[syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2)
0 views
Skip to first unread message
syzbot
2:24 AM (15 hours ago) 2:24 AM
to ak...@linux-foundation.org, cgr...@vger.kernel.org, han...@cmpxchg.org, linux-...@vger.kernel.org, linu...@kvack.org, mho...@kernel.org, muchu...@linux.dev, roman.g...@linux.dev, shakee...@linux.dev, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 18f7fcd5e69a Linux 6.19-rc8
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1428fc5a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2c19d9acc149/disk-18f7fcd5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/02cf07c94e58/vmlinux-18f7fcd5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84011cec9819/bzImage-18f7fcd5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e12bd9...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
Read of size 4 at addr 0007fffffffffffc by task syz.5.3598/20029
CPU: 1 UID: 0 PID: 20029 Comm: syz.5.3598 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:186 [inline]
kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
__swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
swap_pte_batch+0x3c3/0x720 mm/internal.h:390
zap_nonpresent_ptes mm/memory.c:1749 [inline]
do_zap_pte_range mm/memory.c:1818 [inline]
zap_pte_range mm/memory.c:1858 [inline]
zap_pmd_range mm/memory.c:1950 [inline]
zap_pud_range mm/memory.c:1978 [inline]
zap_p4d_range mm/memory.c:1999 [inline]
unmap_page_range+0x1f6f/0x43e0 mm/memory.c:2020
unmap_single_vma+0x153/0x240 mm/memory.c:2062
unmap_vmas+0x218/0x470 mm/memory.c:2104
exit_mmap+0x181/0xae0 mm/mmap.c:1277
__mmput+0x12a/0x410 kernel/fork.c:1173
mmput+0x67/0x80 kernel/fork.c:1196
exit_mm kernel/exit.c:581 [inline]
do_exit+0x78a/0x2a30 kernel/exit.c:959
do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2f8f19aeb9
Code: Unable to access opcode bytes at 0x7f2f8f19ae8f.
RSP: 002b:00007f2f900350e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f2f8f416098 RCX: 00007f2f8f19aeb9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2f8f416098
RBP: 00007f2f8f416090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2f8f416128 R14: 00007ffc0c8cc050 R15: 00007ffc0c8cc138
</TASK>
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 18f7fcd5e69a Linux 6.19-rc8
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1428fc5a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2c19d9acc149/disk-18f7fcd5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/02cf07c94e58/vmlinux-18f7fcd5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84011cec9819/bzImage-18f7fcd5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e12bd9...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
Read of size 4 at addr 0007fffffffffffc by task syz.5.3598/20029
CPU: 1 UID: 0 PID: 20029 Comm: syz.5.3598 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:186 [inline]
kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
__swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
swap_pte_batch+0x3c3/0x720 mm/internal.h:390
zap_nonpresent_ptes mm/memory.c:1749 [inline]
do_zap_pte_range mm/memory.c:1818 [inline]
zap_pte_range mm/memory.c:1858 [inline]
zap_pmd_range mm/memory.c:1950 [inline]
zap_pud_range mm/memory.c:1978 [inline]
zap_p4d_range mm/memory.c:1999 [inline]
unmap_page_range+0x1f6f/0x43e0 mm/memory.c:2020
unmap_single_vma+0x153/0x240 mm/memory.c:2062
unmap_vmas+0x218/0x470 mm/memory.c:2104
exit_mmap+0x181/0xae0 mm/mmap.c:1277
__mmput+0x12a/0x410 kernel/fork.c:1173
mmput+0x67/0x80 kernel/fork.c:1196
exit_mm kernel/exit.c:581 [inline]
do_exit+0x78a/0x2a30 kernel/exit.c:959
do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2f8f19aeb9
Code: Unable to access opcode bytes at 0x7f2f8f19ae8f.
RSP: 002b:00007f2f900350e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f2f8f416098 RCX: 00007f2f8f19aeb9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2f8f416098
RBP: 00007f2f8f416090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2f8f416128 R14: 00007ffc0c8cc050 R15: 00007ffc0c8cc138
</TASK>
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Dmitry Vyukov
2:31 AM (15 hours ago) 2:31 AM
to syzbot, ak...@linux-foundation.org, cgr...@vger.kernel.org, han...@cmpxchg.org, linux-...@vger.kernel.org, linu...@kvack.org, mho...@kernel.org, muchu...@linux.dev, roman.g...@linux.dev, shakee...@linux.dev, syzkall...@googlegroups.com
https://lore.kernel.org/all/67d04360.050a022...@google.com/T/
and now 2 more times.
All reports look similar: exit_mm -> zap_p4d_range
And all access addresses look the same: top 13 bits are zeros, then
some garbage (0007fffffffffffc).
I am pretty sure it's telling us something, some kind of tricky race,
rather than a previous corruption. Swp entry is somehow invalid?
Shakeel Butt
12:30 PM (5 hours ago) 12:30 PM
to Dmitry Vyukov, syzbot, ak...@linux-foundation.org, cgr...@vger.kernel.org, han...@cmpxchg.org, linux-...@vger.kernel.org, linu...@kvack.org, mho...@kernel.org, muchu...@linux.dev, roman.g...@linux.dev, syzkall...@googlegroups.com, kas...@tencent.com
+Kairui
Thanks for the report. It would be good to have a reproducer. I will dig
deeper later but good to have eyes from Kairui who has recent changes
in the area.
deeper later but good to have eyes from Kairui who has recent changes
in the area.
Reply all
Reply to author
Forward
0 new messages