[syzbot] [cgroups?] [mm?] WARNING in memcg1_swapout


syzbot

Jan 17, 2026, 4:30:28 AM
to ak...@linux-foundation.org, cgr...@vger.kernel.org, han...@cmpxchg.org, linux-...@vger.kernel.org, linu...@kvack.org, mho...@kernel.org, muchu...@linux.dev, roman.g...@linux.dev, shakee...@linux.dev, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 0f853ca2a798 Add linux-next specific files for 20260113
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14f7259a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d6e5303d96e21b5
dashboard link: https://syzkaller.appspot.com/bug?extid=079a3b213add54dd18a7
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167ef922580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d295fa580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/480cd223f3f6/disk-0f853ca2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1ca2f0dbb7cc/vmlinux-0f853ca2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/60a0fef5805b/bzImage-0f853ca2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+079a3b...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: mm/memcontrol-v1.c:642 at memcg1_swapout+0x6c2/0x8d0 mm/memcontrol-v1.c:642, CPU#0: syz.4.233/6746
Modules linked in:
CPU: 0 UID: 0 PID: 6746 Comm: syz.4.233 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:memcg1_swapout+0x6c2/0x8d0 mm/memcontrol-v1.c:642
Code: 6d 5d 0d 00 0f 85 01 fa ff ff 48 89 df 48 c7 c6 a0 c3 98 8b e8 bf 8c f8 fe c6 05 77 6d 5d 0d 01 90 0f 0b 90 e9 e2 f9 ff ff 90 <0f> 0b 90 e9 eb fb ff ff 90 0f 0b 90 41 80 3c 2e 00 0f 85 d5 fe ff
RSP: 0018:ffffc9000bbae718 EFLAGS: 00010002
RAX: 0000000000000004 RBX: ffffea00017e9100 RCX: ffff888021f5c150
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffc9000b59b404
RBP: dffffc0000000000 R08: ffffc9000b59b407 R09: 1ffff920016b3680
R10: dffffc0000000000 R11: fffff520016b3681 R12: ffffea00017e9108
R13: 1ffffd40002fd220 R14: 1ffffd40002fd221 R15: ffff88805398b178
FS: 00007fdd6c81a6c0(0000) GS:ffff888125bf7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000020000009a000 CR3: 0000000075930000 CR4: 00000000003526f0
Call Trace:
<TASK>
__remove_mapping+0xac5/0xe30 mm/vmscan.c:764
shrink_folio_list+0x28d8/0x5320 mm/vmscan.c:1542
reclaim_folio_list+0xeb/0x4e0 mm/vmscan.c:2222
reclaim_pages+0x454/0x520 mm/vmscan.c:2259
madvise_cold_or_pageout_pte_range+0x19a0/0x1ce0 mm/madvise.c:563
walk_pmd_range mm/pagewalk.c:130 [inline]
walk_pud_range mm/pagewalk.c:224 [inline]
walk_p4d_range mm/pagewalk.c:262 [inline]
walk_pgd_range+0x1037/0x1d30 mm/pagewalk.c:303
__walk_page_range+0x14c/0x710 mm/pagewalk.c:410
walk_page_range_vma_unsafe+0x34c/0x400 mm/pagewalk.c:714
madvise_pageout_page_range mm/madvise.c:622 [inline]
madvise_pageout mm/madvise.c:647 [inline]
madvise_vma_behavior+0x30c7/0x4420 mm/madvise.c:1366
madvise_walk_vmas+0x575/0xaf0 mm/madvise.c:1721
madvise_do_behavior+0x38e/0x550 mm/madvise.c:1937
do_madvise+0x1bc/0x270 mm/madvise.c:2030
__do_sys_madvise mm/madvise.c:2039 [inline]
__se_sys_madvise mm/madvise.c:2037 [inline]
__x64_sys_madvise+0xa7/0xc0 mm/madvise.c:2037
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdd6b98f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdd6c81a038 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fdd6bbe5fa0 RCX: 00007fdd6b98f749
RDX: 0000000000000015 RSI: 0000000000600000 RDI: 0000200000000000
RBP: 00007fdd6ba13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fdd6bbe6038 R14: 00007fdd6bbe5fa0 R15: 00007ffcd3996008
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Andrew Morton

Jan 17, 2026, 7:57:26 PM
to syzbot, cgr...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, mho...@kernel.org, roman.g...@linux.dev, shakee...@linux.dev, syzkall...@googlegroups.com, Johannes Weiner, Muchun Song, Deepanshu Kartikey, Minchan Kim
On Sat, 17 Jan 2026 01:30:25 -0800 syzbot <syzbot+079a3b...@syzkaller.appspotmail.com> wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0f853ca2a798 Add linux-next specific files for 20260113
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=14f7259a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8d6e5303d96e21b5
> dashboard link: https://syzkaller.appspot.com/bug?extid=079a3b213add54dd18a7
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167ef922580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d295fa580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/480cd223f3f6/disk-0f853ca2.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/1ca2f0dbb7cc/vmlinux-0f853ca2.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/60a0fef5805b/bzImage-0f853ca2.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+079a3b...@syzkaller.appspotmail.com

Thanks.

> ------------[ cut here ]------------
> WARNING: mm/memcontrol-v1.c:642 at memcg1_swapout+0x6c2/0x8d0 mm/memcontrol-v1.c:642, CPU#0: syz.4.233/6746

That's

VM_WARN_ON_ONCE(oldid != 0);

which was added by Deepanshu's "mm/swap_cgroup: fix kernel BUG in
swap_cgroup_record".

This patch has Fixes: 1a4e58cce84e ("mm: introduce MADV_PAGEOUT"),
which is six years old. For some reason it has no cc:stable.

Deepanshu's patch has no reviews.

So can I please do the memcg maintainer summoning dance here? We have a
repeatable BUG happening in mainline Linux.

Deepanshu Kartikey

Jan 17, 2026, 11:21:29 PM
to Andrew Morton, syzbot, cgr...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, mho...@kernel.org, roman.g...@linux.dev, shakee...@linux.dev, syzkall...@googlegroups.com, Johannes Weiner, Muchun Song, Minchan Kim
Hi Andrew,

I checked the git blame output for commit 0f853ca2a798:

Line 763: memcg1_swapout(folio, swap);
Line 764: __swap_cache_del_folio(ci, folio, swap, shadow);
(d7a7b2f91f36b - Kairui Song, 2026-01-13 02:33:36 +0800)

Kairui's reordering patch appears to have been merged on Jan 13.
The syzbot report is also from Jan 13, likely from earlier in the
day before the reordering patch was merged.

So this report is from before the fix. The warning should not appear
in linux-next builds after Jan 13.

Thanks,

Deepanshu

syzbot

12:02 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] mm/vmscan: test build to verify VM_WARN_ON_ONCE fix
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

Test build to verify that VM_WARN_ON_ONCE in memcg1_swapout() no
longer triggers after Kairui Song's reordering patch.

This is a local test commit only and should NOT be submitted upstream.

Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
mm/vmscan.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/mm/vmscan.c b/mm/vmscan.c
index a0e3f51de749..ac8cffddc2ea 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -760,6 +760,7 @@ static int __remove_mapping(struct address_space *mapping, struct folio *folio,

if (reclaimed && !mapping_exiting(mapping))
shadow = workingset_eviction(folio, target_memcg);
+
memcg1_swapout(folio, swap);
__swap_cache_del_folio(ci, folio, swap, shadow);
swap_cluster_unlock_irq(ci);
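
Review bot: The only added line is a blank line between the `shadow = workingset_eviction(folio, target_memcg);` statement and `memcg1_swapout(folio, swap);`, so the patch changes no behaviour and the test result reflects the linux-next tree itself rather than this commit. The syzbot instructions earlier in the thread say a pasted patch is optional for `#syz test:`, so the bare command would exercise the same code without a dummy whitespace commit; if a patch is kept, the commit message should say explicitly that it is whitespace-only. The context lines do show `memcg1_swapout(folio, swap);` ahead of `__swap_cache_del_folio(ci, folio, swap, shadow);`, which is the ordering the test is meant to confirm.
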
--
2.43.0

syzbot

1:39 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+079a3b...@syzkaller.appspotmail.com
Tested-by: syzbot+079a3b...@syzkaller.appspotmail.com

Tested on:

commit: 46fe65a2 Add linux-next specific files for 20260116
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12c08b9a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=810a09a784e5ae02
dashboard link: https://syzkaller.appspot.com/bug?extid=079a3b213add54dd18a7
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=14e933fc580000

Note: testing is done by a robot and is best-effort only.

Deepanshu Kartikey

2:01 AM
to Andrew Morton, syzbot, cgr...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, mho...@kernel.org, roman.g...@linux.dev, shakee...@linux.dev, syzkall...@googlegroups.com, Johannes Weiner, Muchun Song, Minchan Kim
Hi Andrew,

I tested with the latest linux-next in syzbot. It is working fine.

Thanks

Deepanshu