From: Shakeel Butt <shakeel.butt@linux.dev>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzbot <syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com>,
akpm@linux-foundation.org, cgroups@vger.kernel.org,
hannes@cmpxchg.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, mhocko@kernel.org, muchun.song@linux.dev,
roman.gushchin@linux.dev, syzkaller-bugs@googlegroups.com,
kasong@tencent.com
Subject: Re: [syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2)
Date: Fri, 6 Feb 2026 09:30:28 -0800 [thread overview]
Message-ID: <aYYkvaqYGLXD3_P-@linux.dev> (raw)
In-Reply-To: <CACT4Y+bd+PcL=XzkehM-bmsfAB95UA2y9jr5JY2ov8zVOp1DWA@mail.gmail.com>
+Kairui
On Fri, Feb 06, 2026 at 08:31:19AM +0100, Dmitry Vyukov wrote:
> On Fri, 6 Feb 2026 at 08:24, syzbot
> <syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 18f7fcd5e69a Linux 6.19-rc8
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1428fc5a580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a
> > compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/2c19d9acc149/disk-18f7fcd5.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/02cf07c94e58/vmlinux-18f7fcd5.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/84011cec9819/bzImage-18f7fcd5.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
> > BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
> > BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
> > BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
> > Read of size 4 at addr 0007fffffffffffc by task syz.5.3598/20029
> >
> > CPU: 1 UID: 0 PID: 20029 Comm: syz.5.3598 Tainted: G L syzkaller #0 PREEMPT(full)
> > Tainted: [L]=SOFTLOCKUP
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> > Call Trace:
> > <TASK>
> > __dump_stack lib/dump_stack.c:94 [inline]
> > dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
> > kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
> > check_region_inline mm/kasan/generic.c:186 [inline]
> > kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
> > instrument_atomic_read include/linux/instrumented.h:68 [inline]
> > atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
> > __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
> > lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
> > swap_pte_batch+0x3c3/0x720 mm/internal.h:390
> > zap_nonpresent_ptes mm/memory.c:1749 [inline]
> > do_zap_pte_range mm/memory.c:1818 [inline]
> > zap_pte_range mm/memory.c:1858 [inline]
> > zap_pmd_range mm/memory.c:1950 [inline]
> > zap_pud_range mm/memory.c:1978 [inline]
> > zap_p4d_range mm/memory.c:1999 [inline]
> > unmap_page_range+0x1f6f/0x43e0 mm/memory.c:2020
> > unmap_single_vma+0x153/0x240 mm/memory.c:2062
> > unmap_vmas+0x218/0x470 mm/memory.c:2104
> > exit_mmap+0x181/0xae0 mm/mmap.c:1277
> > __mmput+0x12a/0x410 kernel/fork.c:1173
> > mmput+0x67/0x80 kernel/fork.c:1196
> > exit_mm kernel/exit.c:581 [inline]
> > do_exit+0x78a/0x2a30 kernel/exit.c:959
> > do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
> > get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
> > arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
> > __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
> > exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75
> > __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
> > syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
> > syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
> > syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
> > do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7f2f8f19aeb9
> > Code: Unable to access opcode bytes at 0x7f2f8f19ae8f.
> > RSP: 002b:00007f2f900350e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> > RAX: fffffffffffffe00 RBX: 00007f2f8f416098 RCX: 00007f2f8f19aeb9
> > RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2f8f416098
> > RBP: 00007f2f8f416090 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > R13: 00007f2f8f416128 R14: 00007ffc0c8cc050 R15: 00007ffc0c8cc138
> > </TASK>
> > ==================================================================
>
> This happened before:
> https://lore.kernel.org/all/67d04360.050a0220.1939a6.000e.GAE@google.com/T/
> and now 2 more times.
> All reports look similar: exit_mm -> zap_p4d_range
> And all access addresses look the same: top 13 bits are zeros, then
> some garbage (0007fffffffffffc).
> I am pretty sure it's telling us something, some kind of tricky race,
> rather than a previous corruption. Swp entry is somehow invalid?
Thanks for the report. It would be good to have a reproducer. I will dig
deeper later but good to have eyes from Kairui who has recent changes
in the area.
next prev parent reply other threads:[~2026-02-06 17:30 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-06 7:24 [syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2) syzbot
2026-02-06 7:31 ` Dmitry Vyukov
2026-02-06 17:30 ` Shakeel Butt [this message]
2026-02-13 16:04 ` Kairui Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aYYkvaqYGLXD3_P-@linux.dev \
--to=shakeel.butt@linux.dev \
--cc=akpm@linux-foundation.org \
--cc=cgroups@vger.kernel.org \
--cc=dvyukov@google.com \
--cc=hannes@cmpxchg.org \
--cc=kasong@tencent.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=muchun.song@linux.dev \
--cc=roman.gushchin@linux.dev \
--cc=syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.