From: syzbot <syzbot+e008db2ac01e282550ee@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Date: Sun, 07 Dec 2025 04:44:49 -0800 [thread overview]
Message-ID: <693576c1.a70a0220.38f243.0050.GAE@google.com> (raw)
In-Reply-To: <693540fe.a70a0220.38f243.004c.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add NULL check for memcg in lru_gen_test_recent() to prevent crash when
mem_cgroup_from_id() returns NULL.
The crash occurs when a folio's shadow entry contains a memcg_id that
no longer maps to a valid memory cgroup. This can happen when:
1. The memory cgroup has been deleted/freed
2. A folio was created without proper memcg association (e.g., during
procmap_query build ID parsing via freader_get_folio)
3. The memcg_id in the shadow entry is invalid or zero
When lru_gen_test_recent() calls mem_cgroup_from_id(), it may return
NULL. The subsequent call to mem_cgroup_lruvec() with a NULL memcg
triggers a crash because the inline function's code calculates
memcg->nodeinfo offset (0x4e00) before the NULL check can execute,
causing a NULL pointer dereference that KASAN detects.
Although mem_cgroup_lruvec() has a NULL check internally, compiler
inlining and optimization causes the offset calculation to occur
first, making the internal check unreachable.
The fix adds an explicit NULL check after mem_cgroup_from_id() and
falls back to root_mem_cgroup, which is consistent with how
mem_cgroup_lruvec() itself handles NULL pointers.
Reproducer triggers this via:
procfs_procmap_ioctl() -> do_procmap_query() -> __build_id_parse() ->
freader_get_folio() -> filemap_add_folio() -> workingset_refault() ->
lru_gen_refault() -> lru_gen_test_recent()
KASAN report:
general protection fault in mem_cgroup_lruvec
RIP: mem_cgroup_lruvec+0xee/0x320 include/linux/memcontrol.h:720
Call Trace:
lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
workingset_refault+0x251/0xca0 mm/workingset.c:546
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
Reported-by: syzbot+e008db2ac01e282550ee@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
mm/workingset.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..8b6332cfb4f0 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,6 +272,8 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ if (!memcg)
+ memcg = root_mem_cgroup;
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
max_seq = READ_ONCE((*lruvec)->lrugen.max_seq);
--
2.43.0
next prev parent reply other threads:[~2025-12-07 12:44 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-07 8:55 [syzbot] [mm?] general protection fault in lru_gen_test_recent (2) syzbot
2025-12-07 12:44 ` syzbot [this message]
2025-12-07 14:35 ` Forwarded: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent syzbot
2025-12-07 15:05 ` syzbot
2025-12-07 15:31 ` syzbot
2025-12-07 15:38 ` syzbot
2025-12-07 16:07 ` syzbot
2025-12-08 2:31 ` Forwarded: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent() syzbot
2025-12-08 2:47 ` syzbot
2025-12-08 3:56 ` Forwarded: [PATCH] mm/workingset: add debug for corrupted shadow entry investigation syzbot
2025-12-08 4:49 ` Forwarded: [PATCH] mm/workingset: fix crash from corrupted shadow entries in lru_gen syzbot
2025-12-08 5:14 ` syzbot
2025-12-09 5:35 ` Forwarded: [PATCH] mm/workingset: add debug instrumentation for MGLRU shadow corruption syzbot
2025-12-09 5:44 ` Forwarded: [PATCH] mm/workingset: debug MGLRU shadow corruption leading to NULL deref syzbot
2025-12-09 6:28 ` Forwarded: [PATCH] mm/workingset: fix NULL deref from invalid node ID in shadow syzbot
2025-12-23 9:38 ` Forwarded: [PATCH] for test syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=693576c1.a70a0220.38f243.0050.GAE@google.com \
--to=syzbot+e008db2ac01e282550ee@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.