[syzbot] [mm?] [cgroups?] kernel BUG in swap_cgroup_record (2)


syzbot

Jan 9, 2026, 3:57:22 AM
to ak...@linux-foundation.org, cgr...@vger.kernel.org, han...@cmpxchg.org, linux-...@vger.kernel.org, linu...@kvack.org, mho...@kernel.org, muchu...@linux.dev, roman.g...@linux.dev, shakee...@linux.dev, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: f8f97927abf7 Add linux-next specific files for 20260105
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=131ff69a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a0672dd8d69c3235
dashboard link: https://syzkaller.appspot.com/bug?extid=d97580a8cceb9b03c13e
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17065efc580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=176c9e9a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1837bbc8e23e/disk-f8f97927.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/07390717f7e4/vmlinux-f8f97927.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8f4a72ec80dc/bzImage-f8f97927.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d97580...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at mm/swap_cgroup.c:78!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6176 Comm: syz.0.30 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:swap_cgroup_record+0x19c/0x1c0 mm/swap_cgroup.c:78
Code: 02 e9 6d ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 35 ff ff ff 4c 89 f7 e8 cf 84 f6 ff e9 28 ff ff ff e8 e5 c1 8f ff 90 <0f> 0b e8 dd c1 8f ff 4c 89 f7 48 c7 c6 80 f6 98 8b e8 de d4 f6 fe
RSP: 0018:ffffc90003176720 EFLAGS: 00010093
RAX: ffffffff8231359b RBX: 0000000000001b88 RCX: ffff8880351f9e40
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff5200062ecd4 R12: dffffc0000000000
R13: 0000000000000000 R14: ffffc900041b1000 R15: 0000000000000002
FS: 00007feeba18f6c0(0000) GS:ffff8881259c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007feeba18ef98 CR3: 0000000077742000 CR4: 00000000003526f0
Call Trace:
<TASK>
memcg1_swapout+0x2fa/0x830 mm/memcontrol-v1.c:623
__remove_mapping+0xac5/0xe30 mm/vmscan.c:773
shrink_folio_list+0x2786/0x4f40 mm/vmscan.c:1528
reclaim_folio_list+0xeb/0x4e0 mm/vmscan.c:2208
reclaim_pages+0x454/0x520 mm/vmscan.c:2245
madvise_cold_or_pageout_pte_range+0x19a0/0x1ce0 mm/madvise.c:563
walk_pmd_range mm/pagewalk.c:130 [inline]
walk_pud_range mm/pagewalk.c:224 [inline]
walk_p4d_range mm/pagewalk.c:262 [inline]
walk_pgd_range+0x1037/0x1d30 mm/pagewalk.c:303
__walk_page_range+0x14c/0x710 mm/pagewalk.c:410
walk_page_range_vma_unsafe+0x34c/0x400 mm/pagewalk.c:714
madvise_pageout_page_range mm/madvise.c:622 [inline]
madvise_pageout mm/madvise.c:647 [inline]
madvise_vma_behavior+0x3132/0x4170 mm/madvise.c:1366
madvise_walk_vmas+0x575/0xaf0 mm/madvise.c:1721
madvise_do_behavior+0x38e/0x550 mm/madvise.c:1937
do_madvise+0x1bc/0x270 mm/madvise.c:2030
__do_sys_madvise mm/madvise.c:2039 [inline]
__se_sys_madvise mm/madvise.c:2037 [inline]
__x64_sys_madvise+0xa7/0xc0 mm/madvise.c:2037
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7feeb938f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feeba18f038 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007feeb95e6090 RCX: 00007feeb938f749
RDX: 0000000000000015 RSI: 0000000000800000 RDI: 0000200000000000
RBP: 00007feeb9413f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007feeb95e6128 R14: 00007feeb95e6090 R15: 00007ffd48399048
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:swap_cgroup_record+0x19c/0x1c0 mm/swap_cgroup.c:78
Code: 02 e9 6d ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 35 ff ff ff 4c 89 f7 e8 cf 84 f6 ff e9 28 ff ff ff e8 e5 c1 8f ff 90 <0f> 0b e8 dd c1 8f ff 4c 89 f7 48 c7 c6 80 f6 98 8b e8 de d4 f6 fe
RSP: 0018:ffffc90003176720 EFLAGS: 00010093
RAX: ffffffff8231359b RBX: 0000000000001b88 RCX: ffff8880351f9e40
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff5200062ecd4 R12: dffffc0000000000
R13: 0000000000000000 R14: ffffc900041b1000 R15: 0000000000000002
FS: 00007feeba18f6c0(0000) GS:ffff8881259c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007feeba18ef98 CR3: 0000000077742000 CR4: 00000000003526f0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jan 9, 2026, 11:23:34 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] mm/swap_cgroup: fix kernel BUG in swap_cgroup_record
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

When using MADV_PAGEOUT, pages can remain in swapcache with their swap
entries assigned. If MADV_PAGEOUT is called again on these pages, they
reuse the same swap entries, causing memcg1_swapout() to call
swap_cgroup_record() with an already-recorded entry.

The existing code assumes swap entries are always being recorded for the
first time (oldid == 0), triggering VM_BUG_ON when it encounters an
already-recorded entry:

------------[ cut here ]------------
kernel BUG at mm/swap_cgroup.c:78!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6176 Comm: syz.0.30 Not tainted
RIP: 0010:swap_cgroup_record+0x19c/0x1c0 mm/swap_cgroup.c:78
Call Trace:
memcg1_swapout+0x2fa/0x830 mm/memcontrol-v1.c:623
__remove_mapping+0xac5/0xe30 mm/vmscan.c:773
shrink_folio_list+0x2786/0x4f40 mm/vmscan.c:1528
reclaim_folio_list+0xeb/0x4e0 mm/vmscan.c:2208
reclaim_pages+0x454/0x520 mm/vmscan.c:2245
madvise_cold_or_pageout_pte_range+0x19a0/0x1ce0 mm/madvise.c:563
...
do_madvise+0x1bc/0x270 mm/madvise.c:2030
__do_sys_madvise mm/madvise.c:2039

This bug occurs because pages in swapcache can be targeted by
MADV_PAGEOUT multiple times without being swapped in between. Each time,
the same swap entry is reused, but swap_cgroup_record() expects to only
record new, unused entries.

Fix this by checking if the swap entry already has the correct cgroup ID
recorded before attempting to record it. Add a new helper function
swap_cgroup_lookup() to read the current cgroup ID without modifying it.
In memcg1_swapout(), check if the entry is already correctly recorded and
return early if so, avoiding unnecessary work and the crash. Only call
swap_cgroup_record() when the entry needs to be set or updated.

This approach is more efficient than making swap_cgroup_record()
idempotent, as it avoids unnecessary atomic operations, reference count
manipulations, and statistics updates when the entry is already correct.

Link: https://syzkaller.appspot.com/bug?extid=d97580a8cceb9b03c13e
Reported-by: syzbot+d97580...@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
include/linux/swap_cgroup.h | 6 ++++++
mm/memcontrol-v1.c | 7 +++++++
mm/swap_cgroup.c | 18 ++++++++++++++++++
3 files changed, 31 insertions(+)

diff --git a/include/linux/swap_cgroup.h b/include/linux/swap_cgroup.h
index 91cdf12190a0..fd79e7bf8917 100644
--- a/include/linux/swap_cgroup.h
+++ b/include/linux/swap_cgroup.h
@@ -7,6 +7,7 @@
#if defined(CONFIG_MEMCG) && defined(CONFIG_SWAP)

extern void swap_cgroup_record(struct folio *folio, unsigned short id, swp_entry_t ent);
+extern unsigned short swap_cgroup_lookup(swp_entry_t ent);
extern unsigned short swap_cgroup_clear(swp_entry_t ent, unsigned int nr_ents);
extern unsigned short lookup_swap_cgroup_id(swp_entry_t ent);
extern int swap_cgroup_swapon(int type, unsigned long max_pages);
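Review bot: the new `swap_cgroup_lookup()` declaration duplicates `lookup_swap_cgroup_id()`, which is declared two lines below in the same block and already returns the recorded cgroup id for a swap entry without modifying it; unless the two are meant to differ, memcg1_swapout() should call the existing accessor and this declaration (and its `!CONFIG_MEMCG || !CONFIG_SWAP` stub in the next hunk) can be dropped.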
@@ -19,6 +20,11 @@ void swap_cgroup_record(struct folio *folio, unsigned short id, swp_entry_t ent)
{
}

+static inline unsigned short swap_cgroup_lookup(swp_entry_t ent)
+{
+ return 0;
+}
+
static inline
unsigned short swap_cgroup_clear(swp_entry_t ent, unsigned int nr_ents)
{
diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c
index 56d27baf93ab..37899d156b2a 100644
--- a/mm/memcontrol-v1.c
+++ b/mm/memcontrol-v1.c
@@ -614,6 +614,7 @@ void memcg1_swapout(struct folio *folio, swp_entry_t entry)
{
struct mem_cgroup *memcg, *swap_memcg;
unsigned int nr_entries;
+ unsigned short oldid;

VM_BUG_ON_FOLIO(folio_test_lru(folio), folio);
VM_BUG_ON_FOLIO(folio_ref_count(folio), folio);
@@ -630,6 +631,12 @@ void memcg1_swapout(struct folio *folio, swp_entry_t entry)
if (!memcg)
return;

+ oldid = swap_cgroup_lookup(entry);
+ if (oldid == mem_cgroup_id(memcg)) {
+ return;
+ }
+ VM_WARN_ON_ONCE(oldid != 0);
+
/*
* In case the memcg owning these pages has been offlined and doesn't
* have an ID allocated to it anymore, charge the closest online
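Review bot: the `VM_WARN_ON_ONCE(oldid != 0)` does not handle the case it warns about: when `oldid` is non-zero but differs from `mem_cgroup_id(memcg)`, control falls through to `swap_cgroup_record()`, which per the report in the commit message BUGs on any already-recorded entry, so that case still crashes rather than being tolerated. Either treat a stale non-zero id as already recorded or explain why it cannot occur. Also, kernel style has no braces around a single-statement `if`: `if (oldid == mem_cgroup_id(memcg))` / `return;`.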
diff --git a/mm/swap_cgroup.c b/mm/swap_cgroup.c
index de779fed8c21..083eda4b67d6 100644
--- a/mm/swap_cgroup.c
+++ b/mm/swap_cgroup.c
@@ -51,6 +51,24 @@ static unsigned short __swap_cgroup_id_xchg(struct swap_cgroup *map,
return old_id;
}

+unsigned short swap_cgroup_lookup(swp_entry_t ent)
+{
+ struct swap_cgroup *sc;
+ unsigned short id;
+ pgoff_t offset = swp_offset(ent);
+ unsigned short type = swp_type(ent);
+
+ if (type >= MAX_SWAPFILES)
+ return 0;
+
+ sc = swap_cgroup_ctrl[type].map;
+ if (!sc)
+ return 0;
+ id = (unsigned short)atomic_read(&sc[offset].ids);
+ return id;
+
+}
+
/**
* swap_cgroup_record - record mem_cgroup for a set of swap entries.
* These entries must belong to one single folio, and that folio
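Review bot: `sc[offset]` indexes the map as one `struct swap_cgroup` per swap offset, but the map's layout is owned by the accessors above it (`__swap_cgroup_id_xchg()` takes the map and an offset precisely so callers never compute the index themselves), and the `atomic_read()` result is truncated with a plain cast rather than selecting the id belonging to that offset; syzbot's test of this patch reports a vmalloc-out-of-bounds read of size 4 at exactly this line (mm/swap_cgroup.c:67), so the index runs past the allocation. Reuse the existing `lookup_swap_cgroup_id()` from the header instead of re-deriving the indexing here. The stray blank line before the closing brace should also go.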
--
2.43.0

syzbot

Jan 9, 2026, 12:08:05 PM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: vmalloc-out-of-bounds Read in swap_cgroup_lookup

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: vmalloc-out-of-bounds in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: vmalloc-out-of-bounds in swap_cgroup_lookup+0x89/0xd0 mm/swap_cgroup.c:67
Read of size 4 at addr ffffc900034e0800 by task syz.0.17/6463

CPU: 0 UID: 0 PID: 6463 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
swap_cgroup_lookup+0x89/0xd0 mm/swap_cgroup.c:67
memcg1_swapout+0x235/0x8c0 mm/memcontrol-v1.c:634
__remove_mapping+0xac5/0xe30 mm/vmscan.c:764
shrink_folio_list+0x28a8/0x5200 mm/vmscan.c:1523
reclaim_folio_list+0xeb/0x4e0 mm/vmscan.c:2203
reclaim_pages+0x454/0x520 mm/vmscan.c:2240
madvise_cold_or_pageout_pte_range+0x19a0/0x1ce0 mm/madvise.c:563
walk_pmd_range mm/pagewalk.c:130 [inline]
walk_pud_range mm/pagewalk.c:224 [inline]
walk_p4d_range mm/pagewalk.c:262 [inline]
walk_pgd_range+0x1037/0x1d30 mm/pagewalk.c:303
__walk_page_range+0x14c/0x710 mm/pagewalk.c:410
walk_page_range_vma_unsafe+0x34c/0x400 mm/pagewalk.c:714
madvise_pageout_page_range mm/madvise.c:622 [inline]
madvise_pageout mm/madvise.c:647 [inline]
madvise_vma_behavior+0x3132/0x4170 mm/madvise.c:1366
madvise_walk_vmas+0x575/0xaf0 mm/madvise.c:1721
madvise_do_behavior+0x38e/0x550 mm/madvise.c:1937
do_madvise+0x1bc/0x270 mm/madvise.c:2030
__do_sys_madvise mm/madvise.c:2039 [inline]
__se_sys_madvise mm/madvise.c:2037 [inline]
__x64_sys_madvise+0xa7/0xc0 mm/madvise.c:2037
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6b0fb8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6b10aca038 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007f6b0fde6090 RCX: 00007f6b0fb8f749
RDX: 0000000000000015 RSI: 0000000000800000 RDI: 0000200000000000
RBP: 00007f6b0fc13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6b0fde6128 R14: 00007f6b0fde6090 R15: 00007ffcdb080178
</TASK>

The buggy address belongs to a vmalloc virtual mapping
Memory state around the buggy address:
ffffc900034e0700: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900034e0780: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc900034e0800: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc900034e0880: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900034e0900: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


Tested on:

commit: f417b7ff Add linux-next specific files for 20260109
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=138f919a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9abcd50d16f3c8b5
dashboard link: https://syzkaller.appspot.com/bug?extid=d97580a8cceb9b03c13e
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15dab19a580000
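The out-of-bounds read above lands on the `atomic_read(&sc[offset].ids)` line of the first patch's `swap_cgroup_lookup()`. The following user-space C model is added here and is not part of the thread or of the kernel: it assumes the kernel's map packs two 16-bit cgroup ids into each 32-bit `struct swap_cgroup` slot (so a swapon allocates `DIV_ROUND_UP(max_pages, 2)` slots), and contrasts the `sc[offset]` indexing with the index-and-shift lookup that layout requires; `record_checked()` is a hypothetical model of the check-before-record idea from the two patches, including the stale-id case.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumption (user-space model, not kernel code): the swap cgroup map is an
 * array of 32-bit slots, each packing two 16-bit cgroup ids, one per swap
 * offset; a plain uint32_t stands in for the kernel's atomic_t. */
typedef uint32_t sc_slot_t;

#define ID_PER_SC ((size_t)(sizeof(sc_slot_t) / sizeof(uint16_t)))  /* 2 */
#define ID_SHIFT  ((unsigned)(8 * sizeof(uint16_t)))                /* 16 */
#define ID_MASK   ((sc_slot_t)((1u << ID_SHIFT) - 1))               /* 0xffff */

struct sc_map {
	sc_slot_t *slots;
	size_t nslots;     /* slots actually allocated */
	size_t max_pages;  /* swap offsets the map must cover */
};

/* Allocate ceil(max_pages / ID_PER_SC) slots, as a swapon for this map
 * would; every offset below max_pages then has a 16-bit home. */
static int sc_map_init(struct sc_map *m, size_t max_pages)
{
	m->max_pages = max_pages;
	m->nslots = (max_pages + ID_PER_SC - 1) / ID_PER_SC;
	m->slots = calloc(m->nslots, sizeof(sc_slot_t));
	return m->slots ? 0 : -1;
}

static void sc_map_free(struct sc_map *m)
{
	free(m->slots);
	m->slots = NULL;
}

/* Layout-aware read: pick the slot by offset / ID_PER_SC, then the half. */
static uint16_t packed_lookup(const struct sc_map *m, size_t offset)
{
	unsigned shift = (unsigned)(offset % ID_PER_SC) * ID_SHIFT;

	return (uint16_t)((m->slots[offset / ID_PER_SC] >> shift) & ID_MASK);
}

/* Layout-aware exchange: replace one half, return the id it held. */
static uint16_t packed_xchg(struct sc_map *m, size_t offset, uint16_t id)
{
	unsigned shift = (unsigned)(offset % ID_PER_SC) * ID_SHIFT;
	sc_slot_t *slot = &m->slots[offset / ID_PER_SC];
	uint16_t old = (uint16_t)((*slot >> shift) & ID_MASK);

	*slot = (*slot & ~(ID_MASK << shift)) | ((sc_slot_t)id << shift);
	return old;
}

/* The indexing the first patch used: sc[offset], one slot per offset, with
 * the 32-bit value truncated to 16 bits. Returns -1 instead of reading
 * past the array, which is where KASAN reported the out-of-bounds read;
 * for in-range odd offsets it silently reads the wrong slot. */
static int naive_lookup(const struct sc_map *m, size_t offset)
{
	if (offset >= m->nslots)
		return -1;
	return (uint16_t)m->slots[offset];
}

/* Hypothetical model of check-before-record: 1 = already holds id (skip),
 * 0 = recorded, -1 = holds a different non-zero id, the case that a record
 * asserting an unused slot would still trip on. */
static int record_checked(struct sc_map *m, size_t offset, uint16_t id)
{
	uint16_t old = packed_lookup(m, offset);

	if (old == id)
		return 1;
	if (old != 0)
		return -1;
	packed_xchg(m, offset, id);
	return 0;
}

int main(void)
{
	struct sc_map m;

	if (sc_map_init(&m, 8))  /* 8 swap offsets -> 4 packed slots */
		return 1;
	packed_xchg(&m, 5, 7);
	printf("offset 5: packed=%u naive=%d (slots=%zu)\n",
	       packed_lookup(&m, 5), naive_lookup(&m, 5), m.nslots);
	sc_map_free(&m);
	return 0;
}
```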

syzbot

Jan 9, 2026, 9:17:36 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] mm/swap_cgroup: fix kernel BUG in swap_cgroup_record
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

When using MADV_PAGEOUT, pages can remain in swapcache with their swap
entries assigned. If MADV_PAGEOUT is called again on these pages, they
reuse the same swap entries, causing memcg1_swapout() to call
swap_cgroup_record() with an already-recorded entry.

The existing code assumes swap entries are always being recorded for the
first time (oldid == 0), triggering VM_BUG_ON when it encounters an
already-recorded entry:

------------[ cut here ]------------
kernel BUG at mm/swap_cgroup.c:78!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6176 Comm: syz.0.30 Not tainted
RIP: 0010:swap_cgroup_record+0x19c/0x1c0 mm/swap_cgroup.c:78
Call Trace:
memcg1_swapout+0x2fa/0x830 mm/memcontrol-v1.c:623
__remove_mapping+0xac5/0xe30 mm/vmscan.c:773
shrink_folio_list+0x2786/0x4f40 mm/vmscan.c:1528
reclaim_folio_list+0xeb/0x4e0 mm/vmscan.c:2208
reclaim_pages+0x454/0x520 mm/vmscan.c:2245
madvise_cold_or_pageout_pte_range+0x19a0/0x1ce0 mm/madvise.c:563
...
do_madvise+0x1bc/0x270 mm/madvise.c:2030
__do_sys_madvise mm/madvise.c:2039

This bug occurs because pages in swapcache can be targeted by
MADV_PAGEOUT multiple times without being swapped in between. Each time,
the same swap entry is reused, but swap_cgroup_record() expects to only
record new, unused entries.

Fix this by checking if the swap entry already has the correct cgroup ID
recorded before attempting to record it. Use the existing
lookup_swap_cgroup_id() to read the current cgroup ID, and return early
from memcg1_swapout() if the entry is already correctly recorded. Only
call swap_cgroup_record() when the entry needs to be set or updated.

This approach avoids unnecessary atomic operations, reference count
manipulations, and statistics updates when the entry is already correct.

Link: https://syzkaller.appspot.com/bug?extid=d97580a8cceb9b03c13e
Reported-by: syzbot+d97580...@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
mm/memcontrol-v1.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c
index 56d27baf93ab..982cfe5af225 100644
--- a/mm/memcontrol-v1.c
+++ b/mm/memcontrol-v1.c
@@ -614,6 +614,7 @@ void memcg1_swapout(struct folio *folio, swp_entry_t entry)
{
struct mem_cgroup *memcg, *swap_memcg;
unsigned int nr_entries;
+ unsigned short oldid;

VM_BUG_ON_FOLIO(folio_test_lru(folio), folio);
VM_BUG_ON_FOLIO(folio_ref_count(folio), folio);
@@ -630,6 +631,16 @@ void memcg1_swapout(struct folio *folio, swp_entry_t entry)
if (!memcg)
return;

+ /*
+ * Check if this swap entry is already recorded. This can happen
+ * when MADV_PAGEOUT is called multiple times on pages that remain
+ * in swapcache, reusing the same swap entries.
+ */
+ oldid = lookup_swap_cgroup_id(entry);
+ if (oldid == mem_cgroup_id(memcg))
+ return;
+ VM_WARN_ON_ONCE(oldid != 0);
+
/*
* In case the memcg owning these pages has been offlined and doesn't
* have an ID allocated to it anymore, charge the closest online
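Review bot: `lookup_swap_cgroup_id(entry)` inspects only the first swap entry, while memcg1_swapout() handles `nr_entries` entries of the folio (declared just above), so a large folio whose first entry is unrecorded but whose later entries are recorded would pass this check and still reach the `VM_BUG_ON` in swap_cgroup_record(); either check the whole range or state why one folio's entries are always recorded together. The early `return` also skips everything below it, including the offlined-memcg handling described in the following comment, so the commit message should justify that no charge transfer or statistics update is needed on the repeated call rather than only calling it unnecessary work. As in v1, the `VM_WARN_ON_ONCE(oldid != 0)` still falls through to swap_cgroup_record() on a mismatching non-zero id.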
--
2.43.0

syzbot

Jan 9, 2026, 10:10:04 PM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

SYZFAIL: failed to recv rpc

SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)




syzkaller build log:
go env (err=<nil>)

git status (err=<nil>)
HEAD detached at d6526ea3e
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d6526ea3e6ad9081c902859bbb80f9f840377cb4\"
/usr/bin/ld: /tmp/ccTDVhZE.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit: f417b7ff Add linux-next specific files for 20260109
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=9abcd50d16f3c8b5
dashboard link: https://syzkaller.appspot.com/bug?extid=d97580a8cceb9b03c13e
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1786619a580000

syzbot
Jan 9, 2026, 11:04:29 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] mm/swap_cgroup: fix kernel BUG in swap_cgroup_record
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

When using MADV_PAGEOUT, pages can remain in swapcache with their swap
entries assigned. If MADV_PAGEOUT is called again on these pages, they
reuse the same swap entries, causing memcg1_swapout() to call
swap_cgroup_record() with an already-recorded entry.

The existing code assumes swap entries are always being recorded for the
first time (oldid == 0), triggering VM_BUG_ON when it encounters an
already-recorded entry:

------------[ cut here ]------------
kernel BUG at mm/swap_cgroup.c:78!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6176 Comm: syz.0.30 Not tainted
RIP: 0010:swap_cgroup_record+0x19c/0x1c0 mm/swap_cgroup.c:78
Call Trace:
memcg1_swapout+0x2fa/0x830 mm/memcontrol-v1.c:623
__remove_mapping+0xac5/0xe30 mm/vmscan.c:773
shrink_folio_list+0x2786/0x4f40 mm/vmscan.c:1528
reclaim_folio_list+0xeb/0x4e0 mm/vmscan.c:2208
reclaim_pages+0x454/0x520 mm/vmscan.c:2245
madvise_cold_or_pageout_pte_range+0x19a0/0x1ce0 mm/madvise.c:563
...
do_madvise+0x1bc/0x270 mm/madvise.c:2030
__do_sys_madvise mm/madvise.c:2039
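A user-space model of the invariant the commit message describes, added here as an example and not part of the patch or of mm/swap_cgroup.c: the per-entry id map is modelled as 16-bit ids packed into 32-bit atomics, the record path returns whether the previous id was 0 (the condition the kernel enforces with VM_BUG_ON), and the two sequences show the normal record/clear/record lifecycle beside the repeated MADV_PAGEOUT case in which the entry is recorded again without a clear. All names prefixed `model_`/`record_`, the map size and the constructed entry and memcg ids are assumptions of this example.

```c
#include <stdatomic.h>
#include <stdint.h>
#define NR_ENTRIES 8
#define ID_PER_SC  2   /* two 16-bit ids packed into each 32-bit word */
/* Constructed id map: one packed word per ID_PER_SC swap entries. */
static _Atomic uint32_t sc_map[NR_ENTRIES / ID_PER_SC];

/* Swap the id stored for slot off and return the previous one (a model of
 * the CAS loop in __swap_cgroup_id_xchg, not the kernel's code). */
static uint16_t model_id_xchg(uint32_t off, uint16_t id)
{
	_Atomic uint32_t *word = &sc_map[off / ID_PER_SC];
	unsigned shift = (off % ID_PER_SC) * 16;
	uint32_t old = atomic_load(word), val;
	do {
		val = (old & ~(0xffffu << shift)) | ((uint32_t)id << shift);
	} while (!atomic_compare_exchange_weak(word, &old, val));
	return (uint16_t)(old >> shift);
}

/* Model of swap_cgroup_record(): the kernel does VM_BUG_ON(old) after the
 * exchange. Here the same invariant is returned as 1 (held) or 0 (old was
 * already set, the state that crashes in the report). */
static int model_record(uint32_t off, uint16_t id)
{
	return model_id_xchg(off, id) == 0;
}

/* Model of swap_cgroup_clear(): the entry goes back to unrecorded. */
static void model_clear(uint32_t off) { model_id_xchg(off, 0); }

/* Normal lifecycle: the entry is cleared before being recorded again, so the
 * second record still sees old == 0. Returns 1 if the invariant held. */
int record_clear_record(void)
{
	model_record(1, 7);
	model_clear(1);
	return model_record(1, 7);
}

/* The report's sequence: after the first MADV_PAGEOUT the folio stays in
 * the swap cache with its entry, so the second pageout records the same
 * entry with no clear in between. Returns 0: the invariant is violated. */
int record_record_no_clear(void)
{
	model_record(3, 7);          /* first pageout: old == 0 */
	return model_record(3, 7);   /* second pageout: old == 7 */
}
```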

syzbot
1:40 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d97580...@syzkaller.appspotmail.com
Tested-by: syzbot+d97580...@syzkaller.appspotmail.com

Tested on:

commit: f417b7ff Add linux-next specific files for 20260109
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=179249fc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9abcd50d16f3c8b5
dashboard link: https://syzkaller.appspot.com/bug?extid=d97580a8cceb9b03c13e
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=107a3f92580000

Note: testing is done by a robot and is best-effort only.