From nobody Fri Dec 19 08:09:38 2025
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Mon, 08 Dec 2025 21:35:56 -0800
In-Reply-To: <693540fe.a70a0220.38f243.004c.GAE@google.com>
Message-ID: <6937b53c.a70a0220.38f243.00bf.GAE@google.com>
Subject: Forwarded: [PATCH] mm/workingset: add debug instrumentation for MGLRU shadow corruption
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] mm/workingset: add debug instrumentation for MGLRU shadow corruption
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Add comprehensive debug logging to track down a NULL pointer dereference in
lru_gen_test_recent() when unpacking shadow entries with value 0x41.

The crash occurs when:
1. A shadow entry with value 0x41 is created during page eviction
2. The page later refaults and tries to unpack this shadow
3. unpack_shadow() extracts an invalid node ID from 0x41
4. NODE_DATA() returns NULL for the invalid node
5. Crash when trying to dereference NULL pgdat

This debug patch instruments the complete shadow entry lifecycle:
1. pack_shadow() - Log shadow creation and detect 0x41 creation
2. lru_gen_eviction() - Log MGLRU eviction path with min_seq/token
3. unpack_shadow() - Log shadow unpacking and detect 0x41 unpacking
4. lru_gen_test_recent() - Log entry and detect NULL pgdat
5. workingset_refault() - Log refault entry point
6. lru_gen_refault() - Log MGLRU refault handler

Each function dumps a stack trace when a 0x41 shadow is detected to capture
the full call chain. The goal is to identify why pack_shadow() creates 0x41,
which likely indicates MGLRU generation counters (min_seq) are zero when they
shouldn't be.

Link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Reported-by: syzbot+e008db2ac01e282550ee@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey
---
 mm/workingset.c | 64 +++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 57 insertions(+), 7 deletions(-)

diff --git a/mm/workingset.c b/mm/workingset.c
index 0ec205a1ae92..d64490cd987d 100644
--- a/mm/workingset.c +++ b/mm/workingset.c @@ -199,28 +199,49 @@ static unsigned int bucket_order __read_mostly; static void *pack_shadow(int memcgid, pg_data_t *pgdat, unsigned long evic= tion, bool workingset) { + pr_err("PACK_SHADOW: CREATING SHADOW\n"); + pr_err(" memcgid=3D%d node_id=3D%d eviction=3D0x%lx workingset=3D%d\n", + memcgid, pgdat->node_id, eviction, workingset); eviction &=3D EVICTION_MASK; eviction =3D (eviction << MEM_CGROUP_ID_SHIFT) | memcgid; eviction =3D (eviction << NODES_SHIFT) | pgdat->node_id; eviction =3D (eviction << WORKINGSET_SHIFT) | workingset; - - return xa_mk_value(eviction); + void *shadow =3D xa_mk_value(eviction); + pr_err(" Final packed shadow=3D0x%lx (raw eviction=3D0x%lx)\n", + (unsigned long)shadow, eviction); + if ((unsigned long)shadow =3D=3D 0x41) { + pr_err("*** BUG: CREATED SHADOW 0x41! ***\n"); + dump_stack(); + } + return shadow; } =20 static void unpack_shadow(void *shadow, int *memcgidp, pg_data_t **pgdat, unsigned long *evictionp, bool *workingsetp) { + pr_err("UNPACK_SHADOW: READING SHADOW\n"); + pr_err(" shadow=3D0x%lx\n", (unsigned long)shadow); unsigned long entry =3D xa_to_value(shadow); int memcgid, nid; bool workingset; - + // CRITICAL: Detect if we're reading the bad 0x41 shadow! + if ((unsigned long)shadow =3D=3D 0x41) { + pr_err("*** BUG: UNPACKING CORRUPTED SHADOW 0x41! ***\n"); + dump_stack(); + } workingset =3D entry & ((1UL << WORKINGSET_SHIFT) - 1); entry >>=3D WORKINGSET_SHIFT; nid =3D entry & ((1UL << NODES_SHIFT) - 1); entry >>=3D NODES_SHIFT; memcgid =3D entry & ((1UL << MEM_CGROUP_ID_SHIFT) - 1); entry >>=3D MEM_CGROUP_ID_SHIFT; - + pr_err(" Unpacked: memcgid=3D%d nid=3D%d eviction=3D0x%lx workingset=3D%= d\n", + memcgid, nid, entry, workingset); + pr_err(" NODE_DATA(%d)=3D%px\n", nid, NODE_DATA(nid)); + if (nid >=3D MAX_NUMNODES || !NODE_DATA(nid)) { + pr_err("*** BUG: INVALID NODE ID %d! ***\n", nid); + dump_stack(); + } *memcgidp =3D memcgid; *pgdat =3D NODE_DATA(nid); *evictionp =3D entry; 
@@ -231,6 +252,8 @@ static void unpack_shadow(void *shadow, int *memcgidp, = pg_data_t **pgdat, =20 static void *lru_gen_eviction(struct folio *folio) { + pr_err("LRU_GEN_EVICTION: ENTERED\n"); + pr_err(" folio=3D%px node=3D%d\n", folio, folio_nid(folio)); int hist; unsigned long token; unsigned long min_seq; @@ -250,11 +273,15 @@ static void *lru_gen_eviction(struct folio *folio) lrugen =3D &lruvec->lrugen; min_seq =3D READ_ONCE(lrugen->min_seq[type]); token =3D (min_seq << LRU_REFS_WIDTH) | max(refs - 1, 0); - + pr_err("LRU_GEN_EVICTION: min_seq=3D0x%lx refs=3D%d tier=3D%d\n", + min_seq, refs, tier); + pr_err(" token=3D0x%lx (will be eviction parameter)\n", token); hist =3D lru_hist_from_seq(min_seq); atomic_long_add(delta, &lrugen->evicted[hist][type][tier]); - - return pack_shadow(mem_cgroup_id(memcg), pgdat, token, workingset); + void *shadow =3D pack_shadow(mem_cgroup_id(memcg), pgdat, token, workings= et); + pr_err("LRU_GEN_EVICTION: Returning shadow=3D0x%lx\n", (unsigned long)sha= dow); + return shadow; + //return pack_shadow(mem_cgroup_id(memcg), pgdat, token, workingset); } =20 /* @@ -289,6 +316,13 @@ static bool lru_gen_test_recent(void *shadow, struct l= ruvec **lruvec, =20 static void lru_gen_refault(struct folio *folio, void *shadow) { + pr_err("LRU_GEN_REFAULT: ENTERED\n"); + pr_err(" folio=3D%px shadow=3D0x%lx\n", folio, (unsigned long)sha= dow); + =20 + if ((unsigned long)shadow =3D=3D 0x41) { + pr_err("*** BUG: LRU_GEN_REFAULT received corrupted shadow= 0x41! ***\n"); + //dump_stack(); + } bool recent; int hist, tier, refs; bool workingset; 
@@ -299,8 +333,11 @@ static void lru_gen_refault(struct folio *folio, void = *shadow) int delta =3D folio_nr_pages(folio); =20 rcu_read_lock(); + pr_err("LRU_GEN_REFAULT: Calling lru_gen_test_recent\n"); =20 recent =3D lru_gen_test_recent(shadow, &lruvec, &token, &workingset); + pr_err("LRU_GEN_REFAULT: lru_gen_test_recent returned %d\n", recent); + pr_err(" lruvec=3D%px token=3D0x%lx workingset=3D%d\n", lruvec, t= oken, workingset); if (!lruvec || lruvec !=3D folio_lruvec(folio)) goto unlock; mod_lruvec_state(lruvec, WORKINGSET_REFAULT_BASE + type, delta); @@ -539,6 +576,12 @@ bool workingset_test_recent(void *shadow, bool file, b= ool *workingset, */ void workingset_refault(struct folio *folio, void *shadow) { + pr_err("WORKINGSET_REFAULT: ENTERED\n"); + pr_err(" folio=3D%px shadow=3D0x%lx\n", folio, (unsigned long)sha= dow); + if ((unsigned long)shadow =3D=3D 0x41) { + pr_err("*** BUG: WORKINGSET_REFAULT received corrupted sha= dow 0x41! ***\n"); + dump_stack(); + } bool file =3D folio_is_file_lru(folio); struct pglist_data *pgdat; struct mem_cgroup *memcg; @@ -549,9 +592,13 @@ void workingset_refault(struct folio *folio, void *sha= dow) VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); =20 if (lru_gen_enabled()) { + pr_err("WORKINGSET_REFAULT: LRU_GEN enabled, calling lru_gen_refault\n"); lru_gen_refault(folio, shadow); + pr_err("WORKINGSET_REFAULT: lru_gen_refault returned\n"); + return; } + pr_err("WORKINGSET_REFAULT: Using regular (non-LRU_GEN) path\n"); =20 /* * The activation decision for this folio is made at the level @@ -568,6 +615,7 @@ void workingset_refault(struct folio *folio, void *shad= ow) lruvec =3D mem_cgroup_lruvec(memcg, pgdat); =20 mod_lruvec_state(lruvec, WORKINGSET_REFAULT_BASE + file, nr); + pr_err("WORKINGSET_REFAULT: Calling workingset_test_recent\n"); =20 if (!workingset_test_recent(shadow, file, &workingset, true)) return; 
@@ -578,6 +626,7 @@ void workingset_refault(struct folio *folio, void *shad= ow) =20 /* Folio was active prior to eviction */ if (workingset) { + pr_err("WORKINGSET_REFAULT: Folio was workingset, restoring\n"); folio_set_workingset(folio); /* * XXX: Move to folio_add_lru() when it supports new vs @@ -586,6 +635,7 @@ void workingset_refault(struct folio *folio, void *shad= ow) lru_note_cost_refault(folio); mod_lruvec_state(lruvec, WORKINGSET_RESTORE_BASE + file, nr); } + pr_err("WORKINGSET_REFAULT: EXITING\n"); } =20 /** --=20 2.43.0
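Review bot: In the unpack_shadow() part of the first hunk (@@ -199,28 +199,49 @@), the `nid >= MAX_NUMNODES` half of the new check can never be true, because nid was masked with `(1UL << NODES_SHIFT) - 1` a few lines earlier, so only `!NODE_DATA(nid)` can ever fire; and the `pr_err(" NODE_DATA(%d)=%px\n", nid, NODE_DATA(nid));` line evaluates NODE_DATA(nid) before that check runs. Suggest dropping the dead comparison, moving the NODE_DATA print after the check, and wording the message as "node %d has no pgdat" so the log states what was actually detected. Given the packing order in this hunk (workingset in the low bit, then NODES_SHIFT bits of node id, then the memcg id) and the bit-0 tag that xa_mk_value() adds after shifting left by one, 0x41 unpacks to workingset=0, nid=16, memcgid=0 and eviction=0 on any config with NODES_SHIFT >= 5, so a detector keyed on those decoded fields (memcgid 0, NULL pgdat) would be more robust than one keyed on the literal 0x41. Style: both functions now have declarations after statements (`void *shadow = xa_mk_value(eviction);` follows the pr_err calls in pack_shadow(), and in unpack_shadow() the pr_err calls precede `unsigned long entry = xa_to_value(shadow);`); kernel style keeps declarations at the top of the block.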
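Review bot: The two pr_err() calls added at the top of lru_gen_eviction() (@@ -231,6 +252,8 @@) run unconditionally on every MGLRU eviction, and later hunks add the same on every refault, so a reproducer under memory pressure will flood the console with KERN_ERR output and may shift timing enough to hide the race being chased; keep the per-call traces behind the 0x41 / NULL-pgdat condition (or at least use pr_err_ratelimited()) and leave only the anomaly dump unconditional. They also precede the `int hist;` declaration, so the locals should be declared above them.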
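Review bot: In @@ -250,11 +273,15 @@ the commented-out `//return pack_shadow(mem_cgroup_id(memcg), pgdat, token, workingset);` after `return shadow;` is unreachable leftover and should be removed; `void *shadow = pack_shadow(...)` is another declaration after statements, so declare `shadow` with the other locals and only assign it here.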
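Review bot: In the lru_gen_refault() hunk (@@ -289,6 +316,13 @@) the `//dump_stack();` inside the 0x41 branch is commented out, which contradicts the commit message's "Each function dumps stack trace when 0x41 shadow is detected"; either enable it or fix the description. The added line that decodes to whitespace only (`+ =20`) will be flagged by checkpatch as trailing whitespace. The hunk header names lru_gen_test_recent() only as context, and no hunk in the diff changes that function's body, yet the commit message lists it (item 4) as instrumented to "detect NULL pgdat"; since that is the function where the crash is said to occur, either the instrumentation is missing from the diff or the message needs correcting.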
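Review bot: In @@ -539,6 +576,12 @@ a single 0x41 shadow now triggers dump_stack() here in workingset_refault(), again in unpack_shadow() from the first hunk, and (if re-enabled) in lru_gen_refault(), all from the same call chain, which triples the log volume without adding information; dump once at the innermost point (unpack_shadow()) and just log the value in the callers. Declarations after statements again: `bool file = folio_is_file_lru(folio);` now follows the pr_err calls.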
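Review bot: In @@ -549,9 +592,13 @@ the `+ return;` after `lru_gen_refault(folio, shadow);` appears as a newly added line with no existing `return;` in the surrounding context, so either the base tree had no early return there, in which case this is a control-flow change that the commit message does not mention and that should not ride along with debug logging, or the hunk does not match the tree; please check against the base at index 0ec205a1ae92 and drop the line if the early return already exists.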
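Review bot: The "WORKINGSET_REFAULT: EXITING" marker added in @@ -586,6 +635,7 @@ is only reached on the path that falls through to the end of the function; the return after lru_gen_refault() and the `if (!workingset_test_recent(shadow, file, &workingset, true)) return;` path both skip it, so a missing EXITING line in the log cannot be read as evidence that the function crashed. Either print the marker on every exit path or drop it.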
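As an added illustration, not part of the patch or of the kernel source: a userspace model of the shadow entry layout that pack_shadow()/unpack_shadow() in the hunks above implement, decoding the 0x41 value the report is about. It assumes a 64-bit `unsigned long` and WORKINGSET_SHIFT=1, NODES_SHIFT=6, MEM_CGROUP_ID_SHIFT=16 (all config dependent), and node_data() is a constructed stand-in for NODE_DATA() in which only node 0 has a pgdat.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed kernel constants; all three are config dependent in a real build. */
#define WORKINGSET_SHIFT 1
#define NODES_SHIFT 6
#define MEM_CGROUP_ID_SHIFT 16
/* EVICTION_SHIFT: 1 bit for the xarray value tag plus the three packed fields. */
#define EVICTION_SHIFT (1 + WORKINGSET_SHIFT + NODES_SHIFT + MEM_CGROUP_ID_SHIFT)
#define EVICTION_MASK (~0UL >> EVICTION_SHIFT)

struct shadow_fields { int memcgid; int nid; unsigned long eviction; bool workingset; };

/* xa_mk_value()/xa_to_value(): bit 0 marks the word as a value, not a pointer. */
static unsigned long xa_mk_value(unsigned long v) { return (v << 1) | 1; }
static unsigned long xa_to_value(unsigned long entry) { return entry >> 1; }

/* Same field order as the kernel: eviction | memcgid | nid | workingset (low bit). */
unsigned long pack_shadow(int memcgid, int nid, unsigned long eviction, bool workingset)
{
    eviction &= EVICTION_MASK;
    eviction = (eviction << MEM_CGROUP_ID_SHIFT) | memcgid;
    eviction = (eviction << NODES_SHIFT) | nid;
    eviction = (eviction << WORKINGSET_SHIFT) | workingset;
    return xa_mk_value(eviction);
}

/* Inverse of pack_shadow(): peel the fields off from the low bits upward.
 * Note that nid is always masked to NODES_SHIFT bits, so it can never reach
 * MAX_NUMNODES; the only possible failure is a node without a pgdat. */
struct shadow_fields unpack_shadow(unsigned long shadow)
{
    unsigned long entry = xa_to_value(shadow);
    struct shadow_fields f;

    f.workingset = entry & ((1UL << WORKINGSET_SHIFT) - 1);
    entry >>= WORKINGSET_SHIFT;
    f.nid = entry & ((1UL << NODES_SHIFT) - 1);
    entry >>= NODES_SHIFT;
    f.memcgid = entry & ((1UL << MEM_CGROUP_ID_SHIFT) - 1);
    entry >>= MEM_CGROUP_ID_SHIFT;
    f.eviction = entry;
    return f;
}

/* Constructed stand-in for NODE_DATA(): only node 0 has a pgdat in this model,
 * so the nid unpacked from 0x41 yields NULL, the condition the patch is hunting. */
static int model_pgdat0;
void *node_data(int nid) { return nid == 0 ? &model_pgdat0 : NULL; }
```

With these constants 0x41 decodes to memcgid 0, nid 16, eviction 0 and workingset 0, i.e. the same value pack_shadow(0, 16, 0, false) produces, which is why a detector on the decoded fields catches the case regardless of the exact literal.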