X-Mailing-List: linux-kernel@vger.kernel.org
Date: Sun, 07 Dec 2025 20:49:32 -0800
In-Reply-To: <693540fe.a70a0220.38f243.004c.GAE@google.com>
Message-ID: <693658dc.a70a0220.38f243.0083.GAE@google.com>
Subject: Forwarded: [PATCH] mm/workingset: fix crash from corrupted shadow entries in lru_gen
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] mm/workingset: fix crash from corrupted shadow entries in lru_gen
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Syzbot reported crashes in lru_gen_test_recent() and subsequent NULL pointer
dereferences in the page cache code:

  Oops: general protection fault in lru_gen_test_recent+0xfc/0x370
  KASAN: probably user-memory-access in range [0x0000000000004e00-0x0000000000004e07]

And later:

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor instruction fetch in kernel mode
  RIP: 0010:0x0
  Call Trace:
   filemap_read_folio+0xc8/0x2a0

The root cause is that unpack_shadow() can extract an invalid node ID from a
corrupted shadow entry, causing NODE_DATA(nid) to return NULL for pgdat. When
this NULL pgdat is passed to mem_cgroup_lruvec(), it leads to crashes when
dereferencing memcg->nodeinfo.

Even if we detect and return early from lru_gen_test_recent(), the corrupted
state propagates through the call chain, eventually causing crashes in the
page cache code when trying to use the corrupted folio.

Fix this by:

1. Checking if pgdat is NULL in lru_gen_test_recent() and setting *lruvec to
   NULL to signal the corruption to the caller.

2. Adding a NULL check for lruvec in lru_gen_refault() to catch corrupted
   shadow entries and skip processing before the corruption can propagate
   further into the page cache code.

Reported-by: syzbot+e008db2ac01e282550ee@syzkaller.appspot.com
Link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Signed-off-by: Deepanshu Kartikey
---
 mm/workingset.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/mm/workingset.c b/mm/workingset.c index e9f05634747a..da19ff153dc7 100644 --- a/mm/workingset.c +++ b/mm/workingset.c @@ -270,7 +270,14 @@ static bool lru_gen_test_recent(void *shadow, struct l= ruvec **lruvec, struct pglist_data *pgdat; =20 unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset); - + /* + * If pgdat is NULL, the shadow entry contains an invalid node ID. + * Set lruvec to NULL so caller can detect and skip processing. + */ + if (unlikely(!pgdat)) { + *lruvec =3D NULL; + return false; + } memcg =3D mem_cgroup_from_id(memcg_id); *lruvec =3D mem_cgroup_lruvec(memcg, pgdat); =20 @@ -294,7 +301,7 @@ static void lru_gen_refault(struct folio *folio, void *= shadow) rcu_read_lock(); =20 recent =3D lru_gen_test_recent(shadow, &lruvec, &token, &workingset); - if (lruvec !=3D folio_lruvec(folio)) + if (!lruvec || lruvec !=3D folio_lruvec(folio)) goto unlock; =20 mod_lruvec_state(lruvec, WORKINGSET_REFAULT_BASE + type, delta); --=20 2.43.0
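Review bot: in the lru_gen_test_recent() hunk the NULL check sits in one caller of unpack_shadow(), but unpack_shadow() is where the NULL pgdat is produced; validating the node id at the decode point (or having unpack_shadow() report failure) would cover every consumer of the decoded pgdat instead of only this path. The silent `*lruvec = NULL; return false;` also hides what the changelog itself calls a corrupted shadow entry, so a `WARN_ON_ONCE(!pgdat)` in that branch would keep the crash fixed while still surfacing the corruption to syzbot and to users. Minor: the hunk deletes the blank line between the unpack_shadow() call and the new comment block; keep it, matching the spacing the rest of the function uses.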
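Review bot: in the lru_gen_refault() hunk, folding the corruption case into the existing `lruvec != folio_lruvec(folio)` test makes a corrupt entry indistinguishable from the ordinary mismatch (folio moved to another lruvec), and both now `goto unlock` with no diagnostic; split the `!lruvec` case out so it can warn once. The changelog also says that without this check the corrupted state propagates into filemap_read_folio() and the `RIP: 0010:0x0` NULL function pointer crash, but this hunk only skips the mod_lruvec_state() accounting and touches neither the folio nor its mapping, so the changelog should explain how skipping the statistics update prevents that second crash, or the second crash needs its own fix.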
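To make the failure the changelog describes concrete, the following is an added userspace model of the shadow-entry layout that mm/workingset.c packs into an xarray value entry (workingset flag, node id, memcg id, eviction counter, then xa_mk_value()). It is illustration written for this page, not kernel code and not part of the patch. The field order and WORKINGSET_SHIFT/MEM_CGROUP_ID_SHIFT follow the kernel, while NODES_SHIFT = 6, the two-entry node_data[] table, a 64-bit unsigned long, and the helper names unpack_shadow_checked() and corrupt_shadow_nid() are assumptions made for the example. It shows how flipping the node bits of a valid entry selects an index whose NODE_DATA() slot is NULL, and what checking for that at the decode point looks like.

```c
/*
 * Userspace model of the shadow-entry packing used by mm/workingset.c.
 * Added illustration, not kernel code. NODES_SHIFT and the populated node
 * table below are assumptions; the kernel's values come from Kconfig.
 * Assumes a 64-bit unsigned long.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WORKINGSET_SHIFT	1	/* one flag bit, as in the kernel */
#define NODES_SHIFT		6	/* assumption: MAX_NUMNODES == 64 */
#define MEM_CGROUP_ID_SHIFT	16	/* as in include/linux/memcontrol.h */
#define MAX_NUMNODES		(1 << NODES_SHIFT)

/* Minimal stand-in for struct pglist_data: only the node id matters here. */
struct pglist_data { int node_id; };

/*
 * Stand-in for the table behind NODE_DATA(): only nodes 0 and 1 are
 * populated, every other index is NULL, which is what a corrupted node id
 * runs into on a real system.
 */
static struct pglist_data node0 = { .node_id = 0 };
static struct pglist_data node1 = { .node_id = 1 };
static struct pglist_data *node_data[MAX_NUMNODES] = { [0] = &node0, [1] = &node1 };
#define NODE_DATA(nid) (node_data[(nid)])

/* xa_mk_value()/xa_to_value(): a value entry is (v << 1) | 1. */
static inline uintptr_t xa_mk_value(unsigned long v) { return (v << 1) | 1; }
static inline unsigned long xa_to_value(uintptr_t e) { return e >> 1; }

/* Same field order as the kernel's pack_shadow(): eviction | memcg | nid | ws. */
uintptr_t pack_shadow(int memcgid, int nid, unsigned long eviction, bool workingset)
{
	eviction = (eviction << MEM_CGROUP_ID_SHIFT) | (unsigned long)memcgid;
	eviction = (eviction << NODES_SHIFT) | (unsigned long)nid;
	eviction = (eviction << WORKINGSET_SHIFT) | (workingset ? 1UL : 0UL);
	return xa_mk_value(eviction);
}

/*
 * Checked unpack (hypothetical helper): returns 0 on success, -1 when the
 * node id names a node without a pglist_data. An unchecked decode would hand
 * back a NULL pgdat here and leave the dereference to the caller.
 */
int unpack_shadow_checked(uintptr_t shadow, int *memcgid, struct pglist_data **pgdat,
			  unsigned long *eviction, bool *workingset)
{
	unsigned long entry = xa_to_value(shadow);
	int nid;

	*workingset = entry & ((1UL << WORKINGSET_SHIFT) - 1);
	entry >>= WORKINGSET_SHIFT;
	nid = entry & ((1UL << NODES_SHIFT) - 1);	/* masked: always < MAX_NUMNODES */
	entry >>= NODES_SHIFT;
	*memcgid = entry & ((1UL << MEM_CGROUP_ID_SHIFT) - 1);
	entry >>= MEM_CGROUP_ID_SHIFT;
	*eviction = entry;

	*pgdat = NODE_DATA(nid);
	if (!*pgdat) {
		fprintf(stderr, "shadow %#lx: node %d has no pgdat, treating entry as corrupt\n",
			(unsigned long)shadow, nid);
		return -1;
	}
	return 0;
}

/* Overwrite the node-id field of an existing entry, modelling corruption. */
uintptr_t corrupt_shadow_nid(uintptr_t shadow, int nid)
{
	unsigned long v = xa_to_value(shadow);
	unsigned long mask = ((1UL << NODES_SHIFT) - 1) << WORKINGSET_SHIFT;

	v = (v & ~mask) | (((unsigned long)nid << WORKINGSET_SHIFT) & mask);
	return xa_mk_value(v);
}

int main(void)
{
	int memcgid;
	struct pglist_data *pgdat;
	unsigned long eviction;
	bool ws;
	uintptr_t good = pack_shadow(0x1234, 1, 0xabcd, true);	/* constructed entry */
	uintptr_t bad = corrupt_shadow_nid(good, 37);		/* node 37 is not populated */

	if (unpack_shadow_checked(good, &memcgid, &pgdat, &eviction, &ws) == 0)
		printf("good: memcg=%#x node=%d eviction=%#lx ws=%d\n",
		       memcgid, pgdat->node_id, eviction, ws);
	if (unpack_shadow_checked(bad, &memcgid, &pgdat, &eviction, &ws) != 0)
		printf("bad: rejected before anyone could dereference pgdat\n");
	return 0;
}
```

The point of checking at the decode step is that the node id is already masked to fewer than MAX_NUMNODES bits, so the only way to notice a bad entry is to look at the NODE_DATA() slot itself; once a NULL pgdat has been handed to a caller, every later use of it is a crash waiting for the first dereference.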