lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CACT4Y+bd+PcL=XzkehM-bmsfAB95UA2y9jr5JY2ov8zVOp1DWA@mail.gmail.com>
Date: Fri, 6 Feb 2026 08:31:19 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: syzbot <syzbot+e12bd9ca48157add237a@...kaller.appspotmail.com>
Cc: akpm@...ux-foundation.org, cgroups@...r.kernel.org, hannes@...xchg.org, 
	linux-kernel@...r.kernel.org, linux-mm@...ck.org, mhocko@...nel.org, 
	muchun.song@...ux.dev, roman.gushchin@...ux.dev, shakeel.butt@...ux.dev, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in
 lookup_swap_cgroup_id (2)

On Fri, 6 Feb 2026 at 08:24, syzbot
<syzbot+e12bd9ca48157add237a@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    18f7fcd5e69a Linux 6.19-rc8
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1428fc5a580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> dashboard link: https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2c19d9acc149/disk-18f7fcd5.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/02cf07c94e58/vmlinux-18f7fcd5.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/84011cec9819/bzImage-18f7fcd5.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e12bd9ca48157add237a@...kaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
> BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
> BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
> BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
> Read of size 4 at addr 0007fffffffffffc by task syz.5.3598/20029
>
> CPU: 1 UID: 0 PID: 20029 Comm: syz.5.3598 Tainted: G             L      syzkaller #0 PREEMPT(full)
> Tainted: [L]=SOFTLOCKUP
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
>  kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
>  check_region_inline mm/kasan/generic.c:186 [inline]
>  kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
>  instrument_atomic_read include/linux/instrumented.h:68 [inline]
>  atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
>  __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
>  lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
>  swap_pte_batch+0x3c3/0x720 mm/internal.h:390
>  zap_nonpresent_ptes mm/memory.c:1749 [inline]
>  do_zap_pte_range mm/memory.c:1818 [inline]
>  zap_pte_range mm/memory.c:1858 [inline]
>  zap_pmd_range mm/memory.c:1950 [inline]
>  zap_pud_range mm/memory.c:1978 [inline]
>  zap_p4d_range mm/memory.c:1999 [inline]
>  unmap_page_range+0x1f6f/0x43e0 mm/memory.c:2020
>  unmap_single_vma+0x153/0x240 mm/memory.c:2062
>  unmap_vmas+0x218/0x470 mm/memory.c:2104
>  exit_mmap+0x181/0xae0 mm/mmap.c:1277
>  __mmput+0x12a/0x410 kernel/fork.c:1173
>  mmput+0x67/0x80 kernel/fork.c:1196
>  exit_mm kernel/exit.c:581 [inline]
>  do_exit+0x78a/0x2a30 kernel/exit.c:959
>  do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
>  get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
>  arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
>  __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
>  exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75
>  __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
>  syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
>  syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
>  syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
>  do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f2f8f19aeb9
> Code: Unable to access opcode bytes at 0x7f2f8f19ae8f.
> RSP: 002b:00007f2f900350e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffe00 RBX: 00007f2f8f416098 RCX: 00007f2f8f19aeb9
> RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2f8f416098
> RBP: 00007f2f8f416090 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f2f8f416128 R14: 00007ffc0c8cc050 R15: 00007ffc0c8cc138
>  </TASK>
> ==================================================================

This happened before:
https://lore.kernel.org/all/67d04360.050a0220.1939a6.000e.GAE@google.com/T/
and now 2 more times.
All reports look similar: exit_mm -> zap_p4d_range
And all access addresses look the same: top 13 bits are zeros, then
some garbage (0007fffffffffffc).
I am pretty sure it's telling us something, some kind of tricky race,
rather than a previous corruption. Swp entry is somehow invalid?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ