From: syzbot ci <syzbot+ci7d2110b831be06f6@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, apais@linux.microsoft.com,
axelrasmussen@google.com, cgroups@vger.kernel.org,
chengming.zhou@linux.dev, chenridong@huawei.com,
chenridong@huaweicloud.com, david@kernel.org,
hamzamahfooz@linux.microsoft.com, hannes@cmpxchg.org,
harry.yoo@oracle.com, hughd@google.com, imran.f.khan@oracle.com,
kamalesh.babulal@oracle.com, lance.yang@linux.dev,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
lorenzo.stoakes@oracle.com, mhocko@suse.com, mkoutny@suse.com,
muchun.song@linux.dev, nphamcs@gmail.com, qi.zheng@linux.dev,
roman.gushchin@linux.dev, shakeel.butt@linux.dev,
songmuchun@bytedance.com, weixugc@google.com,
yosry.ahmed@linux.dev, yuanchu@google.com,
zhengqi.arch@bytedance.com, ziy@nvidia.com
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: [syzbot ci] Re: Eliminate Dying Memory Cgroup
Date: Wed, 14 Jan 2026 09:07:04 -0800 [thread overview]
Message-ID: <6967cd38.050a0220.58bed.0001.GAE@google.com> (raw)
In-Reply-To: <cover.1768389889.git.zhengqi.arch@bytedance.com>
syzbot ci has tested the following series
[v3] Eliminate Dying Memory Cgroup
https://lore.kernel.org/all/cover.1768389889.git.zhengqi.arch@bytedance.com
* [PATCH v3 01/30] mm: memcontrol: remove dead code of checking parent memory cgroup
* [PATCH v3 02/30] mm: workingset: use folio_lruvec() in workingset_refault()
* [PATCH v3 03/30] mm: rename unlock_page_lruvec_irq and its variants
* [PATCH v3 04/30] mm: vmscan: prepare for the refactoring the move_folios_to_lru()
* [PATCH v3 05/30] mm: vmscan: refactor move_folios_to_lru()
* [PATCH v3 06/30] mm: memcontrol: allocate object cgroup for non-kmem case
* [PATCH v3 07/30] mm: memcontrol: return root object cgroup for root memory cgroup
* [PATCH v3 08/30] mm: memcontrol: prevent memory cgroup release in get_mem_cgroup_from_folio()
* [PATCH v3 09/30] buffer: prevent memory cgroup release in folio_alloc_buffers()
* [PATCH v3 10/30] writeback: prevent memory cgroup release in writeback module
* [PATCH v3 11/30] mm: memcontrol: prevent memory cgroup release in count_memcg_folio_events()
* [PATCH v3 12/30] mm: page_io: prevent memory cgroup release in page_io module
* [PATCH v3 13/30] mm: migrate: prevent memory cgroup release in folio_migrate_mapping()
* [PATCH v3 14/30] mm: mglru: prevent memory cgroup release in mglru
* [PATCH v3 15/30] mm: memcontrol: prevent memory cgroup release in mem_cgroup_swap_full()
* [PATCH v3 16/30] mm: workingset: prevent memory cgroup release in lru_gen_eviction()
* [PATCH v3 17/30] mm: thp: prevent memory cgroup release in folio_split_queue_lock{_irqsave}()
* [PATCH v3 18/30] mm: zswap: prevent memory cgroup release in zswap_compress()
* [PATCH v3 19/30] mm: workingset: prevent lruvec release in workingset_refault()
* [PATCH v3 20/30] mm: zswap: prevent lruvec release in zswap_folio_swapin()
* [PATCH v3 21/30] mm: swap: prevent lruvec release in lru_gen_clear_refs()
* [PATCH v3 22/30] mm: workingset: prevent lruvec release in workingset_activation()
* [PATCH v3 23/30] mm: do not open-code lruvec lock
* [PATCH v3 24/30] mm: memcontrol: prepare for reparenting LRU pages for lruvec lock
* [PATCH v3 25/30] mm: vmscan: prepare for reparenting traditional LRU folios
* [PATCH v3 26/30] mm: vmscan: prepare for reparenting MGLRU folios
* [PATCH v3 27/30] mm: memcontrol: refactor memcg_reparent_objcgs()
* [PATCH v3 28/30] mm: memcontrol: prepare for reparenting state_local
* [PATCH v3 29/30] mm: memcontrol: eliminate the problem of dying memory cgroup for LRU folios
* [PATCH v3 30/30] mm: lru: add VM_WARN_ON_ONCE_FOLIO to lru maintenance helpers
and found the following issue:
UBSAN: array-index-out-of-bounds in reparent_memcg_lruvec_state_local
Full report is available here:
https://ci.syzbot.org/series/45c0b58d-255a-4579-9880-497bdbd4fb99
***
UBSAN: array-index-out-of-bounds in reparent_memcg_lruvec_state_local
tree: linux-next
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next
base: b775e489bec70895b7ef6b66927886bbac79598f
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/4d8819ab-0f94-42e8-bd70-87c7e83c37d2/config
syz repro: https://ci.syzbot.org/findings/7850f5dd-4ac7-4b74-85ff-a75ddddebbee/syz_repro
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in mm/memcontrol.c:530:3
index 33 is out of range for type 'long[33]'
CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: cgroup_offline css_killed_work_fn
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x30 lib/ubsan.c:233
__ubsan_handle_out_of_bounds+0xe8/0xf0 lib/ubsan.c:455
reparent_memcg_lruvec_state_local+0x34f/0x460 mm/memcontrol.c:530
reparent_memcg1_lruvec_state_local+0xa7/0xc0 mm/memcontrol-v1.c:1917
reparent_state_local mm/memcontrol.c:242 [inline]
memcg_reparent_objcgs mm/memcontrol.c:299 [inline]
mem_cgroup_css_offline+0xc7c/0xc90 mm/memcontrol.c:4054
offline_css kernel/cgroup/cgroup.c:5760 [inline]
css_killed_work_fn+0x12f/0x570 kernel/cgroup/cgroup.c:6055
process_one_work+0x949/0x15a0 kernel/workqueue.c:3279
process_scheduled_works kernel/workqueue.c:3362 [inline]
worker_thread+0x9af/0xee0 kernel/workqueue.c:3443
kthread+0x388/0x470 kernel/kthread.c:467
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
---[ end trace ]---
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: cgroup_offline css_killed_work_fn
Call Trace:
<TASK>
vpanic+0x1e0/0x670 kernel/panic.c:490
panic+0xc5/0xd0 kernel/panic.c:627
check_panic_on_warn+0x89/0xb0 kernel/panic.c:377
__ubsan_handle_out_of_bounds+0xe8/0xf0 lib/ubsan.c:455
reparent_memcg_lruvec_state_local+0x34f/0x460 mm/memcontrol.c:530
reparent_memcg1_lruvec_state_local+0xa7/0xc0 mm/memcontrol-v1.c:1917
reparent_state_local mm/memcontrol.c:242 [inline]
memcg_reparent_objcgs mm/memcontrol.c:299 [inline]
mem_cgroup_css_offline+0xc7c/0xc90 mm/memcontrol.c:4054
offline_css kernel/cgroup/cgroup.c:5760 [inline]
css_killed_work_fn+0x12f/0x570 kernel/cgroup/cgroup.c:6055
process_one_work+0x949/0x15a0 kernel/workqueue.c:3279
process_scheduled_works kernel/workqueue.c:3362 [inline]
worker_thread+0x9af/0xee0 kernel/workqueue.c:3443
kthread+0x388/0x470 kernel/kthread.c:467
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
next prev parent reply other threads:[~2026-01-14 17:07 UTC|newest]
Thread overview: 110+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-14 11:26 [PATCH v3 00/30] Eliminate Dying Memory Cgroup Qi Zheng
2026-01-14 11:26 ` [PATCH v3 01/30] mm: memcontrol: remove dead code of checking parent memory cgroup Qi Zheng
2026-01-14 11:26 ` [PATCH v3 02/30] mm: workingset: use folio_lruvec() in workingset_refault() Qi Zheng
2026-01-14 11:26 ` [PATCH v3 03/30] mm: rename unlock_page_lruvec_irq and its variants Qi Zheng
2026-01-14 11:26 ` [PATCH v3 04/30] mm: vmscan: prepare for the refactoring the move_folios_to_lru() Qi Zheng
2026-01-16 9:10 ` Harry Yoo
2026-01-16 9:14 ` Muchun Song
2026-01-14 11:26 ` [PATCH v3 05/30] mm: vmscan: refactor move_folios_to_lru() Qi Zheng
2026-01-16 11:31 ` Harry Yoo
2026-01-14 11:26 ` [PATCH v3 06/30] mm: memcontrol: allocate object cgroup for non-kmem case Qi Zheng
2026-01-14 11:32 ` [PATCH v3 07/30] mm: memcontrol: return root object cgroup for root memory cgroup Qi Zheng
2026-01-16 12:53 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 08/30] mm: memcontrol: prevent memory cgroup release in get_mem_cgroup_from_folio() Qi Zheng
2026-01-17 20:00 ` Shakeel Butt
2026-01-18 0:31 ` Shakeel Butt
2026-01-19 3:20 ` Qi Zheng
2026-01-19 8:53 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 09/30] buffer: prevent memory cgroup release in folio_alloc_buffers() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 10/30] writeback: prevent memory cgroup release in writeback module Qi Zheng
2026-01-14 11:32 ` [PATCH v3 11/30] mm: memcontrol: prevent memory cgroup release in count_memcg_folio_events() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 12/30] mm: page_io: prevent memory cgroup release in page_io module Qi Zheng
2026-01-14 11:32 ` [PATCH v3 13/30] mm: migrate: prevent memory cgroup release in folio_migrate_mapping() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 14/30] mm: mglru: prevent memory cgroup release in mglru Qi Zheng
2026-01-17 22:46 ` Shakeel Butt
2026-01-19 9:25 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 15/30] mm: memcontrol: prevent memory cgroup release in mem_cgroup_swap_full() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 16/30] mm: workingset: prevent memory cgroup release in lru_gen_eviction() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 17/30] mm: thp: prevent memory cgroup release in folio_split_queue_lock{_irqsave}() Qi Zheng
2026-01-16 9:15 ` Muchun Song
2026-01-14 11:32 ` [PATCH v3 18/30] mm: zswap: prevent memory cgroup release in zswap_compress() Qi Zheng
2026-01-16 9:18 ` Muchun Song
2026-01-20 7:47 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 19/30] mm: workingset: prevent lruvec release in workingset_refault() Qi Zheng
2026-01-17 23:02 ` Shakeel Butt
2026-01-14 11:32 ` [PATCH v3 20/30] mm: zswap: prevent lruvec release in zswap_folio_swapin() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 21/30] mm: swap: prevent lruvec release in lru_gen_clear_refs() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 22/30] mm: workingset: prevent lruvec release in workingset_activation() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 23/30] mm: do not open-code lruvec lock Qi Zheng
2026-01-15 9:26 ` Baoquan He
2026-01-15 9:31 ` Qi Zheng
2026-01-16 9:20 ` Muchun Song
2026-01-17 23:08 ` Shakeel Butt
2026-01-20 7:58 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 24/30] mm: memcontrol: prepare for reparenting LRU pages for " Qi Zheng
2026-01-15 12:34 ` kernel test robot
2026-01-16 8:16 ` Qi Zheng
2026-01-16 10:41 ` Philip Li
2026-01-16 11:06 ` Qi Zheng
2026-01-15 12:44 ` kernel test robot
2026-01-16 6:29 ` kernel test robot
2026-01-16 9:43 ` Muchun Song
2026-01-16 9:50 ` Qi Zheng
2026-01-18 0:44 ` Shakeel Butt
2026-01-19 3:44 ` Qi Zheng
2026-01-20 15:54 ` Shakeel Butt
2026-01-18 0:46 ` Shakeel Butt
2026-01-20 8:21 ` Harry Yoo
2026-01-20 11:51 ` Qi Zheng
2026-01-20 12:50 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 25/30] mm: vmscan: prepare for reparenting traditional LRU folios Qi Zheng
2026-01-16 9:49 ` Muchun Song
2026-01-18 1:11 ` Shakeel Butt
2026-01-19 3:24 ` Qi Zheng
2026-01-14 11:32 ` [PATCH v3 26/30] mm: vmscan: prepare for reparenting MGLRU folios Qi Zheng
2026-01-15 10:44 ` [PATCH v3 26/30 fix] mm: mglru: do not call update_lru_size() during reparenting Qi Zheng
2026-01-15 17:46 ` Andrew Morton
2026-01-21 3:53 ` Harry Yoo
2026-01-21 4:19 ` Harry Yoo
2026-01-21 11:21 ` Qi Zheng
2026-01-18 3:25 ` [PATCH v3 26/30] mm: vmscan: prepare for reparenting MGLRU folios Shakeel Butt
2026-01-18 3:29 ` Shakeel Butt
2026-01-19 3:39 ` Qi Zheng
2026-01-14 11:32 ` [PATCH v3 27/30] mm: memcontrol: refactor memcg_reparent_objcgs() Qi Zheng
2026-01-18 2:31 ` Shakeel Butt
2026-01-22 9:04 ` Harry Yoo
2026-01-22 9:13 ` Muchun Song
2026-01-14 11:32 ` [PATCH v3 28/30] mm: memcontrol: prepare for reparenting state_local Qi Zheng
2026-01-15 10:41 ` [PATCH v3 28/30 fix 1/2] mm: memcontrol: fix lruvec_stats->state_local reparenting Qi Zheng
2026-01-15 10:41 ` [PATCH v3 28/30 fix 2/2] mm: memcontrol: change state_locals to atomic_long_t type Qi Zheng
2026-01-15 17:47 ` [PATCH v3 28/30 fix 1/2] mm: memcontrol: fix lruvec_stats->state_local reparenting Andrew Morton
2026-01-16 3:27 ` Qi Zheng
2026-01-18 3:22 ` Shakeel Butt
2026-01-19 3:36 ` Qi Zheng
2026-01-20 7:19 ` Muchun Song
2026-01-20 18:47 ` Shakeel Butt
2026-01-21 3:43 ` Qi Zheng
2026-01-21 8:20 ` Shakeel Butt
2026-01-21 11:25 ` Qi Zheng
2026-01-18 3:20 ` [PATCH v3 28/30] mm: memcontrol: prepare for reparenting state_local Shakeel Butt
2026-01-19 3:34 ` Qi Zheng
2026-01-29 2:10 ` Harry Yoo
2026-01-29 8:50 ` Qi Zheng
2026-01-29 12:23 ` Harry Yoo
2026-01-30 7:22 ` Qi Zheng
2026-02-02 3:15 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 29/30] mm: memcontrol: eliminate the problem of dying memory cgroup for LRU folios Qi Zheng
2026-01-14 11:32 ` [PATCH v3 30/30] mm: lru: add VM_WARN_ON_ONCE_FOLIO to lru maintenance helpers Qi Zheng
2026-01-14 17:07 ` syzbot ci [this message]
2026-01-15 3:47 ` [syzbot ci] Re: Eliminate Dying Memory Cgroup Qi Zheng
2026-01-14 17:58 ` [PATCH v3 00/30] " Andrew Morton
2026-01-15 3:52 ` Qi Zheng
2026-01-15 5:59 ` Andrew Morton
2026-01-15 6:05 ` Qi Zheng
2026-01-15 12:40 ` Lorenzo Stoakes
2026-01-16 0:43 ` Andrew Morton
2026-01-16 8:33 ` Lorenzo Stoakes
2026-01-16 12:25 ` Michal Hocko
-- strict thread matches above, loose matches on Subject: below --
2025-10-28 13:58 [PATCH v1 00/26] " Qi Zheng
2025-10-28 20:58 ` [syzbot ci] " syzbot ci
2025-10-29 0:22 ` Harry Yoo
2025-10-29 3:12 ` Qi Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6967cd38.050a0220.58bed.0001.GAE@google.com \
--to=syzbot+ci7d2110b831be06f6@syzkaller.appspotmail.com \
--cc=akpm@linux-foundation.org \
--cc=apais@linux.microsoft.com \
--cc=axelrasmussen@google.com \
--cc=cgroups@vger.kernel.org \
--cc=chengming.zhou@linux.dev \
--cc=chenridong@huawei.com \
--cc=chenridong@huaweicloud.com \
--cc=david@kernel.org \
--cc=hamzamahfooz@linux.microsoft.com \
--cc=hannes@cmpxchg.org \
--cc=harry.yoo@oracle.com \
--cc=hughd@google.com \
--cc=imran.f.khan@oracle.com \
--cc=kamalesh.babulal@oracle.com \
--cc=lance.yang@linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mhocko@suse.com \
--cc=mkoutny@suse.com \
--cc=muchun.song@linux.dev \
--cc=nphamcs@gmail.com \
--cc=qi.zheng@linux.dev \
--cc=roman.gushchin@linux.dev \
--cc=shakeel.butt@linux.dev \
--cc=songmuchun@bytedance.com \
--cc=syzbot@lists.linux.dev \
--cc=syzkaller-bugs@googlegroups.com \
--cc=weixugc@google.com \
--cc=yosry.ahmed@linux.dev \
--cc=yuanchu@google.com \
--cc=zhengqi.arch@bytedance.com \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.