From: Michal Hocko <mhocko@suse.com>
To: Deepanshu Kartikey <kartikey406@gmail.com>
Cc: hannes@cmpxchg.org, roman.gushchin@linux.dev,
shakeel.butt@linux.dev, muchun.song@linux.dev,
akpm@linux-foundation.org, cgroups@vger.kernel.org,
linux-mm@kvack.org,
syzbot+d97580a8cceb9b03c13e@syzkaller.appspotmail.com
Subject: Re: [PATCH] mm/swap_cgroup: fix kernel BUG in swap_cgroup_record
Date: Mon, 12 Jan 2026 14:57:26 +0100
Message-ID: <aWT9xnrRQsvMLVkL@tiehlicka>
In-Reply-To: <20260110064613.606532-1-kartikey406@gmail.com>
On Sat 10-01-26 12:16:13, Deepanshu Kartikey wrote:
> When using MADV_PAGEOUT, pages can remain in swapcache with their swap
> entries assigned. If MADV_PAGEOUT is called again on these pages, they
> reuse the same swap entries, causing memcg1_swapout() to call
> swap_cgroup_record() with an already-recorded entry.
>
> The existing code assumes swap entries are always being recorded for the
> first time (oldid == 0), triggering VM_BUG_ON when it encounters an
> already-recorded entry:
>
> ------------[ cut here ]------------
> kernel BUG at mm/swap_cgroup.c:78!
> Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
> CPU: 0 UID: 0 PID: 6176 Comm: syz.0.30 Not tainted
> RIP: 0010:swap_cgroup_record+0x19c/0x1c0 mm/swap_cgroup.c:78
> Call Trace:
> memcg1_swapout+0x2fa/0x830 mm/memcontrol-v1.c:623
> __remove_mapping+0xac5/0xe30 mm/vmscan.c:773
> shrink_folio_list+0x2786/0x4f40 mm/vmscan.c:1528
> reclaim_folio_list+0xeb/0x4e0 mm/vmscan.c:2208
> reclaim_pages+0x454/0x520 mm/vmscan.c:2245
> madvise_cold_or_pageout_pte_range+0x19a0/0x1ce0 mm/madvise.c:563
> ...
> do_madvise+0x1bc/0x270 mm/madvise.c:2030
> __do_sys_madvise mm/madvise.c:2039
>
> This bug occurs because pages in swapcache can be targeted by
> MADV_PAGEOUT multiple times without being swapped in between. Each time,
> the same swap entry is reused, but swap_cgroup_record() expects to only
> record new, unused entries.
Shouldn't madvise path avoid paging out swap cache pages instead? IIRC
this is what the normal reclaim path does.
> Fix this by checking if the swap entry already has the correct cgroup ID
> recorded before attempting to record it. Use the existing
> lookup_swap_cgroup_id() to read the current cgroup ID, and return early
> from memcg1_swapout() if the entry is already correctly recorded. Only
> call swap_cgroup_record() when the entry needs to be set or updated.
>
> This approach avoids unnecessary atomic operations, reference count
> manipulations, and statistics updates when the entry is already correct.
>
> Link: https://syzkaller.appspot.com/bug?extid=d97580a8cceb9b03c13e
> Reported-by: syzbot+d97580a8cceb9b03c13e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d97580a8cceb9b03c13e
> Tested-by: syzbot+d97580a8cceb9b03c13e@syzkaller.appspotmail.com
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
I would use
Fixes: 1a4e58cce84e ("mm: introduce MADV_PAGEOUT")
--
Michal Hocko
SUSE Labs