[syzbot] [mm?] general protection fault in lru_gen_test_recent (2)
1 view
Skip to first unread message
syzbot
Dec 7, 2025, 3:55:28 AM (20 hours ago) Dec 7
to ak...@linux-foundation.org, axelra...@google.com, da...@kernel.org, han...@cmpxchg.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, mho...@kernel.org, shakee...@linux.dev, syzkall...@googlegroups.com, wei...@google.com, yua...@google.com, zhengq...@bytedance.com
Hello,
syzbot found the following issue on:
HEAD commit: c06c303832ec ocfs2: fix xattr array entry __counted_by error
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14cbfc1a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5aef7d5187304591
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127f2992580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cf4eb4580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c06c3038.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1a5115eeda38/vmlinux-c06c3038.xz
kernel image: https://storage.googleapis.com/syzbot-assets/98eb17e54bb8/bzImage-c06c3038.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e008db...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 2 UID: 0 PID: 6121 Comm: syz.0.27 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Code: 38 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 2a 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc90003e17828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888100068000 RCX: ffffc90003e1772c
RDX: 00000000000009c0 RSI: ffffffff82096446 RDI: 0000000000004e00
RBP: ffffc90003e178c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888028282ff0 R12: ffffc90003e178e0
R13: 0000000000000000 R14: ffffc90003e178b0 R15: 0000000000000000
FS: 00007f6361dfa6c0(0000) GS:ffff8880d6b0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000039516000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:296 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:546
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6360f8f7c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6361dfa038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f63611e5fa0 RCX: 00007f6360f8f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f6361013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f63611e6038 R14: 00007f63611e5fa0 R15: 00007ffe36ff8138
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Code: 38 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 2a 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc90003e17828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888100068000 RCX: ffffc90003e1772c
RDX: 00000000000009c0 RSI: ffffffff82096446 RDI: 0000000000004e00
RBP: ffffc90003e178c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888028282ff0 R12: ffffc90003e178e0
R13: 0000000000000000 R14: ffffc90003e178b0 R15: 0000000000000000
FS: 00007f6361dfa6c0(0000) GS:ffff8880d6b0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000039516000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 38 80 b5 ff 48 85 cmp %al,-0x7ab7004b(%rax)
6: db 0f fisttpl (%rdi)
8: 84 79 01 test %bh,0x1(%rcx)
b: 00 00 add %al,(%rax)
d: e8 2a 80 b5 ff call 0xffb5803c
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e a3 01 00 00 jle 0x1dd
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: c06c303832ec ocfs2: fix xattr array entry __counted_by error
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14cbfc1a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5aef7d5187304591
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127f2992580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cf4eb4580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c06c3038.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1a5115eeda38/vmlinux-c06c3038.xz
kernel image: https://storage.googleapis.com/syzbot-assets/98eb17e54bb8/bzImage-c06c3038.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e008db...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 2 UID: 0 PID: 6121 Comm: syz.0.27 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Code: 38 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 2a 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc90003e17828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888100068000 RCX: ffffc90003e1772c
RDX: 00000000000009c0 RSI: ffffffff82096446 RDI: 0000000000004e00
RBP: ffffc90003e178c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888028282ff0 R12: ffffc90003e178e0
R13: 0000000000000000 R14: ffffc90003e178b0 R15: 0000000000000000
FS: 00007f6361dfa6c0(0000) GS:ffff8880d6b0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000039516000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:296 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:546
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6360f8f7c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6361dfa038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f63611e5fa0 RCX: 00007f6360f8f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f6361013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f63611e6038 R14: 00007f63611e5fa0 R15: 00007ffe36ff8138
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Code: 38 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 2a 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc90003e17828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888100068000 RCX: ffffc90003e1772c
RDX: 00000000000009c0 RSI: ffffffff82096446 RDI: 0000000000004e00
RBP: ffffc90003e178c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888028282ff0 R12: ffffc90003e178e0
R13: 0000000000000000 R14: ffffc90003e178b0 R15: 0000000000000000
FS: 00007f6361dfa6c0(0000) GS:ffff8880d6b0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000039516000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 38 80 b5 ff 48 85 cmp %al,-0x7ab7004b(%rax)
6: db 0f fisttpl (%rdi)
8: 84 79 01 test %bh,0x1(%rcx)
b: 00 00 add %al,(%rax)
d: e8 2a 80 b5 ff call 0xffb5803c
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e a3 01 00 00 jle 0x1dd
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Dec 7, 2025, 7:44:51 AM (16 hours ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add NULL check for memcg in lru_gen_test_recent() to prevent crash when
mem_cgroup_from_id() returns NULL.
The crash occurs when a folio's shadow entry contains a memcg_id that
no longer maps to a valid memory cgroup. This can happen when:
1. The memory cgroup has been deleted/freed
2. A folio was created without proper memcg association (e.g., during
procmap_query build ID parsing via freader_get_folio)
3. The memcg_id in the shadow entry is invalid or zero
When lru_gen_test_recent() calls mem_cgroup_from_id(), it may return
NULL. The subsequent call to mem_cgroup_lruvec() with a NULL memcg
triggers a crash because the inline function's code calculates
memcg->nodeinfo offset (0x4e00) before the NULL check can execute,
causing a NULL pointer dereference that KASAN detects.
Although mem_cgroup_lruvec() has a NULL check internally, compiler
inlining and optimization causes the offset calculation to occur
first, making the internal check unreachable.
The fix adds an explicit NULL check after mem_cgroup_from_id() and
falls back to root_mem_cgroup, which is consistent with how
mem_cgroup_lruvec() itself handles NULL pointers.
Reproducer triggers this via:
procfs_procmap_ioctl() -> do_procmap_query() -> __build_id_parse() ->
freader_get_folio() -> filemap_add_folio() -> workingset_refault() ->
lru_gen_refault() -> lru_gen_test_recent()
KASAN report:
general protection fault in mem_cgroup_lruvec
RIP: mem_cgroup_lruvec+0xee/0x320 include/linux/memcontrol.h:720
Call Trace:
lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
Closes: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
mm/workingset.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..8b6332cfb4f0 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,6 +272,8 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ if (!memcg)
+ memcg = root_mem_cgroup;
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
max_seq = READ_ONCE((*lruvec)->lrugen.max_seq);
--
2.43.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add NULL check for memcg in lru_gen_test_recent() to prevent crash when
mem_cgroup_from_id() returns NULL.
The crash occurs when a folio's shadow entry contains a memcg_id that
no longer maps to a valid memory cgroup. This can happen when:
1. The memory cgroup has been deleted/freed
2. A folio was created without proper memcg association (e.g., during
procmap_query build ID parsing via freader_get_folio)
3. The memcg_id in the shadow entry is invalid or zero
When lru_gen_test_recent() calls mem_cgroup_from_id(), it may return
NULL. The subsequent call to mem_cgroup_lruvec() with a NULL memcg
triggers a crash because the inline function's code calculates
memcg->nodeinfo offset (0x4e00) before the NULL check can execute,
causing a NULL pointer dereference that KASAN detects.
Although mem_cgroup_lruvec() has a NULL check internally, compiler
inlining and optimization causes the offset calculation to occur
first, making the internal check unreachable.
The fix adds an explicit NULL check after mem_cgroup_from_id() and
falls back to root_mem_cgroup, which is consistent with how
mem_cgroup_lruvec() itself handles NULL pointers.
Reproducer triggers this via:
procfs_procmap_ioctl() -> do_procmap_query() -> __build_id_parse() ->
freader_get_folio() -> filemap_add_folio() -> workingset_refault() ->
lru_gen_refault() -> lru_gen_test_recent()
KASAN report:
general protection fault in mem_cgroup_lruvec
RIP: mem_cgroup_lruvec+0xee/0x320 include/linux/memcontrol.h:720
Call Trace:
lru_gen_test_recent+0xee/0x320 mm/workingset.c:275
workingset_refault+0x251/0xca0 mm/workingset.c:546
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
Reported-by: syzbot+e008db...@syzkaller.appspotmail.com
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
Closes: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
mm/workingset.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..8b6332cfb4f0 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,6 +272,8 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ if (!memcg)
+ memcg = root_mem_cgroup;
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
max_seq = READ_ONCE((*lruvec)->lrugen.max_seq);
--
2.43.0
syzbot
Dec 7, 2025, 8:10:03 AM (16 hours ago) Dec 7
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 0 UID: 0 PID: 6513 Comm: syz.0.29 Not tainted syzkaller #0 PREEMPT(full)
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc900035f7828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc900035f772c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc900035f78c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802b10aff0 R12: ffffc900035f78e0
R13: 0000000000000000 R14: ffffc900035f78b0 R15: 0000000000000000
FS: 00007f7ae80646c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:298 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:548
RAX: ffffffffffffffda RBX: 00007f7ae73e5fa0 RCX: 00007f7ae718f7c9
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc900035f7828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc900035f772c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc900035f78c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802b10aff0 R12: ffffc900035f78e0
R13: 0000000000000000 R14: ffffc900035f78b0 R15: 0000000000000000
FS: 00007f7ae80646c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
e: 1c 80 sbb $0x80,%al
10: b5 ff mov $0xff,%ch
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f6ceb4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:277
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc900035f7828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc900035f772c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc900035f78c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802b10aff0 R12: ffffc900035f78e0
R13: 0000000000000000 R14: ffffc900035f78b0 R15: 0000000000000000
FS: 00007f7ae80646c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 000000002e141000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:298 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:548
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7ae718f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7ae8064038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f7ae73e5fa0 RCX: 00007f7ae718f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f7ae7213f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7ae73e6038 R14: 00007f7ae73e5fa0 R15: 00007ffdab92bc98
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:277
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc900035f7828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc900035f772c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc900035f78c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802b10aff0 R12: ffffc900035f78e0
R13: 0000000000000000 R14: ffffc900035f78b0 R15: 0000000000000000
FS: 00007f7ae80646c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 000000002e141000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 2a 80 b5 ff 48 85 sub -0x7ab7004b(%rax),%al
Code disassembly (best guess):
6: db 0f fisttpl (%rdi)
8: 84 a9 01 00 00 e8 test %ch,-0x17ffffff(%rcx)
e: 1c 80 sbb $0x80,%al
10: b5 ff mov $0xff,%ch
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e d3 01 00 00 jle 0x20d
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
Tested on:
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f6ceb4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1336a992580000
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Dec 7, 2025, 9:35:43 AM (14 hours ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add NULL check for memcg in lru_gen_test_recent() to prevent crash when
mem_cgroup_from_id() returns NULL.
The crash occurs when a folio's shadow entry contains a memcg_id that
no longer maps to a valid memory cgroup. This can happen when:
1. The memory cgroup has been deleted/freed
2. A folio was created without proper memcg association (e.g., during
procmap_query build ID parsing via freader_get_folio)
3. The memcg_id in the shadow entry is invalid or zero
When lru_gen_test_recent() calls mem_cgroup_from_id(), it may return
NULL. The subsequent call to mem_cgroup_lruvec() with NULL memcg
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Add NULL check for memcg in lru_gen_test_recent() to prevent crash when
mem_cgroup_from_id() returns NULL.
The crash occurs when a folio's shadow entry contains a memcg_id that
no longer maps to a valid memory cgroup. This can happen when:
1. The memory cgroup has been deleted/freed
2. A folio was created without proper memcg association (e.g., during
procmap_query build ID parsing via freader_get_folio)
3. The memcg_id in the shadow entry is invalid or zero
When lru_gen_test_recent() calls mem_cgroup_from_id(), it may return
triggers a crash.
Although mem_cgroup_lruvec() has an internal NULL check, the crash
occurs before reaching it due to compiler optimization. Since
mem_cgroup_lruvec() is an inline function, the compiler calculates
the offset memcg->nodeinfo (0x4e00) before the function's NULL check
can execute, causing a NULL pointer dereference.
Fix this by introducing an effective_memcg variable that is explicitly
set to root_mem_cgroup when memcg is NULL. This approach forces the
compiler to use a separate register/memory location, preventing the
premature offset calculation that caused the crash with a simple
in-place NULL check.
Reported-by: syzbot+e008db...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
mm/workingset.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..dad8b16af105 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -266,13 +266,14 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
{
int memcg_id;
unsigned long max_seq;
- struct mem_cgroup *memcg;
+ struct mem_cgroup *memcg, *effective_memcg;
struct pglist_data *pgdat;
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ effective_memcg = memcg ? : root_mem_cgroup;
+ *lruvec = mem_cgroup_lruvec(effective_memcg, pgdat);
max_seq = READ_ONCE((*lruvec)->lrugen.max_seq);
max_seq &= EVICTION_MASK >> LRU_REFS_WIDTH;
--
2.43.0
syzbot
Dec 7, 2025, 9:50:04 AM (14 hours ago) Dec 7
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 3 UID: 0 PID: 6430 Comm: syz.0.26 Not tainted syzkaller #0 PREEMPT(full)
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:276
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc9000325f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801cac8000 RCX: ffffc9000325f72c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc9000325f8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802ed4d4b0 R12: ffffc9000325f8e0
R13: 0000000000000000 R14: ffffc9000325f8b0 R15: 0000000000000000
FS: 00007f03a13f86c0(0000) GS:ffff8880d6c09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ec36aadde8 CR3: 0000000055323000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:297 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:547
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f03a058f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f03a13f8038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f03a07e5fa0 RCX: 00007f03a058f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f03a0613f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f03a07e6038 R14: 00007f03a07e5fa0 R15: 00007ffc40446548
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:276
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: 2a 80 b5 ff 48 85 db 0f 84 a9 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc9000325f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801cac8000 RCX: ffffc9000325f72c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc9000325f8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802ed4d4b0 R12: ffffc9000325f8e0
R13: 0000000000000000 R14: ffffc9000325f8b0 R15: 0000000000000000
FS: 00007f03a13f86c0(0000) GS:ffff8880d6c09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ec36aadde8 CR3: 0000000055323000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 2a 80 b5 ff 48 85 sub -0x7ab7004b(%rax),%al
6: db 0f fisttpl (%rdi)
8: 84 a9 01 00 00 e8 test %ch,-0x17ffffff(%rcx)
e: 1c 80 sbb $0x80,%al
10: b5 ff mov $0xff,%ch
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e d3 01 00 00 jle 0x20d
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
Tested on:
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16d4f21a580000
Code disassembly (best guess):
0: 2a 80 b5 ff 48 85 sub -0x7ab7004b(%rax),%al
6: db 0f fisttpl (%rdi)
8: 84 a9 01 00 00 e8 test %ch,-0x17ffffff(%rcx)
e: 1c 80 sbb $0x80,%al
10: b5 ff mov $0xff,%ch
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e d3 01 00 00 jle 0x20d
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
Tested on:
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1145a992580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Dec 7, 2025, 10:05:22 AM (14 hours ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..847580173fb0 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,8 +272,15 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ pr_warn("DEBUG: memcg_id=%d memcg=%p root_mem_cgroup=%p\n",memcg_id, memcg, root_mem_cgroup);
memcg = mem_cgroup_from_id(memcg_id);
+ if (!memcg) {
+ pr_warn("DEBUG: memcg is NULL, using root_mem_cgroup\n");
+ memcg = root_mem_cgroup;
+ pr_warn("DEBUG: after assignment memcg=%p\n", memcg);
+ }
+ pr_warn("DEBUG: about to call mem_cgroup_lruvec with memcg=%p\n", memcg);
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
-
+ pr_warn("DEBUG: mem_cgroup_lruvec returned successfully\n");
syzbot
Dec 7, 2025, 10:22:06 AM (14 hours ago) Dec 7
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
DEBUG: memcg_id=0 memcg=0000000000000000 root_mem_cgroup=ffff88801cac8000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
DEBUG: memcg is NULL, using root_mem_cgroup
DEBUG: after assignment memcg=ffff88801cac8000
DEBUG: about to call mem_cgroup_lruvec with memcg=ffff88801cac8000
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 0 UID: 0 PID: 6414 Comm: syz.0.20 Not tainted syzkaller #0 PREEMPT(full)
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0x14a/0x420 mm/workingset.c:282
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: dc 7f b5 ff 48 85 db 0f 84 a4 01 00 00 e8 ce 7f b5 ff 49 8d be 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 10 02 00 00 4d 63 ae 00 4e 00
RSP: 0018:ffffc9000177f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801cac8000 RCX: ffffffff819c8d55
RDX: 00000000000009c0 RSI: ffffffff820964a2 RDI: 0000000000004e00
RBP: ffffc9000177f8c0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: ffff888026ad8b30 R12: ffffc9000177f8e0
R13: ffffffff90882820 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fb55eb846c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000022e91000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:303 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:553
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb55dd8f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb55eb84038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb55dfe5fa0 RCX: 00007fb55dd8f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007fb55de13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb55dfe6038 R14: 00007fb55dfe5fa0 R15: 00007ffd3962a3c8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0x14a/0x420 mm/workingset.c:282
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Code: dc 7f b5 ff 48 85 db 0f 84 a4 01 00 00 e8 ce 7f b5 ff 49 8d be 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 10 02 00 00 4d 63 ae 00 4e 00
RSP: 0018:ffffc9000177f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801cac8000 RCX: ffffffff819c8d55
RDX: 00000000000009c0 RSI: ffffffff820964a2 RDI: 0000000000004e00
RBP: ffffc9000177f8c0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: ffff888026ad8b30 R12: ffffc9000177f8e0
R13: ffffffff90882820 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fb55eb846c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000022e91000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: dc 7f b5 fdivrl -0x4b(%rdi)
Code disassembly (best guess):
3: ff 48 85 decl -0x7b(%rax)
6: db 0f fisttpl (%rdi)
8: 84 a4 01 00 00 e8 ce test %ah,-0x31180000(%rcx,%rax,1)
f: 7f b5 jg 0xffffffc6
11: ff 49 8d decl -0x73(%rcx)
14: be 00 4e 00 00 mov $0x4e00,%esi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e 10 02 00 00 jle 0x24a
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
3a: 4d rex.WRB
3b: 63 .byte 0x63
3c: ae scas %es:(%rdi),%al
3b: 63 .byte 0x63
3d: 00 4e 00 add %cl,0x0(%rsi)
Tested on:
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14f5a992580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Dec 7, 2025, 10:31:08 AM (14 hours ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
Fixes: ac35a4902374 ("mm: multi-gen LRU: minimal implementation")
mm/workingset.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/workingset.c b/mm/workingset.c
1 file changed, 2 insertions(+)
index e9f05634747a..8166793b38dc 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,6 +272,8 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ if (unlikely(!memcg))
memcg = mem_cgroup_from_id(memcg_id);
+ WRITE_ONCE(memcg, root_mem_cgroup);
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
max_seq = READ_ONCE((*lruvec)->lrugen.max_seq);
--
2.43.0
syzbot
Dec 7, 2025, 10:38:17 AM (13 hours ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..4fa33b57f0ca 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,7 +272,11 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
memcg = mem_cgroup_from_id(memcg_id);
- *lruvec = mem_cgroup_lruvec(memcg, pgdat);
+ if(unlikely(!memcg)) {
+ *lruvec = &pgdat->__lruvec;
+ } else {
+ *lruvec = mem_cgroup_lruvec(memcg, pgdat);
+ }
syzbot
Dec 7, 2025, 10:45:03 AM (13 hours ago) Dec 7
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc00000009c0: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
CPU: 0 UID: 0 PID: 6460 Comm: syz.0.36 Not tainted syzkaller #0 PREEMPT(full)
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:277
Code: 2a 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc9000313f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc9000313f72c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc9000313f8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff8880280f0b30 R12: ffffc9000313f8e0
R13: 0000000000000000 R14: ffffc9000313f8b0 R15: 0000000000000000
FS: 00007fb06f8496c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000057f81000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:298 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:548
workingset_refault+0x251/0xca0 mm/workingset.c:548
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb06e98f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb06f849038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb06ebe5fa0 RCX: 00007fb06e98f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007fb06ea13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb06ebe6038 R14: 00007fb06ebe5fa0 R15: 00007ffd239d7168
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mem_cgroup_lruvec include/linux/memcontrol.h:720 [inline]
RIP: 0010:lru_gen_test_recent+0xfc/0x370 mm/workingset.c:277
Code: 2a 80 b5 ff 48 85 db 0f 84 79 01 00 00 e8 1c 80 b5 ff 49 8d bd 00 4e 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d3 01 00 00 4d 63 b5 00 4e 00
RSP: 0018:ffffc9000313f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88801d688000 RCX: ffffc9000313f72c
RDX: 00000000000009c0 RSI: ffffffff82096454 RDI: 0000000000004e00
RBP: ffffc9000313f8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff8880280f0b30 R12: ffffc9000313f8e0
R13: 0000000000000000 R14: ffffc9000313f8b0 R15: 0000000000000000
FS: 00007fb06f8496c0(0000) GS:ffff8880d6a09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb06e973460 CR3: 0000000057f81000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
Code disassembly (best guess):
0: 2a 80 b5 ff 48 85 sub -0x7ab7004b(%rax),%al
6: db 0f fisttpl (%rdi)
8: 84 79 01 test %bh,0x1(%rcx)
b: 00 00 add %al,(%rax)
d: e8 1c 80 b5 ff call 0xffb5802e
b: 00 00 add %al,(%rax)
12: 49 8d bd 00 4e 00 00 lea 0x4e00(%r13),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e d3 01 00 00 jle 0x20d
3a: 4d rex.WRB
3b: 63 .byte 0x63
3b: 63 .byte 0x63
3c: b5 00 mov $0x0,%ch
3e: 4e rex.WRX
Tested on:
commit: 9e906a9d Merge tag 'perf-tools-for-v6.19-2025-12-06' o..
3e: 4e rex.WRX
Tested on:
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1601521a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1202f21a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Dec 7, 2025, 11:00:08 AM (13 hours ago) Dec 7
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000a4f: 0000 [#1] SMP KASAN NOPTI
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lru_gen_test_recent
KASAN: probably user-memory-access in range [0x0000000000005278-0x000000000000527f]
CPU: 2 UID: 0 PID: 6563 Comm: syz.0.66 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:lru_gen_test_recent+0x1a4/0x2f0 mm/workingset.c:281
Code: 48 c1 ea 03 80 3c 02 00 0f 85 17 01 00 00 48 8d bb c0 00 00 00 49 89 1c 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 01 00 00 48 8b 9b c0 00 00 00 48 89 ea 48 b8
RSP: 0018:ffffc900027ef828 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 00000000000051b8 RCX: ffffc900027ef72c
RDX: 0000000000000a4f RSI: ffffffff820964dd RDI: 0000000000005278
RBP: ffffc900027ef8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802c77aff0 R12: ffffc900027ef8e0
R13: 0000000000000000 R14: ffffc900027ef8b0 R15: 0000000000000000
FS: 00007ff4529496c0(0000) GS:ffff8880d6b09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000409000000 CR3: 0000000055b8f000 CR4: 0000000000352ef0
Call Trace:
<TASK>
lru_gen_refault mm/workingset.c:300 [inline]
workingset_refault+0x251/0xca0 mm/workingset.c:550
filemap_add_folio+0x23d/0x610 mm/filemap.c:981
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff451b8f7c9
do_read_cache_folio+0x23c/0x5c0 mm/filemap.c:4063
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff452949038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff451de5fa0 RCX: 00007ff451b8f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007ff451c13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ff451de6038 R14: 00007ff451de5fa0 R15: 00007ffda7f04458
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lru_gen_test_recent+0x1a4/0x2f0 mm/workingset.c:281
Modules linked in:
---[ end trace 0000000000000000 ]---
Code: 48 c1 ea 03 80 3c 02 00 0f 85 17 01 00 00 48 8d bb c0 00 00 00 49 89 1c 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 01 00 00 48 8b 9b c0 00 00 00 48 89 ea 48 b8
RSP: 0018:ffffc900027ef828 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 00000000000051b8 RCX: ffffc900027ef72c
RDX: 0000000000000a4f RSI: ffffffff820964dd RDI: 0000000000005278
RBP: ffffc900027ef8c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88802c77aff0 R12: ffffc900027ef8e0
R13: 0000000000000000 R14: ffffc900027ef8b0 R15: 0000000000000000
FS: 00007ff4529496c0(0000) GS:ffff8880d6a09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff451b73460 CR3: 0000000055b8f000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 48 c1 ea 03 shr $0x3,%rdx
Code disassembly (best guess):
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 17 01 00 00 jne 0x125
e: 48 8d bb c0 00 00 00 lea 0xc0(%rbx),%rdi
15: 49 89 1c 24 mov %rbx,(%r12)
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2e: 0f 85 21 01 00 00 jne 0x155
34: 48 8b 9b c0 00 00 00 mov 0xc0(%rbx),%rbx
3b: 48 89 ea mov %rbp,%rdx
3e: 48 rex.W
3f: b8 .byte 0xb8
Tested on:
commit: 9e906a9d Merge tag 'perf-tools-for-v6.19-2025-12-06' o..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=168666c2580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Dec 7, 2025, 11:08:01 AM (13 hours ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..6a45e98317e9 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -272,8 +272,13 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
memcg = mem_cgroup_from_id(memcg_id);
+ if (unlikely(!memcg)) {
memcg = mem_cgroup_from_id(memcg_id);
+ pr_warn("DEBUG: memcg is NULL (memcg_id=%d), pgdat=%p, returning false\n",memcg_id, pgdat);
+ pr_warn("DEBUG: shadow=%p token=%lx workingset=%d\n",shadow, *token, *workingset);
+ return false;
+ }
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
-
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
+ pr_warn("DEBUG: memcg=%p, lruvec=%p, continuing normally\n", memcg, *lruvec);
syzbot
Dec 7, 2025, 11:23:05 AM (13 hours ago) Dec 7
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
DEBUG: memcg is NULL (memcg_id=0), pgdat=0000000000000000, returning false
DEBUG: shadow=0000000000000013 token=0 workingset=1
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 36e08067 P4D 36e08067 PUD 0
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 2 UID: 0 PID: 6417 Comm: syz.0.25 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000444f988 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff888036dfc980 RSI: ffffea00011b2b00 RDI: ffff8880329bbdc0
RBP: ffffea00011b2b00 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff92000889f32
R13: ffff8880329bbdc0 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007f75eb5a26c0(0000) GS:ffff8880d6b09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000005576a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f75ea78f7c9
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f75eb5a2038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f75ea9e5fa0 RCX: 00007f75ea78f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f75ea813f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f75ea9e6038 R14: 00007f75ea9e5fa0 R15: 00007fff20402df8
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000444f988 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff888036dfc980 RSI: ffffea00011b2b00 RDI: ffff8880329bbdc0
RBP: ffffea00011b2b00 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff92000889f32
R13: ffff8880329bbdc0 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007f75eb5a26c0(0000) GS:ffff8880d6b09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000005576a000 CR4: 0000000000352ef0
Tested on:
commit: 9e906a9d Merge tag 'perf-tools-for-v6.19-2025-12-06' o..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14b1521a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Dec 7, 2025, 9:31:42 PM (3 hours ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent()
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Syzbot reported a general protection fault in lru_gen_test_recent() when
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
accessing memcg->nodeinfo with a NULL memcg pointer:
Oops: general protection fault in lru_gen_test_recent+0xfc/0x370
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
RIP: 0010:lru_gen_test_recent+0xfc/0x370
The crash occurs when unpack_shadow() extracts parameters from a shadow
entry. There are two cases where NULL pointers can be returned:
1. pgdat can be NULL when NODE_DATA(nid) returns NULL for an invalid or
offlined NUMA node ID stored in the shadow entry.
2. memcg can be NULL when mem_cgroup_from_id() fails to find the memory
cgroup (e.g., if it was destroyed).
The existing code directly passes these potentially NULL pointers to
mem_cgroup_lruvec(), which dereferences memcg->nodeinfo without checking,
leading to the crash.
Fix this by:
- Checking if pgdat is NULL and returning early if so, as we cannot
determine page recency without a valid node.
- Checking if memcg is NULL and falling back to pgdat->__lruvec (the
root memcg's lruvec) instead of calling mem_cgroup_lruvec() which
would dereference NULL.
Reported-by: syzbot+e008db...@syzkaller.appspot.com
Link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
mm/workingset.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..335c2d34ac94 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -270,10 +270,18 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
struct pglist_data *pgdat;
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
+ if(unlikely(!pgdat))
+ return false;
memcg = mem_cgroup_from_id(memcg_id);
- *lruvec = mem_cgroup_lruvec(memcg, pgdat);
-
+ if (unlikely(!memcg)) {
+ pr_warn("DEBUG: memcg is NULL (memcg_id=%d), pgdat=%p, returning false\n",memcg_id, pgdat);
+ pr_warn("DEBUG: shadow=%p token=%lx workingset=%d\n",shadow, *token, *workingset);
+ memcg = root_mem_cgroup;
+ pr_warn("DEBUG: memcg is NULL (memcg_id=%d), pgdat=%p, returning false\n",memcg_id, pgdat);
+ pr_warn("DEBUG: shadow=%p token=%lx workingset=%d\n",shadow, *token, *workingset);
+ *lruvec = &pgdat->__lruvec;
+ } else {
+ } else {
+ *lruvec = mem_cgroup_lruvec(memcg, pgdat);
+ }
syzbot
Dec 7, 2025, 9:47:24 PM (2 hours ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Syzbot reported a general protection fault in lru_gen_test_recent() when
accessing invalid memory addresses:
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix NULL pointer dereference in lru_gen_test_recent()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Syzbot reported a general protection fault in lru_gen_test_recent() when
Oops: general protection fault in lru_gen_test_recent+0xfc/0x370
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
RIP: 0010:lru_gen_test_recent+0xfc/0x370
The crash occurs when unpack_shadow() extracts a pglist_data pointer from
a shadow entry. The pgdat can be NULL when NODE_DATA(nid) returns NULL for
an invalid or offlined NUMA node ID stored in the shadow entry.
The existing code doesn't check for NULL pgdat before passing it to
mem_cgroup_lruvec(), which can lead to crashes when dereferencing the
invalid pointer.
Fix this by checking if pgdat is NULL and setting lruvec to NULL before
returning false. The caller in lru_gen_refault() will then skip processing
via the check "if (lruvec != folio_lruvec(folio)) goto unlock", preventing
use of the invalid lruvec.
Reported-by: syzbot+e008db...@syzkaller.appspot.com
Link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
mm/workingset.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..b63948f4e91a 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -270,7 +270,10 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
struct pglist_data *pgdat;
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
-
+ if (unlikely(!pgdat)) {
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
-
+ *lruvec = NULL;
+ return false;
+ }
memcg = mem_cgroup_from_id(memcg_id);
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
--
2.43.0
syzbot
Dec 7, 2025, 10:00:05 PM (2 hours ago) Dec 7
to karti...@gmail.com, linux-...@vger.kernel.org, syz...@syzkaller.appspot.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 253cc067 P4D 253cc067 PUD 0
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 6434 Comm: syz.0.22 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90003af7988 EFLAGS: 00010293
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff888029640000 RSI: ffffea00010f2540 RDI: ffff88801cabb180
RBP: ffffea00010f2540 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff9200075ef32
R13: ffff88801cabb180 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007f51eb3756c0(0000) GS:ffff8880d6c09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000039a0a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f51ea58f7c9
<TASK>
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f51eb375038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f51ea7e5fa0 RCX: 00007f51ea58f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f51ea613f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f51ea7e6038 R14: 00007f51ea7e5fa0 R15: 00007ffedaa41fc8
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90003af7988 EFLAGS: 00010293
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff888029640000 RSI: ffffea00010f2540 RDI: ffff88801cabb180
RBP: ffffea00010f2540 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff9200075ef32
R13: ffff88801cabb180 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007f51eb3756c0(0000) GS:ffff8880d6c09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000039a0a000 CR4: 0000000000352ef0
Tested on:
commit: c2f2b01b Merge tag 'i3c/for-6.19' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f0aeb4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=134f6992580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Dec 7, 2025, 10:28:05 PM (2 hours ago) Dec 7
to karti...@gmail.com, linux-...@vger.kernel.org, syz...@syzkaller.appspot.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 2c3cf067 P4D 2c3cf067 PUD 0
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 6434 Comm: syz.0.29 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc900038e7988 EFLAGS: 00010293
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff888028d4c980 RSI: ffffea000162df00 RDI: ffff88802ca0ba40
RBP: ffffea000162df00 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: ffff888028d4d4b0 R12: 1ffff9200071cf32
R13: ffff88802ca0ba40 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007fba957a36c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000034f91000 CR4: 0000000000352ef0
Call Trace:
<TASK>
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fba9498f7c9
<TASK>
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fba957a3038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fba94be5fa0 RCX: 00007fba9498f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007fba94a13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fba94be6038 R14: 00007fba94be5fa0 R15: 00007ffca4d48ae8
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc900038e7988 EFLAGS: 00010293
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff888028d4c980 RSI: ffffea000162df00 RDI: ffff88802ca0ba40
RBP: ffffea000162df00 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: ffff888028d4d4b0 R12: 1ffff9200071cf32
R13: ffff88802ca0ba40 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007fba957a36c0(0000) GS:ffff8880d6909000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000034f91000 CR4: 0000000000352ef0
Tested on:
commit: c2f2b01b Merge tag 'i3c/for-6.19' of git://git.kernel...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1410aeb4580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Dec 7, 2025, 10:56:47 PM (1 hour ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: add debug for corrupted shadow entry investigation
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When pgdat is NULL in lru_gen_test_recent(), it indicates a corrupted
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
shadow entry. Currently returning false allows execution to continue,
which leads to a subsequent crash in filemap_read_folio() with a NULL
function pointer dereference.
Add debug output and stack dump to understand:
1. When pgdat is NULL (corrupted shadow entries)
2. The full call path leading to this situation
3. Why continuing execution after return false causes crashes
This will help determine the proper place to handle corrupted shadow
entries - either stop earlier in the call chain or handle the corruption
differently in lru_gen_test_recent().
Related-to: syzbot+e008db...@syzkaller.appspot.com
Link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
mm/workingset.c | 8 +++++++-
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..a848572f8c8a 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -270,7 +270,13 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
struct pglist_data *pgdat;
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
-
+ if (unlikely(!pgdat)) {
+ pr_warn("FATAL: Corrupted shadow entry - pgdat is NULL! shadow=%p\n", shadow);
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
-
+ if (unlikely(!pgdat)) {
+ pr_warn("This indicates page cache corruption - cannot proceed\n");
+ dump_stack();
syzbot
Dec 7, 2025, 11:14:05 PM (1 hour ago) Dec 7
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio
RBP: 00007fb7c7c13f91 R08: 0000000000000000 R09: 0000000000000000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb7c7de6038 R14: 00007fb7c7de5fa0 R15: 00007ffd557726f8
</TASK>
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 4f090067 P4D 4f090067
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PUD 0
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 6482 Comm: syz.0.48 Not tainted syzkaller #0 PREEMPT(full)
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90003d47988 EFLAGS: 00010293
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff88802283a4c0 RSI: ffffea00010cb180 RDI: ffff888031ad5500
RBP: ffffea00010cb180 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff920007a8f32
R13: ffff888031ad5500 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007fb7c8ab16c0(0000) GS:ffff8880d6c09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000004ec6a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb7c7b8f7c9
<TASK>
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
freader_get_folio+0x33a/0x930 lib/buildid.c:58
freader_fetch+0xbd/0x740 lib/buildid.c:101
__build_id_parse.isra.0+0xdd/0x6c0 lib/buildid.c:289
do_procmap_query+0xb0e/0x1080 fs/proc/task_mmu.c:733
procfs_procmap_ioctl+0x9d/0xe0 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb7c8ab1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb7c7de5fa0 RCX: 00007fb7c7b8f7c9
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007fb7c7c13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb7c7de6038 R14: 00007fb7c7de5fa0 R15: 00007ffd557726f8
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90003d47988 EFLAGS: 00010293
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81f7e52e
RDX: ffff88802283a4c0 RSI: ffffea00010cb180 RDI: ffff888031ad5500
RBP: ffffea00010cb180 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff920007a8f32
R13: ffff888031ad5500 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007fb7c8ab16c0(0000) GS:ffff8880d6c09000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000004ec6a000 CR4: 0000000000352ef0
Tested on:
commit: c2f2b01b Merge tag 'i3c/for-6.19' of git://git.kernel...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbcb767d1e1208ac
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15098ec2580000
dashboard link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Dec 7, 2025, 11:49:33 PM (15 minutes ago) Dec 7
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] mm/workingset: fix crash from corrupted shadow entries in lru_gen
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Syzbot reported crashes in lru_gen_test_recent() and subsequent NULL
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
pointer dereferences in the page cache code:
Oops: general protection fault in lru_gen_test_recent+0xfc/0x370
KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]
And later:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
Call Trace:
filemap_read_folio+0xc8/0x2a0
The root cause is that unpack_shadow() can extract an invalid node ID
from a corrupted shadow entry, causing NODE_DATA(nid) to return NULL for
pgdat. When this NULL pgdat is passed to mem_cgroup_lruvec(), it leads
to crashes when dereferencing memcg->nodeinfo.
Even if we detect and return early from lru_gen_test_recent(), the
corrupted state propagates through the call chain, eventually causing
crashes in the page cache code when trying to use the corrupted folio.
Fix this by:
1. Checking if pgdat is NULL in lru_gen_test_recent() and setting
*lruvec to NULL to signal the corruption to the caller.
2. Adding a NULL check for lruvec in lru_gen_refault() to catch
corrupted shadow entries and skip processing before the corruption
can propagate further into the page cache code.
Reported-by: syzbot+e008db...@syzkaller.appspot.com
Link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
mm/workingset.c | 11 +++++++++--
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/mm/workingset.c b/mm/workingset.c
index e9f05634747a..da19ff153dc7 100644
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -270,7 +270,14 @@ static bool lru_gen_test_recent(void *shadow, struct lruvec **lruvec,
struct pglist_data *pgdat;
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
-
+ /*
unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset);
-
+ * If pgdat is NULL, the shadow entry contains an invalid node ID.
+ * Set lruvec to NULL so caller can detect and skip processing.
+ */
+ if (unlikely(!pgdat)) {
+ *lruvec = NULL;
+ return false;
+ }
memcg = mem_cgroup_from_id(memcg_id);
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
@@ -294,7 +301,7 @@ static void lru_gen_refault(struct folio *folio, void *shadow)
+ return false;
+ }
memcg = mem_cgroup_from_id(memcg_id);
*lruvec = mem_cgroup_lruvec(memcg, pgdat);
rcu_read_lock();
recent = lru_gen_test_recent(shadow, &lruvec, &token, &workingset);
- if (lruvec != folio_lruvec(folio))
+ if (!lruvec || lruvec != folio_lruvec(folio))
goto unlock;
mod_lruvec_state(lruvec, WORKINGSET_REFAULT_BASE + type, delta);
--
2.43.0
Reply all
Reply to author
Forward
0 new messages