[syzbot] [mm?] general protection fault in lru_gen_test_recent (2)
1 view
Skip to first unread message
syzbot
3:55 AM (9 hours ago) 3:55 AM
to ak...@linux-foundation.org, axelra...@google.com, da...@kernel.org, han...@cmpxchg.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, mho...@kernel.org, shakee...@linux.dev, syzkall...@googlegroups.com, wei...@google.com, yua...@google.com, zhengq...@bytedance.com
Hello,
syzbot found the following issue on:
HEAD commit: c06c303832ec ocfs2: fix xattr array entry __counted_by error
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14cbfc1a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5aef7d5187304591
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127f2992580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cf4eb4580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c06c3038.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1a5115eeda38/vmlinux-c06c3038.xz
kernel image: https://storage.googleapis.com/syzbot-assets/98eb17e54bb8/bzImage-c06c3038.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e008db...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 2 UID: 0 PID: 6121 Comm: syz.0.27 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Code: 38 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 2a 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc90003e17828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888100068000 RCX: ffffc90003e1772c
RDX: 00000000000009c0 RSI: ffffffff82096446 RDI: 0000000000004e00
RBP: ffffc90003e178c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888028282ff0 R12: ffffc90003e178e0
R13: 0000000000000000 R14: ffffc90003e178b0 R15: 0000000000000000
FS: 00007f6361dfa6c0(0000) GS:ffff8880d6b0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000039516000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:296 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:546
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6360f8f7c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6361dfa038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f63611e5fa0 RCX: 00007f6360f8f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f6361013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f63611e6038 R14: 00007f63611e5fa0 R15: 00007ffe36ff8138
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Code: 38 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 2a 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc90003e17828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888100068000 RCX: ffffc90003e1772c
RDX: 00000000000009c0 RSI: ffffffff82096446 RDI: 0000000000004e00
RBP: ffffc90003e178c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888028282ff0 R12: ffffc90003e178e0
R13: 0000000000000000 R14: ffffc90003e178b0 R15: 0000000000000000
FS: 00007f6361dfa6c0(0000) GS:ffff8880d6b0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000039516000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 38 80 b5 ff 48 85 cmp %al,-0x7ab7004b(%rax)
6: db 0f fisttpl (%rdi)
8: 84 79 01 test %bh,0x1(%rcx)
b: 00 00 add %al,(%rax)
d: e8 2a 80 b5 ff call 0xffb5803c
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e a3 01 00 00 jle 0x1dd
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: c06c303832ec ocfs2: fix xattr array entry __counted_by error
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14cbfc1a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5aef7d5187304591
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127f2992580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cf4eb4580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c06c3038.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1a5115eeda38/vmlinux-c06c3038.xz
kernel image: https://storage.googleapis.com/syzbot-assets/98eb17e54bb8/bzImage-c06c3038.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e008db...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 2 UID: 0 PID: 6121 Comm: syz.0.27 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Code: 38 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 2a 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc90003e17828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888100068000 RCX: ffffc90003e1772c
RDX: 00000000000009c0 RSI: ffffffff82096446 RDI: 0000000000004e00
RBP: ffffc90003e178c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888028282ff0 R12: ffffc90003e178e0
R13: 0000000000000000 R14: ffffc90003e178b0 R15: 0000000000000000
FS: 00007f6361dfa6c0(0000) GS:ffff8880d6b0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000039516000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:296 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:546
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6360f8f7c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6361dfa038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f63611e5fa0 RCX: 00007f6360f8f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f6361013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f63611e6038 R14: 00007f63611e5fa0 R15: 00007ffe36ff8138
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Code: 38 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 2a 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc90003e17828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888100068000 RCX: ffffc90003e1772c
RDX: 00000000000009c0 RSI: ffffffff82096446 RDI: 0000000000004e00
RBP: ffffc90003e178c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888028282ff0 R12: ffffc90003e178e0
R13: 0000000000000000 R14: ffffc90003e178b0 R15: 0000000000000000
FS: 00007f6361dfa6c0(0000) GS:ffff8880d6b0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000039516000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 38 80 b5 ff 48 85 cmp %al,-0x7ab7004b(%rax)
6: db 0f fisttpl (%rdi)
8: 84 79 01 test %bh,0x1(%rcx)
b: 00 00 add %al,(%rax)
d: e8 2a 80 b5 ff call 0xffb5803c
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e a3 01 00 00 jle 0x1dd
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
7:44 AM (5 hours ago) 7:44 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add NULL check for memcg in lru_gen_test_recent() to prevent crash when
mem_cgroup_from_id() returns NULL.
The crash occurs when a folio's shadow entry contains a memcg_id that
no longer maps to a valid memory cgroup. This can happen when:
1. The memory cgroup has been deleted/freed
2. A folio was created without proper memcg association (e.g., during
procmap_query build ID parsing via freader_get_folio)
3. The memcg_id in the shadow entry is invalid or zero
When lru_gen_test_recent() calls mem_cgroup_from_id(), it may return
NULL. The subsequent call to mem_cgroup_lruvec() with a NULL memcg
triggers a crash because the inline function's code calculates
memcg->nodeinfo offset (0x4e00) before the NULL check can execute,
causing a NULL pointer dereference that KASAN detects.
Although mem_cgroup_lruvec() has a NULL check internally, compiler
inlining and optimization causes the offset calculation to occur
first, making the internal check unreachable.
The fix adds an explicit NULL check after mem_cgroup_from_id() and
falls back to root_mem_cgroup, which is consistent with how
mem_cgroup_lruvec() itself handles NULL pointers.
Reproducer triggers this via:
procfs_procmap_ioctl() -> do_procmap_query() -> __build_id_parse() ->
freader_get_folio() -> filemap_add_folio() -> workingset_refault() ->
lru_gen_refault() -> lru_gen_test_recent()
KASAN report:
general protection fault in mem_cgroup_lruvec
RIP: mem_cgroup_lruvec+0xee/0x320 include/linux/memcontrol.h:720
Call Trace:
lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Closes: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
mm/workingset.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..8b6332cfb4f0 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,6 +272,8 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ if (!memcg)
+ memcg = root_mem_cgroup;
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
max_seq = READ_ONCE((*lruvec)->lrugen.max_seq);
--
2.43.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add NULL check for memcg in lru_gen_test_recent() to prevent crash when
mem_cgroup_from_id() returns NULL.
The crash occurs when a folio's shadow entry contains a memcg_id that
no longer maps to a valid memory cgroup. This can happen when:
1. The memory cgroup has been deleted/freed
2. A folio was created without proper memcg association (e.g., during
procmap_query build ID parsing via freader_get_folio)
3. The memcg_id in the shadow entry is invalid or zero
When lru_gen_test_recent() calls mem_cgroup_from_id(), it may return
NULL. The subsequent call to mem_cgroup_lruvec() with a NULL memcg
triggers a crash because the inline function's code calculates
memcg->nodeinfo offset (0x4e00) before the NULL check can execute,
causing a NULL pointer dereference that KASAN detects.
Although mem_cgroup_lruvec() has a NULL check internally, compiler
inlining and optimization causes the offset calculation to occur
first, making the internal check unreachable.
The fix adds an explicit NULL check after mem_cgroup_from_id() and
falls back to root_mem_cgroup, which is consistent with how
mem_cgroup_lruvec() itself handles NULL pointers.
Reproducer triggers this via:
procfs_procmap_ioctl() -> do_procmap_query() -> __build_id_parse() ->
freader_get_folio() -> filemap_add_folio() -> workingset_refault() ->
lru_gen_refault() -> lru_gen_test_recent()
KASAN report:
general protection fault in mem_cgroup_lruvec
RIP: mem_cgroup_lruvec+0xee/0x320 include/linux/memcontrol.h:720
Call Trace:
lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
workingset_refault+0x251/0xca0 mm/workingset.c:546
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
Reported-by: syzbot+e008db...@syzkaller.appspotmail.com
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
Closes: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
mm/workingset.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..8b6332cfb4f0 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,6 +272,8 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ if (!memcg)
+ memcg = root_mem_cgroup;
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
max_seq = READ_ONCE((*lruvec)->lrugen.max_seq);
--
2.43.0
syzbot
8:10 AM (5 hours ago) 8:10 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 0 UID: 0 PID: 6513 Comm: syz.0.29 Not tainted syzkaller #0 PREEMPT(full)
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc900035f7828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc900035f772c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc900035f78c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802b10aff0 R12: ffffc900035f78e0
R13: 0000000000000000 R14: ffffc900035f78b0 R15: 0000000000000000
FS: 00007f7ae80646c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:298 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:548
RAX: ffffffffffffffda RBX: 00007f7ae73e5fa0 RCX: 00007f7ae718f7c9
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc900035f7828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc900035f772c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc900035f78c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802b10aff0 R12: ffffc900035f78e0
R13: 0000000000000000 R14: ffffc900035f78b0 R15: 0000000000000000
FS: 00007f7ae80646c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
e: 1c 80 sbb $0x80,%al
10: b5 ff mov $0xff,%ch
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f6ceb4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:277
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc900035f7828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc900035f772c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc900035f78c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802b10aff0 R12: ffffc900035f78e0
R13: 0000000000000000 R14: ffffc900035f78b0 R15: 0000000000000000
FS: 00007f7ae80646c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 000000002e141000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:298 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:548
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7ae718f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7ae8064038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f7ae73e5fa0 RCX: 00007f7ae718f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f7ae7213f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7ae73e6038 R14: 00007f7ae73e5fa0 R15: 00007ffdab92bc98
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:277
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc900035f7828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc900035f772c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc900035f78c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802b10aff0 R12: ffffc900035f78e0
R13: 0000000000000000 R14: ffffc900035f78b0 R15: 0000000000000000
FS: 00007f7ae80646c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 000000002e141000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 2a 80 b5 ff 48 85 sub -0x7ab7004b(%rax),%al
Code disassembly (best guess):
6: db 0f fisttpl (%rdi)
8: 84 a9 01 00 00 e8 test %ch,-0x17ffffff(%rcx)
e: 1c 80 sbb $0x80,%al
10: b5 ff mov $0xff,%ch
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e d3 01 00 00 jle 0x20d
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
Tested on:
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f6ceb4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1336a992580000
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
9:35 AM (3 hours ago) 9:35 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add NULL check for memcg in lru_gen_test_recent() to prevent crash when
mem_cgroup_from_id() returns NULL.
The crash occurs when a folio's shadow entry contains a memcg_id that
no longer maps to a valid memory cgroup. This can happen when:
1. The memory cgroup has been deleted/freed
2. A folio was created without proper memcg association (e.g., during
procmap_query build ID parsing via freader_get_folio)
3. The memcg_id in the shadow entry is invalid or zero
When lru_gen_test_recent() calls mem_cgroup_from_id(), it may return
NULL. The subsequent call to mem_cgroup_lruvec() with NULL memcg
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add NULL check for memcg in lru_gen_test_recent() to prevent crash when
mem_cgroup_from_id() returns NULL.
The crash occurs when a folio's shadow entry contains a memcg_id that
no longer maps to a valid memory cgroup. This can happen when:
1. The memory cgroup has been deleted/freed
2. A folio was created without proper memcg association (e.g., during
procmap_query build ID parsing via freader_get_folio)
3. The memcg_id in the shadow entry is invalid or zero
When lru_gen_test_recent() calls mem_cgroup_from_id(), it may return
triggers a crash.
Although mem_cgroup_lruvec() has an internal NULL check, the crash
occurs before reaching it due to compiler optimization. Since
mem_cgroup_lruvec() is an inline function, the compiler calculates
the offset memcg->nodeinfo (0x4e00) before the function's NULL check
can execute, causing a NULL pointer dereference.
Fix this by introducing an effective_memcg variable that is explicitly
set to root_mem_cgroup when memcg is NULL. This approach forces the
compiler to use a separate register/memory location, preventing the
premature offset calculation that caused the crash with a simple
in-place NULL check.
Reported-by: syzbot+e008db...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
mm/workingset.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..dad8b16af105 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -266,13 +266,14 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
{
int memcg_id;
unsigned long max_seq;
- struct mem_cgroup *memcg;
+ struct mem_cgroup *memcg, *effective_memcg;
struct pglist_data *pgdat;
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ effective_memcg = memcg ? : root_mem_cgroup;
+ *lruvec = mem_cgroup_lruvec(effective_memcg, pgdat);
max_seq = READ_ONCE((*lruvec)->lrugen.max_seq);
max_seq &= EVICTION_MASK >> LRU_REFS_WIDTH;
--
2.43.0
syzbot
9:50 AM (3 hours ago) 9:50 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 3 UID: 0 PID: 6430 Comm: syz.0.26 Not tainted syzkaller #0 PREEMPT(full)
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:276
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc9000325f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801cac8000 RCX: ffffc9000325f72c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc9000325f8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802ed4d4b0 R12: ffffc9000325f8e0
R13: 0000000000000000 R14: ffffc9000325f8b0 R15: 0000000000000000
FS: 00007f03a13f86c0(0000) GS:ffff8880d6c09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ec36aadde8 CR3: 0000000055323000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:297 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:547
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f03a058f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f03a13f8038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f03a07e5fa0 RCX: 00007f03a058f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f03a0613f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f03a07e6038 R14: 00007f03a07e5fa0 R15: 00007ffc40446548
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:276
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc9000325f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801cac8000 RCX: ffffc9000325f72c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc9000325f8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802ed4d4b0 R12: ffffc9000325f8e0
R13: 0000000000000000 R14: ffffc9000325f8b0 R15: 0000000000000000
FS: 00007f03a13f86c0(0000) GS:ffff8880d6c09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ec36aadde8 CR3: 0000000055323000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 2a 80 b5 ff 48 85 sub -0x7ab7004b(%rax),%al
6: db 0f fisttpl (%rdi)
8: 84 a9 01 00 00 e8 test %ch,-0x17ffffff(%rcx)
e: 1c 80 sbb $0x80,%al
10: b5 ff mov $0xff,%ch
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e d3 01 00 00 jle 0x20d
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
Tested on:
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16d4f21a580000
Code disassembly (best guess):
0: 2a 80 b5 ff 48 85 sub -0x7ab7004b(%rax),%al
6: db 0f fisttpl (%rdi)
8: 84 a9 01 00 00 e8 test %ch,-0x17ffffff(%rcx)
e: 1c 80 sbb $0x80,%al
10: b5 ff mov $0xff,%ch
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e d3 01 00 00 jle 0x20d
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
Tested on:
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1145a992580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
10:05 AM (3 hours ago) 10:05 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..847580173fb0 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,8 +272,15 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ pr_warn("DEBUG: memcg_id=%d memcg=%p root_mem_cgroup=%p\n",memcg_id, memcg, root_mem_cgroup);
memcg = mem_cgroup_from_id(memcg_id);
+ if (!memcg) {
+ pr_warn("DEBUG: memcg is NULL, using root_mem_cgroup\n");
+ memcg = root_mem_cgroup;
+ pr_warn("DEBUG: after assignment memcg=%p\n", memcg);
+ }
+ pr_warn("DEBUG: about to call mem_cgroup_lruvec with memcg=%p\n", memcg);
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
-
+ pr_warn("DEBUG: mem_cgroup_lruvec returned successfully\n");
syzbot
10:22 AM (3 hours ago) 10:22 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
DEBUG: memcg_id=0 memcg=0000000000000000 root_mem_cgroup=ffff88801cac8000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
DEBUG: memcg is NULL, using root_mem_cgroup
DEBUG: after assignment memcg=ffff88801cac8000
DEBUG: about to call mem_cgroup_lruvec with memcg=ffff88801cac8000
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 0 UID: 0 PID: 6414 Comm: syz.0.20 Not tainted syzkaller #0 PREEMPT(full)
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0x14a/0x420 mm/workingset.c:282
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: dc 7f b5 ff 48 85 db 0f 84 a4 01 00 00 e8 ce 7f b5 ff 49 8d be 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 10 02 00 00 4d 63 ae 00 4e 00
RSP: 0018:ffffc9000177f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801cac8000 RCX: ffffffff819c8d55
RDX: 00000000000009c0 RSI: ffffffff820964a2 RDI: 0000000000004e00
RBP: ffffc9000177f8c0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: ffff888026ad8b30 R12: ffffc9000177f8e0
R13: ffffffff90882820 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fb55eb846c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000022e91000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:303 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:553
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb55dd8f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb55eb84038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb55dfe5fa0 RCX: 00007fb55dd8f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007fb55de13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb55dfe6038 R14: 00007fb55dfe5fa0 R15: 00007ffd3962a3c8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0x14a/0x420 mm/workingset.c:282
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: dc 7f b5 ff 48 85 db 0f 84 a4 01 00 00 e8 ce 7f b5 ff 49 8d be 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 10 02 00 00 4d 63 ae 00 4e 00
RSP: 0018:ffffc9000177f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801cac8000 RCX: ffffffff819c8d55
RDX: 00000000000009c0 RSI: ffffffff820964a2 RDI: 0000000000004e00
RBP: ffffc9000177f8c0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: ffff888026ad8b30 R12: ffffc9000177f8e0
R13: ffffffff90882820 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fb55eb846c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000022e91000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: dc 7f b5 fdivrl -0x4b(%rdi)
Code disassembly (best guess):
3: ff 48 85 decl -0x7b(%rax)
6: db 0f fisttpl (%rdi)
8: 84 a4 01 00 00 e8 ce test %ah,-0x31180000(%rcx,%rax,1)
f: 7f b5 jg 0xffffffc6
11: ff 49 8d decl -0x73(%rcx)
14: be 00 4e 00 00 mov $0x4e00,%esi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e 10 02 00 00 jle 0x24a
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: ae scas %es:(%rdi),%al
3b: 63 .byte 0x63
3d: 00 4e 00 add %cl,0x0(%rsi)
Tested on:
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14f5a992580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
10:31 AM (2 hours ago) 10:31 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
Fixes: ac35a4902374 ("mm: multi-gen LRU: minimal implementation")
mm/workingset.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/workingset.c b/mm/workingset.c
1 file changed, 2 insertions(+)
index e9f05634747a..8166793b38dc 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,6 +272,8 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ if (unlikely(!memcg))
memcg = mem_cgroup_from_id(memcg_id);
+ WRITE_ONCE(memcg, root_mem_cgroup);
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
max_seq = READ_ONCE((*lruvec)->lrugen.max_seq);
--
2.43.0
syzbot
10:38 AM (2 hours ago) 10:38 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..4fa33b57f0ca 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,7 +272,11 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
memcg = mem_cgroup_from_id(memcg_id);
- *lruvec = mem_cgroup_lruvec(memcg, pgdat);
+ if(unlikely(!memcg)) {
+ *lruvec = &pgdat->__lruvec;
+ } else {
+ *lruvec = mem_cgroup_lruvec(memcg, pgdat);
+ }
syzbot
10:45 AM (2 hours ago) 10:45 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 0 UID: 0 PID: 6460 Comm: syz.0.36 Not tainted syzkaller #0 PREEMPT(full)
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:277
Code: 2a 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc9000313f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc9000313f72c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc9000313f8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff8880280f0b30 R12: ffffc9000313f8e0
R13: 0000000000000000 R14: ffffc9000313f8b0 R15: 0000000000000000
FS: 00007fb06f8496c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000057f81000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:298 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:548
workingset_refault+0x251/0xca0 mm/workingset.c:548
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb06e98f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb06f849038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb06ebe5fa0 RCX: 00007fb06e98f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007fb06ea13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb06ebe6038 R14: 00007fb06ebe5fa0 R15: 00007ffd239d7168
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:277
Code: 2a 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc9000313f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc9000313f72c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc9000313f8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff8880280f0b30 R12: ffffc9000313f8e0
R13: 0000000000000000 R14: ffffc9000313f8b0 R15: 0000000000000000
FS: 00007fb06f8496c0(0000) GS:ffff8880d6a09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb06e973460 CR3: 0000000057f81000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
Code disassembly (best guess):
0: 2a 80 b5 ff 48 85 sub -0x7ab7004b(%rax),%al
6: db 0f fisttpl (%rdi)
8: 84 79 01 test %bh,0x1(%rcx)
b: 00 00 add %al,(%rax)
d: e8 1c 80 b5 ff call 0xffb5802e
b: 00 00 add %al,(%rax)
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e d3 01 00 00 jle 0x20d
3a: 4d rex.WRB
3b: 63 .byte 0x63
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
Tested on:
commit: 9e906a9d Merge tag 'perf-tools-for-v6.19-2025-12-06' o..
3e: 4e rex.WRX
Tested on:
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1601521a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1202f21a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
11:00 AM (2 hours ago) 11:00 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000a4f: 0000 [#1] SMP KASAN NOPTI
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
KASAN: probably user-memory-access in range [0x0000000000005278-0x000000000000527f]
CPU: 2 UID: 0 PID: 6563 Comm: syz.0.66 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:lru_gen_test_recent+0x1a4/0x2f0 mm/workingset.c:281
Code: 48 c1 ea 03 80 3c 02 00 0f 85 17 01 00 00 48 8d bb c0 00 00 00 49 89 1c 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 01 00 00 48 8b 9b c0 00 00 00 48 89 ea 48 b8
RSP: 0018:ffffc900027ef828 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 00000000000051b8 RCX: ffffc900027ef72c
RDX: 0000000000000a4f RSI: ffffffff820964dd RDI: 0000000000005278
RBP: ffffc900027ef8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802c77aff0 R12: ffffc900027ef8e0
R13: 0000000000000000 R14: ffffc900027ef8b0 R15: 0000000000000000
FS: 00007ff4529496c0(0000) GS:ffff8880d6b09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000055b8f000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:300 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:550
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff451b8f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff452949038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff451de5fa0 RCX: 00007ff451b8f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007ff451c13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ff451de6038 R14: 00007ff451de5fa0 R15: 00007ffda7f04458
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lru_gen_test_recent+0x1a4/0x2f0 mm/workingset.c:281
Modules linked in:
---[ end trace 0000000000000000 ]---
Code: 48 c1 ea 03 80 3c 02 00 0f 85 17 01 00 00 48 8d bb c0 00 00 00 49 89 1c 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 01 00 00 48 8b 9b c0 00 00 00 48 89 ea 48 b8
RSP: 0018:ffffc900027ef828 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 00000000000051b8 RCX: ffffc900027ef72c
RDX: 0000000000000a4f RSI: ffffffff820964dd RDI: 0000000000005278
RBP: ffffc900027ef8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802c77aff0 R12: ffffc900027ef8e0
R13: 0000000000000000 R14: ffffc900027ef8b0 R15: 0000000000000000
FS: 00007ff4529496c0(0000) GS:ffff8880d6a09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff451b73460 CR3: 0000000055b8f000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 48 c1 ea 03 shr $0x3,%rdx
Code disassembly (best guess):
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 17 01 00 00 jne 0x125
e: 48 8d bb c0 00 00 00 lea 0xc0(%rbx),%rdi
15: 49 89 1c 24 mov %rbx,(%r12)
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2e: 0f 85 21 01 00 00 jne 0x155
34: 48 8b 9b c0 00 00 00 mov 0xc0(%rbx),%rbx
3b: 48 89 ea mov %rbp,%rdx
3e: 48 rex.W
3f: b8 .byte 0xb8
Tested on:
commit: 9e906a9d Merge tag 'perf-tools-for-v6.19-2025-12-06' o..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=168666c2580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
11:08 AM (2 hours ago) 11:08 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..6a45e98317e9 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,8 +272,13 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ if (unlikely(!memcg)) {
memcg = mem_cgroup_from_id(memcg_id);
+ pr_warn("DEBUG: memcg is NULL (memcg_id=%d), pgdat=%p, returning false\n",memcg_id, pgdat);
+ pr_warn("DEBUG: shadow=%p token=%lx workingset=%d\n",shadow, *token, *workingset);
+ return false;
+ }
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
-
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
+ pr_warn("DEBUG: memcg=%p, lruvec=%p, continuing normally\n", memcg, *lruvec);
syzbot
11:23 AM (2 hours ago) 11:23 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
DEBUG: memcg is NULL (memcg_id=0), pgdat=0000000000000000, returning false
DEBUG: shadow=0000000000000013 token=0 workingset=1
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 36e08067 P4D 36e08067 PUD 0
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 2 UID: 0 PID: 6417 Comm: syz.0.25 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000444f988 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff888036dfc980 RSI: ffffea00011b2b00 RDI: ffff8880329bbdc0
RBP: ffffea00011b2b00 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff92000889f32
R13: ffff8880329bbdc0 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007f75eb5a26c0(0000) GS:ffff8880d6b09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000005576a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f75ea78f7c9
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f75eb5a2038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f75ea9e5fa0 RCX: 00007f75ea78f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f75ea813f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f75ea9e6038 R14: 00007f75ea9e5fa0 R15: 00007fff20402df8
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000444f988 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff888036dfc980 RSI: ffffea00011b2b00 RDI: ffff8880329bbdc0
RBP: ffffea00011b2b00 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff92000889f32
R13: ffff8880329bbdc0 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007f75eb5a26c0(0000) GS:ffff8880d6b09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000005576a000 CR4: 0000000000352ef0
Tested on:
commit: 9e906a9d Merge tag 'perf-tools-for-v6.19-2025-12-06' o..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14b1521a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Reply all
Reply to author
Forward
0 new messages