------------[ cut here ]------------ WARNING: CPU: 0 PID: 4365 at kernel/workqueue.c:1441 __queue_work+0xddc/0xf90 Modules linked in: CPU: 0 PID: 4365 Comm: syz-executor Tainted: G W 6.1.121-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__queue_work+0xddc/0xf90 kernel/workqueue.c:1441 Code: 8b 3c 24 e8 46 7f 88 00 e9 d9 fc ff ff e8 ac f4 30 00 89 ee 48 c7 c7 00 9a 1d 8d e8 ae ef 15 03 e9 1e fc ff ff e8 94 f4 30 00 <0f> 0b 48 83 c4 50 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 7e f4 30 00 RSP: 0000:ffffc90000007af8 EFLAGS: 00010046 RAX: ffffffff8159a7dc RBX: 00000000000b0012 RCX: ffff88801af78000 RDX: 0000000000000100 RSI: 0000000000000100 RDI: 0000000000000000 RBP: 0000000000010000 R08: ffffffff815a9585 R09: fffffbfff1d3608e R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000 R13: dffffc0000000000 R14: 0000000000000008 R15: ffff888076635800 FS: 00005555855d1500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555855e4468 CR3: 000000001db87000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: call_timer_fn+0x1ad/0x6b0 kernel/time/timer.c:1504 expire_timers kernel/time/timer.c:1544 [inline] __run_timers+0x6a8/0x890 kernel/time/timer.c:1820 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1833 handle_softirqs+0x2ee/0xa40 kernel/softirq.c:571 __do_softirq kernel/softirq.c:605 [inline] invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x157/0x240 kernel/softirq.c:654 irq_exit_rcu+0x5/0x20 kernel/softirq.c:666 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline] sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691 RIP: 0010:prepare_alloc_pages+0x561/0x5b0 Code: 00 00 00 00 00 fc ff df 48 8b 4c 
24 18 80 3c 01 00 74 0a 48 8b 7c 24 08 e8 4c 14 0c 00 48 8b 44 24 08 48 89 18 e9 de fb ff ff <48> 8b 4c 24 10 80 e1 07 80 c1 03 38 c1 0f 8c 49 ff ff ff 48 8b 7c RSP: 0000:ffffc900032e7a28 EFLAGS: 00000202 RAX: 0000000000000004 RBX: ffffc900032e7b18 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc900032e7b1c RBP: 0000000000000001 R08: ffffc900032e7b00 R09: ffffc900032e7af0 R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000 R13: ffffc900032e7b00 R14: 0000000000140dca R15: 0000000000000008 __alloc_pages+0x16a/0x770 mm/page_alloc.c:5594 __folio_alloc+0xf/0x30 mm/page_alloc.c:5637 vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2243 alloc_page_vma include/linux/gfp.h:284 [inline] do_anonymous_page mm/memory.c:4189 [inline] handle_pte_fault mm/memory.c:5027 [inline] __handle_mm_fault mm/memory.c:5171 [inline] handle_mm_fault+0x2e8e/0x5340 mm/memory.c:5292 do_user_addr_fault arch/x86/mm/fault.c:1340 [inline] handle_page_fault arch/x86/mm/fault.c:1431 [inline] exc_page_fault+0x26f/0x620 arch/x86/mm/fault.c:1487 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:608 RIP: 0033:0x7fe42fd441af Code: 8d 34 19 48 39 d5 48 89 75 60 0f 95 c2 48 29 d8 48 83 c1 10 0f b6 d2 48 83 c8 01 48 c1 e2 02 48 09 da 48 83 ca 01 48 89 51 f8 <48> 89 46 08 eb 80 48 8d 0d 91 2c 0e 00 48 8d 15 95 3e 0e 00 bf 01 RSP: 002b:00007ffc9fa3fa90 EFLAGS: 00010206 RAX: 000000000000eba1 RBX: 0000000000011c10 RCX: 00005555855d2860 RDX: 0000000000011c11 RSI: 00005555855e4460 RDI: 0000000000000004 RBP: 00007fe42ff4bca0 R08: 00005555855d2810 R09: 00005555855d2830 R10: 0000000000000005 R11: 00000000000011bf R12: 0000000000011c00 R13: 0000000000000079 R14: 00007fe42ff4bd00 R15: 0000000000000000 ---------------- Code disassembly (best guess), 7 bytes skipped: 0: df 48 8b fisttps -0x75(%rax) 3: 4c 24 18 rex.WR and $0x18,%al 6: 80 3c 01 00 cmpb $0x0,(%rcx,%rax,1) a: 74 0a je 0x16 c: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi 11: e8 4c 14 0c 00 call 0xc1462 16: 48 8b 44 24 08 mov 
0x8(%rsp),%rax 1b: 48 89 18 mov %rbx,(%rax) 1e: e9 de fb ff ff jmp 0xfffffc01 * 23: 48 8b 4c 24 10 mov 0x10(%rsp),%rcx <-- trapping instruction 28: 80 e1 07 and $0x7,%cl 2b: 80 c1 03 add $0x3,%cl 2e: 38 c1 cmp %al,%cl 30: 0f 8c 49 ff ff ff jl 0xffffff7f 36: 48 rex.W 37: 8b .byte 0x8b 38: 7c .byte 0x7c

Note on reading this disassembly: it decodes the second `Code:` line of the report, i.e. the `prepare_alloc_pages+0x561` RIP that the timer interrupt landed on (`EFLAGS: 00000202`, IF set), so the `mov 0x10(%rsp),%rcx` marked as "trapping" is only the interrupted instruction, not the fault. The WARNING itself is the `ud2` (`<0f> 0b`) bracketed in the first `Code:` line, at `__queue_work+0xddc` (kernel/workqueue.c:1441), reached from `call_timer_fn` in softirq context. The leading `fisttps` / `rex.WR and` entries appear to be a misaligned decode of the bytes before the first real instruction (the decoder resynchronises at `cmpb $0x0,(%rcx,%rax,1)`; `48 8b 4c 24 18` is `mov 0x18(%rsp),%rcx`, matching the pattern at offset 0x23) and should be ignored.