_stack+0x1d/0x30 lib/dump_stack.c:94
 dump_stack_lvl+0xe8/0x140 lib/dump_stack.c:120
 dump_stack+0x15/0x1b lib/dump_stack.c:129
 dump_header+0x81/0x220 mm/oom_kill.c:467
 oom_kill_process+0x342/0x400 mm/oom_kill.c:1046
 out_of_memory+0x979/0xb80 mm/oom_kill.c:1184
 mem_cgroup_out_of_memory mm/memcontrol.c:1650 [inline]
 mem_cgroup_oom mm/memcontrol.c:1673 [inline]
 try_charge_memcg+0x610/0xa10 mm/memcontrol.c:2398
 try_charge mm/memcontrol.c:2498 [inline]
 charge_memcg+0x51/0xc0 mm/memcontrol.c:4701
 __mem_cgroup_charge+0x28/0xb0 mm/memcontrol.c:4718
 mem_cgroup_charge include/linux/memcontrol.h:662 [inline]
 filemap_add_folio+0x111/0x360 mm/filemap.c:971
 __filemap_get_folio+0x31e/0x650 mm/filemap.c:2022
 filemap_fault+0x447/0xb60 mm/filemap.c:3499
 __do_fault+0xbc/0x200 mm/memory.c:5280
 do_read_fault mm/memory.c:5698 [inline]
 do_fault mm/memory.c:5832 [inline]
 do_pte_missing mm/memory.c:4361 [inline]
 handle_pte_fault mm/memory.c:6177 [inline]
 __handle_mm_fault mm/memory.c:6318 [inline]
 handle_mm_fault+0xf78/0x2be0 mm/memory.c:6487
 faultin_page mm/gup.c:1126 [inline]
 __get_user_pages+0x102a/0x1ed0 mm/gup.c:1428
 __get_user_pages_locked mm/gup.c:1692 [inline]
 get_dump_page+0xb5/0x250 mm/gup.c:2192
 dump_user_range+0x145/0x8f0 fs/coredump.c:1366
 elf_core_dump+0x1de7/0x1f80 fs/binfmt_elf.c:2111
 coredump_write+0xb12/0xe30 fs/coredump.c:1049
 vfs_coredump+0x143a/0x20d0 fs/coredump.c:1170
 get_signal+0xd84/0xf70 kernel/signal.c:3019
 arch_do_signal_or_restart+0x96/0x440 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:40 [inline]
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 irqentry_exit_to_user_mode+0x5b/0xa0 kernel/entry/common.c:73
 irqentry_exit+0x12/0x50 kernel/entry/common.c:191
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f7ac6dff6b7
Code: 88 15 42 60 ec 00 88 05 3f 60 ec 00 c3 50 48 8d 35 e9 28 1c 00 48 8d 3d ef 28 1c 00 31 c0 e8 20 f7 ff ff 53 89 fb 48 83 ec 10 <64> 8b 04 25 94 ff ff ff 85 c0 74 2a 89 fe 31 c0 bf 3c 00 00 00 e8
RSP: 002b:00007f7ac5967060 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 000000000000000b RCX: 00007f7ac6f3f6c9
RDX: 00007f7ac5967080 RSI: 00007f7ac59671b0 RDI: 000000000000000b
RBP: 00007f7ac6fc1f91 R08: 0000000000000000 R09: 0000000000000058
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7ac7196128 R14: 00007f7ac7196090 R15: 00007fff146c1df8
 </TASK>
memory: usage 307200kB, limit 307200kB, failcnt 47841
memory+swap: usage 398600kB, limit 9007199254740988kB, failcnt 0
kmem: usage 4928kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz4:
cache 283037696
rss 319488
shmem 278843392
mapped_file 3670016
dirty 0
writeback 303104
workingset_refault_anon 223
workingset_refault_file 12086
swap 118964224
swapcached 421888
pgpgin 335371
pgpgout 266097
pgfault 139843
pgmajfault 241
inactive_anon 41852928
active_anon 237498368
inactive_file 0
active_file 4173824
unevictable 0
hierarchical_memory_limit 314572800
hierarchical_memsw_limit 9223372036854771712
total_cache 283037696
total_rss 319488
total_shmem 278843392
total_mapped_file 3670016
total_dirty 0
total_writeback 303104
total_workingset_refault_anon 223
total_workingset_refault_file 12086
total_swap 118964224
total_swapcached 421888
total_pgpgin 335371
total_pgpgout 266097
total_pgfault 139843
total_pgmajfault 241
total_inactive_anon 41852928
total_active_anon 237498368
total_inactive_file 0
total_active_file 4173824
total_unevictable 0
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/syz4,task_memcg=/syz4,task=syz.4.1178,pid=7328,uid=0
Memory cgroup out of memory: Killed process 7328 (syz.4.1178) total-vm:90248kB, anon-rss:1164kB, file-rss:54048kB, shmem-rss:0kB, UID:0 pgtables:188kB oom_score_adj:1000