From: Qi Zheng <qi.zheng@linux.dev>
To: syzbot ci <syzbot+ci7d2110b831be06f6@syzkaller.appspotmail.com>,
akpm@linux-foundation.org, apais@linux.microsoft.com,
axelrasmussen@google.com, cgroups@vger.kernel.org,
chengming.zhou@linux.dev, chenridong@huawei.com,
chenridong@huaweicloud.com, david@kernel.org,
hamzamahfooz@linux.microsoft.com, hannes@cmpxchg.org,
harry.yoo@oracle.com, hughd@google.com, imran.f.khan@oracle.com,
kamalesh.babulal@oracle.com, lance.yang@linux.dev,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
lorenzo.stoakes@oracle.com, mhocko@suse.com, mkoutny@suse.com,
muchun.song@linux.dev, nphamcs@gmail.com,
roman.gushchin@linux.dev, shakeel.butt@linux.dev,
songmuchun@bytedance.com, weixugc@google.com,
yosry.ahmed@linux.dev, yuanchu@google.com,
zhengqi.arch@bytedance.com, ziy@nvidia.com
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot ci] Re: Eliminate Dying Memory Cgroup
Date: Thu, 15 Jan 2026 11:47:06 +0800
Message-ID: <e01a57e0-abbb-4c40-8264-4a212a3ec07b@linux.dev>
In-Reply-To: <6967cd38.050a0220.58bed.0001.GAE@google.com>
On 1/15/26 1:07 AM, syzbot ci wrote:
> syzbot ci has tested the following series
>
> [v3] Eliminate Dying Memory Cgroup
> https://lore.kernel.org/all/cover.1768389889.git.zhengqi.arch@bytedance.com
> * [PATCH v3 01/30] mm: memcontrol: remove dead code of checking parent memory cgroup
> * [PATCH v3 02/30] mm: workingset: use folio_lruvec() in workingset_refault()
> * [PATCH v3 03/30] mm: rename unlock_page_lruvec_irq and its variants
> * [PATCH v3 04/30] mm: vmscan: prepare for the refactoring the move_folios_to_lru()
> * [PATCH v3 05/30] mm: vmscan: refactor move_folios_to_lru()
> * [PATCH v3 06/30] mm: memcontrol: allocate object cgroup for non-kmem case
> * [PATCH v3 07/30] mm: memcontrol: return root object cgroup for root memory cgroup
> * [PATCH v3 08/30] mm: memcontrol: prevent memory cgroup release in get_mem_cgroup_from_folio()
> * [PATCH v3 09/30] buffer: prevent memory cgroup release in folio_alloc_buffers()
> * [PATCH v3 10/30] writeback: prevent memory cgroup release in writeback module
> * [PATCH v3 11/30] mm: memcontrol: prevent memory cgroup release in count_memcg_folio_events()
> * [PATCH v3 12/30] mm: page_io: prevent memory cgroup release in page_io module
> * [PATCH v3 13/30] mm: migrate: prevent memory cgroup release in folio_migrate_mapping()
> * [PATCH v3 14/30] mm: mglru: prevent memory cgroup release in mglru
> * [PATCH v3 15/30] mm: memcontrol: prevent memory cgroup release in mem_cgroup_swap_full()
> * [PATCH v3 16/30] mm: workingset: prevent memory cgroup release in lru_gen_eviction()
> * [PATCH v3 17/30] mm: thp: prevent memory cgroup release in folio_split_queue_lock{_irqsave}()
> * [PATCH v3 18/30] mm: zswap: prevent memory cgroup release in zswap_compress()
> * [PATCH v3 19/30] mm: workingset: prevent lruvec release in workingset_refault()
> * [PATCH v3 20/30] mm: zswap: prevent lruvec release in zswap_folio_swapin()
> * [PATCH v3 21/30] mm: swap: prevent lruvec release in lru_gen_clear_refs()
> * [PATCH v3 22/30] mm: workingset: prevent lruvec release in workingset_activation()
> * [PATCH v3 23/30] mm: do not open-code lruvec lock
> * [PATCH v3 24/30] mm: memcontrol: prepare for reparenting LRU pages for lruvec lock
> * [PATCH v3 25/30] mm: vmscan: prepare for reparenting traditional LRU folios
> * [PATCH v3 26/30] mm: vmscan: prepare for reparenting MGLRU folios
> * [PATCH v3 27/30] mm: memcontrol: refactor memcg_reparent_objcgs()
> * [PATCH v3 28/30] mm: memcontrol: prepare for reparenting state_local
> * [PATCH v3 29/30] mm: memcontrol: eliminate the problem of dying memory cgroup for LRU folios
> * [PATCH v3 30/30] mm: lru: add VM_WARN_ON_ONCE_FOLIO to lru maintenance helpers
>
> and found the following issue:
> UBSAN: array-index-out-of-bounds in reparent_memcg_lruvec_state_local
>
> Full report is available here:
> https://ci.syzbot.org/series/45c0b58d-255a-4579-9880-497bdbd4fb99
>
> ***
>
> UBSAN: array-index-out-of-bounds in reparent_memcg_lruvec_state_local
>
> tree: linux-next
> URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next
> base: b775e489bec70895b7ef6b66927886bbac79598f
> arch: amd64
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> config: https://ci.syzbot.org/builds/4d8819ab-0f94-42e8-bd70-87c7e83c37d2/config
> syz repro: https://ci.syzbot.org/findings/7850f5dd-4ac7-4b74-85ff-a75ddddebbee/syz_repro
>
> ------------[ cut here ]------------
> UBSAN: array-index-out-of-bounds in mm/memcontrol.c:530:3
> index 33 is out of range for type 'long[33]'
Oh, the size of lruvec_stats->state_local is NR_MEMCG_NODE_STAT_ITEMS,
but memcg1_stats contains MEMCG_SWAP, which is outside the array range.
It seems that only the following items need to be reparented:
1). NR_LRU_LISTS
2). NR_SLAB_RECLAIMABLE_B + NR_SLAB_UNRECLAIMABLE_B
But for 2), since we reparented the slab page a long time ago, it seems
there has always been a problem. So this patchset will only handle 1).
> CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> Workqueue: cgroup_offline css_killed_work_fn
> Call Trace:
> <TASK>
> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
> ubsan_epilogue+0xa/0x30 lib/ubsan.c:233
> __ubsan_handle_out_of_bounds+0xe8/0xf0 lib/ubsan.c:455
> reparent_memcg_lruvec_state_local+0x34f/0x460 mm/memcontrol.c:530
> reparent_memcg1_lruvec_state_local+0xa7/0xc0 mm/memcontrol-v1.c:1917
> reparent_state_local mm/memcontrol.c:242 [inline]
> memcg_reparent_objcgs mm/memcontrol.c:299 [inline]
> mem_cgroup_css_offline+0xc7c/0xc90 mm/memcontrol.c:4054
> offline_css kernel/cgroup/cgroup.c:5760 [inline]
> css_killed_work_fn+0x12f/0x570 kernel/cgroup/cgroup.c:6055
> process_one_work+0x949/0x15a0 kernel/workqueue.c:3279
> process_scheduled_works kernel/workqueue.c:3362 [inline]
> worker_thread+0x9af/0xee0 kernel/workqueue.c:3443
> kthread+0x388/0x470 kernel/kthread.c:467
> ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
> </TASK>
> ---[ end trace ]---
> Kernel panic - not syncing: UBSAN: panic_on_warn set ...
> CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> Workqueue: cgroup_offline css_killed_work_fn
> Call Trace:
> <TASK>
> vpanic+0x1e0/0x670 kernel/panic.c:490
> panic+0xc5/0xd0 kernel/panic.c:627
> check_panic_on_warn+0x89/0xb0 kernel/panic.c:377
> __ubsan_handle_out_of_bounds+0xe8/0xf0 lib/ubsan.c:455
> reparent_memcg_lruvec_state_local+0x34f/0x460 mm/memcontrol.c:530
> reparent_memcg1_lruvec_state_local+0xa7/0xc0 mm/memcontrol-v1.c:1917
> reparent_state_local mm/memcontrol.c:242 [inline]
> memcg_reparent_objcgs mm/memcontrol.c:299 [inline]
> mem_cgroup_css_offline+0xc7c/0xc90 mm/memcontrol.c:4054
> offline_css kernel/cgroup/cgroup.c:5760 [inline]
> css_killed_work_fn+0x12f/0x570 kernel/cgroup/cgroup.c:6055
> process_one_work+0x949/0x15a0 kernel/workqueue.c:3279
> process_scheduled_works kernel/workqueue.c:3362 [inline]
> worker_thread+0x9af/0xee0 kernel/workqueue.c:3443
> kthread+0x388/0x470 kernel/kthread.c:467
> ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
> </TASK>
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ***
>
> If these findings have caused you to resend the series or submit a
> separate fix, please add the following tag to your commit message:
> Tested-by: syzbot@syzkaller.appspotmail.com
>
> ---
> This report is generated by a bot. It may contain errors.
> syzbot ci engineers can be reached at syzkaller@googlegroups.com.
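The mismatch Qi Zheng describes above (a per-lruvec array sized by the node-stat item count, walked with a v1 stats list that also contains memcg-only items such as MEMCG_SWAP) is easy to see in a small model. The C below is an added illustration, not code from the patchset or from the kernel; the enum values, array size, the `memcg1_stats` list contents and the helper names `lruvec_stat_index()`, `reparent_state_local()` and `demo_*()` are all constructed for this example. The unchecked routine has the shape that UBSAN flagged; the checked one maps each item to a slot first and skips items that have none.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed model with made-up values; what matters is that memcg-only
 * items continue the numbering past the end of the per-node range. */
enum node_stat_item {
	NR_INACTIVE_ANON,
	NR_ACTIVE_ANON,
	NR_INACTIVE_FILE,
	NR_ACTIVE_FILE,
	NR_UNEVICTABLE,
	NR_SLAB_RECLAIMABLE_B,
	NR_SLAB_UNRECLAIMABLE_B,
	NR_NODE_STAT_ITEMS,		/* size of the per-lruvec arrays (7 here) */
};

enum memcg_stat_item {
	MEMCG_SWAP = NR_NODE_STAT_ITEMS,	/* first value with no lruvec slot */
	MEMCG_SOCK,
};

struct lruvec_stats {
	long state_local[NR_NODE_STAT_ITEMS];
};

/* A cgroup-v1 style list mixing both enums (constructed). */
static const unsigned int memcg1_stats[] = {
	NR_INACTIVE_ANON, NR_ACTIVE_ANON, NR_INACTIVE_FILE, NR_ACTIVE_FILE,
	NR_UNEVICTABLE,
	MEMCG_SWAP,	/* == NR_NODE_STAT_ITEMS: one past the end of state_local */
};

/* Shape of the bug: every list entry is used directly as an array index.
 * Built with -fsanitize=bounds, the MEMCG_SWAP entry is reported as
 * "index 7 is out of range for type 'long[7]'". Never called below. */
void reparent_state_local_unchecked(struct lruvec_stats *parent,
				    struct lruvec_stats *child,
				    const unsigned int *items, size_t nitems)
{
	for (size_t i = 0; i < nitems; i++) {
		unsigned int idx = items[i];

		parent->state_local[idx] += child->state_local[idx];
		child->state_local[idx] = 0;
	}
}

/* Hypothetical helper: slot of an item in state_local, or -1 if the item
 * is not tracked per lruvec at all. */
static int lruvec_stat_index(unsigned int item)
{
	return item < NR_NODE_STAT_ITEMS ? (int)item : -1;
}

/* Hardened form: only items that actually live in state_local are moved.
 * Returns the number of list entries that were skipped. */
int reparent_state_local(struct lruvec_stats *parent, struct lruvec_stats *child,
			 const unsigned int *items, size_t nitems)
{
	int skipped = 0;

	for (size_t i = 0; i < nitems; i++) {
		int idx = lruvec_stat_index(items[i]);

		if (idx < 0) {
			skipped++;
			continue;
		}
		parent->state_local[idx] += child->state_local[idx];
		child->state_local[idx] = 0;
	}
	return skipped;
}

/* Constructed scenario: a dying child with two non-zero local counters. */
static int demo_reparent(struct lruvec_stats *parent)
{
	struct lruvec_stats child = { { 0 } };

	*parent = (struct lruvec_stats){ { 0 } };
	child.state_local[NR_INACTIVE_ANON] = 5;
	child.state_local[NR_ACTIVE_FILE] = 7;
	return reparent_state_local(parent, &child, memcg1_stats,
				    ARRAY_SIZE(memcg1_stats));
}

int demo_skipped(void)
{
	struct lruvec_stats parent;

	return demo_reparent(&parent);
}

long demo_parent_state(enum node_stat_item item)
{
	struct lruvec_stats parent;

	demo_reparent(&parent);
	return parent.state_local[item];
}

int main(void)
{
	printf("skipped %d item(s); parent inactive_anon=%ld active_file=%ld\n",
	       demo_skipped(), demo_parent_state(NR_INACTIVE_ANON),
	       demo_parent_state(NR_ACTIVE_FILE));
	return 0;
}
```

The check belongs at the point where the stats list is translated into an array slot, not in the callers: whichever list is walked (v1 or v2), an item outside the per-lruvec range must map to "no slot" rather than to the array length, and that is exactly the value UBSAN reported (index 33 for `long[33]`).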
Thread overview: 110+ messages
2026-01-14 11:26 [PATCH v3 00/30] Eliminate Dying Memory Cgroup Qi Zheng
2026-01-14 11:26 ` [PATCH v3 01/30] mm: memcontrol: remove dead code of checking parent memory cgroup Qi Zheng
2026-01-14 11:26 ` [PATCH v3 02/30] mm: workingset: use folio_lruvec() in workingset_refault() Qi Zheng
2026-01-14 11:26 ` [PATCH v3 03/30] mm: rename unlock_page_lruvec_irq and its variants Qi Zheng
2026-01-14 11:26 ` [PATCH v3 04/30] mm: vmscan: prepare for the refactoring the move_folios_to_lru() Qi Zheng
2026-01-16 9:10 ` Harry Yoo
2026-01-16 9:14 ` Muchun Song
2026-01-14 11:26 ` [PATCH v3 05/30] mm: vmscan: refactor move_folios_to_lru() Qi Zheng
2026-01-16 11:31 ` Harry Yoo
2026-01-14 11:26 ` [PATCH v3 06/30] mm: memcontrol: allocate object cgroup for non-kmem case Qi Zheng
2026-01-14 11:32 ` [PATCH v3 07/30] mm: memcontrol: return root object cgroup for root memory cgroup Qi Zheng
2026-01-16 12:53 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 08/30] mm: memcontrol: prevent memory cgroup release in get_mem_cgroup_from_folio() Qi Zheng
2026-01-17 20:00 ` Shakeel Butt
2026-01-18 0:31 ` Shakeel Butt
2026-01-19 3:20 ` Qi Zheng
2026-01-19 8:53 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 09/30] buffer: prevent memory cgroup release in folio_alloc_buffers() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 10/30] writeback: prevent memory cgroup release in writeback module Qi Zheng
2026-01-14 11:32 ` [PATCH v3 11/30] mm: memcontrol: prevent memory cgroup release in count_memcg_folio_events() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 12/30] mm: page_io: prevent memory cgroup release in page_io module Qi Zheng
2026-01-14 11:32 ` [PATCH v3 13/30] mm: migrate: prevent memory cgroup release in folio_migrate_mapping() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 14/30] mm: mglru: prevent memory cgroup release in mglru Qi Zheng
2026-01-17 22:46 ` Shakeel Butt
2026-01-19 9:25 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 15/30] mm: memcontrol: prevent memory cgroup release in mem_cgroup_swap_full() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 16/30] mm: workingset: prevent memory cgroup release in lru_gen_eviction() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 17/30] mm: thp: prevent memory cgroup release in folio_split_queue_lock{_irqsave}() Qi Zheng
2026-01-16 9:15 ` Muchun Song
2026-01-14 11:32 ` [PATCH v3 18/30] mm: zswap: prevent memory cgroup release in zswap_compress() Qi Zheng
2026-01-16 9:18 ` Muchun Song
2026-01-20 7:47 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 19/30] mm: workingset: prevent lruvec release in workingset_refault() Qi Zheng
2026-01-17 23:02 ` Shakeel Butt
2026-01-14 11:32 ` [PATCH v3 20/30] mm: zswap: prevent lruvec release in zswap_folio_swapin() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 21/30] mm: swap: prevent lruvec release in lru_gen_clear_refs() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 22/30] mm: workingset: prevent lruvec release in workingset_activation() Qi Zheng
2026-01-14 11:32 ` [PATCH v3 23/30] mm: do not open-code lruvec lock Qi Zheng
2026-01-15 9:26 ` Baoquan He
2026-01-15 9:31 ` Qi Zheng
2026-01-16 9:20 ` Muchun Song
2026-01-17 23:08 ` Shakeel Butt
2026-01-20 7:58 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 24/30] mm: memcontrol: prepare for reparenting LRU pages for " Qi Zheng
2026-01-15 12:34 ` kernel test robot
2026-01-16 8:16 ` Qi Zheng
2026-01-16 10:41 ` Philip Li
2026-01-16 11:06 ` Qi Zheng
2026-01-15 12:44 ` kernel test robot
2026-01-16 6:29 ` kernel test robot
2026-01-16 9:43 ` Muchun Song
2026-01-16 9:50 ` Qi Zheng
2026-01-18 0:44 ` Shakeel Butt
2026-01-19 3:44 ` Qi Zheng
2026-01-20 15:54 ` Shakeel Butt
2026-01-18 0:46 ` Shakeel Butt
2026-01-20 8:21 ` Harry Yoo
2026-01-20 11:51 ` Qi Zheng
2026-01-20 12:50 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 25/30] mm: vmscan: prepare for reparenting traditional LRU folios Qi Zheng
2026-01-16 9:49 ` Muchun Song
2026-01-18 1:11 ` Shakeel Butt
2026-01-19 3:24 ` Qi Zheng
2026-01-14 11:32 ` [PATCH v3 26/30] mm: vmscan: prepare for reparenting MGLRU folios Qi Zheng
2026-01-15 10:44 ` [PATCH v3 26/30 fix] mm: mglru: do not call update_lru_size() during reparenting Qi Zheng
2026-01-15 17:46 ` Andrew Morton
2026-01-21 3:53 ` Harry Yoo
2026-01-21 4:19 ` Harry Yoo
2026-01-21 11:21 ` Qi Zheng
2026-01-18 3:25 ` [PATCH v3 26/30] mm: vmscan: prepare for reparenting MGLRU folios Shakeel Butt
2026-01-18 3:29 ` Shakeel Butt
2026-01-19 3:39 ` Qi Zheng
2026-01-14 11:32 ` [PATCH v3 27/30] mm: memcontrol: refactor memcg_reparent_objcgs() Qi Zheng
2026-01-18 2:31 ` Shakeel Butt
2026-01-22 9:04 ` Harry Yoo
2026-01-22 9:13 ` Muchun Song
2026-01-14 11:32 ` [PATCH v3 28/30] mm: memcontrol: prepare for reparenting state_local Qi Zheng
2026-01-15 10:41 ` [PATCH v3 28/30 fix 1/2] mm: memcontrol: fix lruvec_stats->state_local reparenting Qi Zheng
2026-01-15 10:41 ` [PATCH v3 28/30 fix 2/2] mm: memcontrol: change state_locals to atomic_long_t type Qi Zheng
2026-01-15 17:47 ` [PATCH v3 28/30 fix 1/2] mm: memcontrol: fix lruvec_stats->state_local reparenting Andrew Morton
2026-01-16 3:27 ` Qi Zheng
2026-01-18 3:22 ` Shakeel Butt
2026-01-19 3:36 ` Qi Zheng
2026-01-20 7:19 ` Muchun Song
2026-01-20 18:47 ` Shakeel Butt
2026-01-21 3:43 ` Qi Zheng
2026-01-21 8:20 ` Shakeel Butt
2026-01-21 11:25 ` Qi Zheng
2026-01-18 3:20 ` [PATCH v3 28/30] mm: memcontrol: prepare for reparenting state_local Shakeel Butt
2026-01-19 3:34 ` Qi Zheng
2026-01-29 2:10 ` Harry Yoo
2026-01-29 8:50 ` Qi Zheng
2026-01-29 12:23 ` Harry Yoo
2026-01-30 7:22 ` Qi Zheng
2026-02-02 3:15 ` Harry Yoo
2026-01-14 11:32 ` [PATCH v3 29/30] mm: memcontrol: eliminate the problem of dying memory cgroup for LRU folios Qi Zheng
2026-01-14 11:32 ` [PATCH v3 30/30] mm: lru: add VM_WARN_ON_ONCE_FOLIO to lru maintenance helpers Qi Zheng
2026-01-14 17:07 ` [syzbot ci] Re: Eliminate Dying Memory Cgroup syzbot ci
2026-01-15 3:47 ` Qi Zheng [this message]
2026-01-14 17:58 ` [PATCH v3 00/30] " Andrew Morton
2026-01-15 3:52 ` Qi Zheng
2026-01-15 5:59 ` Andrew Morton
2026-01-15 6:05 ` Qi Zheng
2026-01-15 12:40 ` Lorenzo Stoakes
2026-01-16 0:43 ` Andrew Morton
2026-01-16 8:33 ` Lorenzo Stoakes
2026-01-16 12:25 ` Michal Hocko
-- strict thread matches above, loose matches on Subject: below --
2025-10-28 13:58 [PATCH v1 00/26] " Qi Zheng
2025-10-28 20:58 ` [syzbot ci] " syzbot ci
2025-10-29 0:22 ` Harry Yoo
2025-10-29 3:12 ` Qi Zheng