[syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2)

[syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    18f7fcd5e69a Linux 6.19-rc8
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1428fc5a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2c19d9acc149/disk-18f7fcd5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/02cf07c94e58/vmlinux-18f7fcd5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84011cec9819/bzImage-18f7fcd5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
Read of size 4 at addr 0007fffffffffffc by task syz.5.3598/20029

CPU: 1 UID: 0 PID: 20029 Comm: syz.5.3598 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
 lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
 swap_pte_batch+0x3c3/0x720 mm/internal.h:390
 zap_nonpresent_ptes mm/memory.c:1749 [inline]
 do_zap_pte_range mm/memory.c:1818 [inline]
 zap_pte_range mm/memory.c:1858 [inline]
 zap_pmd_range mm/memory.c:1950 [inline]
 zap_pud_range mm/memory.c:1978 [inline]
 zap_p4d_range mm/memory.c:1999 [inline]
 unmap_page_range+0x1f6f/0x43e0 mm/memory.c:2020
 unmap_single_vma+0x153/0x240 mm/memory.c:2062
 unmap_vmas+0x218/0x470 mm/memory.c:2104
 exit_mmap+0x181/0xae0 mm/mmap.c:1277
 __mmput+0x12a/0x410 kernel/fork.c:1173
 mmput+0x67/0x80 kernel/fork.c:1196
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x78a/0x2a30 kernel/exit.c:959
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
 get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
 exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
 do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2f8f19aeb9
Code: Unable to access opcode bytes at 0x7f2f8f19ae8f.
RSP: 002b:00007f2f900350e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f2f8f416098 RCX: 00007f2f8f19aeb9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2f8f416098
RBP: 00007f2f8f416090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2f8f416128 R14: 00007ffc0c8cc050 R15: 00007ffc0c8cc138
 </TASK>
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2)

[Dmitry Vyukov]

On Fri, 6 Feb 2026 at 08:24, syzbot
<syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    18f7fcd5e69a Linux 6.19-rc8
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1428fc5a580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> dashboard link: https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2c19d9acc149/disk-18f7fcd5.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/02cf07c94e58/vmlinux-18f7fcd5.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/84011cec9819/bzImage-18f7fcd5.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
> BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
> BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
> BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
> Read of size 4 at addr 0007fffffffffffc by task syz.5.3598/20029
>
> CPU: 1 UID: 0 PID: 20029 Comm: syz.5.3598 Tainted: G             L      syzkaller #0 PREEMPT(full)
> Tainted: [L]=SOFTLOCKUP
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
>  kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
>  check_region_inline mm/kasan/generic.c:186 [inline]
>  kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
>  instrument_atomic_read include/linux/instrumented.h:68 [inline]
>  atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
>  __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
>  lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
>  swap_pte_batch+0x3c3/0x720 mm/internal.h:390
>  zap_nonpresent_ptes mm/memory.c:1749 [inline]
>  do_zap_pte_range mm/memory.c:1818 [inline]
>  zap_pte_range mm/memory.c:1858 [inline]
>  zap_pmd_range mm/memory.c:1950 [inline]
>  zap_pud_range mm/memory.c:1978 [inline]
>  zap_p4d_range mm/memory.c:1999 [inline]
>  unmap_page_range+0x1f6f/0x43e0 mm/memory.c:2020
>  unmap_single_vma+0x153/0x240 mm/memory.c:2062
>  unmap_vmas+0x218/0x470 mm/memory.c:2104
>  exit_mmap+0x181/0xae0 mm/mmap.c:1277
>  __mmput+0x12a/0x410 kernel/fork.c:1173
>  mmput+0x67/0x80 kernel/fork.c:1196
>  exit_mm kernel/exit.c:581 [inline]
>  do_exit+0x78a/0x2a30 kernel/exit.c:959
>  do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
>  get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
>  arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
>  __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
>  exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75
>  __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
>  syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
>  syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
>  syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
>  do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f2f8f19aeb9
> Code: Unable to access opcode bytes at 0x7f2f8f19ae8f.
> RSP: 002b:00007f2f900350e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffe00 RBX: 00007f2f8f416098 RCX: 00007f2f8f19aeb9
> RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2f8f416098
> RBP: 00007f2f8f416090 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f2f8f416128 R14: 00007ffc0c8cc050 R15: 00007ffc0c8cc138
>  </TASK>
> ==================================================================

This happened before:
https://lore.kernel.org/all/67d04360.050a0220.1939a6.000e.GAE@google.com/T/
and now 2 more times.
All reports look similar: exit_mm -> zap_p4d_range
And all access addresses look the same: top 13 bits are zeros, then
some garbage (0007fffffffffffc).
I am pretty sure it's telling us something, some kind of tricky race,
rather than a previous corruption. Swp entry is somehow invalid?

Re: [syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2)

[Shakeel Butt]

+Kairui

On Fri, Feb 06, 2026 at 08:31:19AM +0100, Dmitry Vyukov wrote:
> On Fri, 6 Feb 2026 at 08:24, syzbot
> <syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    18f7fcd5e69a Linux 6.19-rc8
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1428fc5a580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a
> > compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/2c19d9acc149/disk-18f7fcd5.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/02cf07c94e58/vmlinux-18f7fcd5.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/84011cec9819/bzImage-18f7fcd5.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
> > BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
> > BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
> > BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
> > Read of size 4 at addr 0007fffffffffffc by task syz.5.3598/20029
> >
> > CPU: 1 UID: 0 PID: 20029 Comm: syz.5.3598 Tainted: G             L      syzkaller #0 PREEMPT(full)
> > Tainted: [L]=SOFTLOCKUP
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> > Call Trace:
> >  <TASK>
> >  __dump_stack lib/dump_stack.c:94 [inline]
> >  dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
> >  kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
> >  check_region_inline mm/kasan/generic.c:186 [inline]
> >  kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
> >  instrument_atomic_read include/linux/instrumented.h:68 [inline]
> >  atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
> >  __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
> >  lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
> >  swap_pte_batch+0x3c3/0x720 mm/internal.h:390
> >  zap_nonpresent_ptes mm/memory.c:1749 [inline]
> >  do_zap_pte_range mm/memory.c:1818 [inline]
> >  zap_pte_range mm/memory.c:1858 [inline]
> >  zap_pmd_range mm/memory.c:1950 [inline]
> >  zap_pud_range mm/memory.c:1978 [inline]
> >  zap_p4d_range mm/memory.c:1999 [inline]
> >  unmap_page_range+0x1f6f/0x43e0 mm/memory.c:2020
> >  unmap_single_vma+0x153/0x240 mm/memory.c:2062
> >  unmap_vmas+0x218/0x470 mm/memory.c:2104
> >  exit_mmap+0x181/0xae0 mm/mmap.c:1277
> >  __mmput+0x12a/0x410 kernel/fork.c:1173
> >  mmput+0x67/0x80 kernel/fork.c:1196
> >  exit_mm kernel/exit.c:581 [inline]
> >  do_exit+0x78a/0x2a30 kernel/exit.c:959
> >  do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
> >  get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
> >  arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
> >  __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
> >  exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75
> >  __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
> >  syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
> >  syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
> >  syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
> >  do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7f2f8f19aeb9
> > Code: Unable to access opcode bytes at 0x7f2f8f19ae8f.
> > RSP: 002b:00007f2f900350e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> > RAX: fffffffffffffe00 RBX: 00007f2f8f416098 RCX: 00007f2f8f19aeb9
> > RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2f8f416098
> > RBP: 00007f2f8f416090 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > R13: 00007f2f8f416128 R14: 00007ffc0c8cc050 R15: 00007ffc0c8cc138
> >  </TASK>
> > ==================================================================
> 
> This happened before:
> https://lore.kernel.org/all/67d04360.050a0220.1939a6.000e.GAE@google.com/T/
> and now 2 more times.
> All reports look similar: exit_mm -> zap_p4d_range
> And all access addresses look the same: top 13 bits are zeros, then
> some garbage (0007fffffffffffc).
> I am pretty sure it's telling us something, some kind of tricky race,
> rather than a previous corruption. Swp entry is somehow invalid?

Thanks for the report. It would be good to have a reproducer. I will dig
deeper later but good to have eyes from Kairui who has recent changes
in the area.

Re: [syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2)

[Kairui Song]

On Sat, Feb 7, 2026 at 1:30 AM Shakeel Butt <shakeel.butt@linux.dev> wrote:
>
> +Kairui

Thanks for Cc. I just noticed it while cleaning my mailbox.

> On Fri, Feb 06, 2026 at 08:31:19AM +0100, Dmitry Vyukov wrote:
> > On Fri, 6 Feb 2026 at 08:24, syzbot
> > <syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    18f7fcd5e69a Linux 6.19-rc8
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=1428fc5a580000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a
> > > compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > This happened before:
> > https://lore.kernel.org/all/67d04360.050a0220.1939a6.000e.GAE@google.com/T/
> > and now 2 more times.
> > All reports look similar: exit_mm -> zap_p4d_range
> > And all access addresses look the same: top 13 bits are zeros, then
> > some garbage (0007fffffffffffc).
> > I am pretty sure it's telling us something, some kind of tricky race,
> > rather than a previous corruption. Swp entry is somehow invalid?
>
> Thanks for the report. It would be good to have a reproducer. I will dig
> deeper later but good to have eyes from Kairui who has recent changes
> in the area.

I've just checked the syzbot's console log for the two times it
catched the error:
https://syzkaller.appspot.com/text?tag=CrashLog&x=1428fc5a580000
https://syzkaller.appspot.com/text?tag=CrashLog&x=16c2c694580000

(from https://syzkaller.appspot.com/bug?extid=e12bd9ca48157add237a)

In the first log, before the panic, console is full with:
get_swap_device: Bad swap file entry 4003ffffffffffff

Which indicates there is at least one, maybe a lot of invalid swap
entries of the same value in the page table. Unfortunately that's all
it can tell, maybe something corrupted the page table?