| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aYYkvaqYGLXD3_P-@linux.dev> Date: Fri, 6 Feb 2026 09:30:28 -0800 From: Shakeel Butt <shakeel.butt@...ux.dev> To: Dmitry Vyukov <dvyukov@...gle.com> Cc: syzbot <syzbot+e12bd9ca48157add237a@...kaller.appspotmail.com>, akpm@...ux-foundation.org, cgroups@...r.kernel.org, hannes@...xchg.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, mhocko@...nel.org, muchun.song@...ux.dev, roman.gushchin@...ux.dev, syzkaller-bugs@...glegroups.com, kasong@...cent.com Subject: Re: [syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2) +Kairui On Fri, Feb 06, 2026 at 08:31:19AM +0100, Dmitry Vyukov wrote: > On Fri, 6 Feb 2026 at 08:24, syzbot > <syzbot+e12bd9ca48157add237a@...kaller.appspotmail.com> wrote: > > > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit: 18f7fcd5e69a Linux 6.19-rc8 > > git tree: upstream > > console output: https://syzkaller.appspot.com/x/log.txt?x=1428fc5a580000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671 > > dashboard link: https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a > > compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44 > > > > Unfortunately, I don't have any reproducer for this issue yet. > > > > Downloadable assets: > > disk image: https://storage.googleapis.com/syzbot-assets/2c19d9acc149/disk-18f7fcd5.raw.xz > > vmlinux: https://storage.googleapis.com/syzbot-assets/02cf07c94e58/vmlinux-18f7fcd5.xz > > kernel image: https://storage.googleapis.com/syzbot-assets/84011cec9819/bzImage-18f7fcd5.xz > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+e12bd9ca48157add237a@...kaller.appspotmail.com > > > > ================================================================== > > BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline] > > BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] > > BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline] > > BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127 > > Read of size 4 at addr 0007fffffffffffc by task syz.5.3598/20029 > > > > CPU: 1 UID: 0 PID: 20029 Comm: syz.5.3598 Tainted: G L syzkaller #0 PREEMPT(full) > > Tainted: [L]=SOFTLOCKUP > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 > > Call Trace: > > <TASK> > > __dump_stack lib/dump_stack.c:94 [inline] > > dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 > > kasan_report+0xdf/0x1a0 mm/kasan/report.c:595 > > check_region_inline mm/kasan/generic.c:186 [inline] > > kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200 > > instrument_atomic_read include/linux/instrumented.h:68 [inline] > > atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] > > __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline] > > lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127 > > swap_pte_batch+0x3c3/0x720 mm/internal.h:390 > > zap_nonpresent_ptes mm/memory.c:1749 [inline] > > do_zap_pte_range mm/memory.c:1818 [inline] > > zap_pte_range mm/memory.c:1858 [inline] > > zap_pmd_range mm/memory.c:1950 [inline] > > zap_pud_range mm/memory.c:1978 [inline] > > zap_p4d_range mm/memory.c:1999 [inline] > > unmap_page_range+0x1f6f/0x43e0 mm/memory.c:2020 > > unmap_single_vma+0x153/0x240 mm/memory.c:2062 > > unmap_vmas+0x218/0x470 mm/memory.c:2104 > > exit_mmap+0x181/0xae0 mm/mmap.c:1277 > > __mmput+0x12a/0x410 kernel/fork.c:1173 > > mmput+0x67/0x80 kernel/fork.c:1196 > > exit_mm kernel/exit.c:581 [inline] > > do_exit+0x78a/0x2a30 kernel/exit.c:959 > > do_group_exit+0xd5/0x2a0 kernel/exit.c:1112 > > get_signal+0x1ec7/0x21e0 kernel/signal.c:3034 > > arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337 > > __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] > > exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75 > > __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] > > syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] > > syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] > > syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] > > do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100 > > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > RIP: 0033:0x7f2f8f19aeb9 > > Code: Unable to access opcode bytes at 0x7f2f8f19ae8f. > > RSP: 002b:00007f2f900350e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca > > RAX: fffffffffffffe00 RBX: 00007f2f8f416098 RCX: 00007f2f8f19aeb9 > > RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2f8f416098 > > RBP: 00007f2f8f416090 R08: 0000000000000000 R09: 0000000000000000 > > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 > > R13: 00007f2f8f416128 R14: 00007ffc0c8cc050 R15: 00007ffc0c8cc138 > > </TASK> > > ================================================================== > > This happened before: > https://lore.kernel.org/all/67d04360.050a0220.1939a6.000e.GAE@google.com/T/ > and now 2 more times. > All reports look similar: exit_mm -> zap_p4d_range > And all access addresses look the same: top 13 bits are zeros, then > some garbage (0007fffffffffffc). > I am pretty sure it's telling us something, some kind of tricky race, > rather than a previous corruption. Swp entry is somehow invalid? Thanks for the report. It would be good to have a reproducer. I will dig deeper later but good to have eyes from Kairui who has recent changes in the area.
Powered by blists - more mailing lists