Date: Mon, 08 Dec 2025 22:28:09 -0800
In-Reply-To: <693540fe.a70a0220.38f243.004c.GAE@google.com>
Message-ID: <6937c179.a70a0220.38f243.00c5.GAE@google.com>
Subject: Forwarded: [PATCH] mm/workingset: fix NULL deref from invalid node ID in shadow
X-Mailing-List: linux-kernel@vger.kernel.org
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] mm/workingset: fix NULL deref from invalid node ID in shadow
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Fix a NULL pointer dereference in lru_gen_test_recent() caused by shadow
entries containing invalid NUMA node IDs.

The crash occurs when:
1. A page is evicted and its folio incorrectly reports node_id >= MAX_NUMNODES
2. pack_shadow() stores this invalid node ID in the shadow entry
3. On page refault, unpack_shadow() extracts the invalid node ID
4. NODE_DATA(invalid_nid) returns NULL
5. Subsequent dereference of NULL pgdat causes crash

Example from crash log:
shadow=0x11 unpacks to: nid=4, but system only has nodes 0-3
NODE_DATA(4) returns NULL → crash

Root cause: Pages can be tracked on non-existent NUMA nodes due to:
- Incorrect node assignment during page allocation
- Corrupted page->flags NODES bits
- NUMA policy bugs

Fix: Add validation in both pack_shadow() and unpack_shadow():
1. In pack_shadow(): Detect and reject invalid node IDs at creation time
2. In unpack_shadow(): Validate node ID before using NODE_DATA()
3. Fall back to node 0 for invalid node IDs to prevent crash

Additionally, initialize MGLRU min_seq to 1 instead of 0 to prevent
creating shadows with zero eviction time, which lose temporal information.

Link: https://syzkaller.appspot.com/bug?extid=e008db2ac01e282550ee
Reported-by: syzbot+e008db2ac01e282550ee@syzkaller.appspotmail.com
Debugged-by: Deepanshu Kartikey
Signed-off-by: Deepanshu Kartikey
---
 mm/workingset.c | 74 +++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 62 insertions(+), 12 deletions(-)
diff --git a/mm/workingset.c b/mm/workingset.c index e9f05634747a..23a2d00fb582 100644 --- a/mm/workingset.c +++ b/mm/workingset.c 
@@ -199,28 +199,55 @@ static unsigned int bucket_order __read_mostly; static void *pack_shadow(int memcgid, pg_data_t *pgdat, unsigned long evic= tion, bool workingset) { + pr_err("PACK_SHADOW: CREATING SHADOW\n"); + pr_err(" memcgid=3D%d node_id=3D%d eviction=3D0x%lx workingset=3D%d\n", + memcgid, pgdat->node_id, eviction, workingset); + if (pgdat->node_id >=3D MAX_NUMNODES || !NODE_DATA(pgdat->node_id)) { + pr_err("*** BUG: pack_shadow called with INVALID node_id=3D%d! ***\n", + pgdat->node_id); + pr_err(" pgdat=3D%px pgdat->node_id=3D%d MAX_NUMNODES=3D%d\n", + pgdat, pgdat->node_id, MAX_NUMNODES); + dump_stack(); + =09 + // This will show WHERE the bad pgdat came from + } eviction &=3D EVICTION_MASK; eviction =3D (eviction << MEM_CGROUP_ID_SHIFT) | memcgid; eviction =3D (eviction << NODES_SHIFT) | pgdat->node_id; eviction =3D (eviction << WORKINGSET_SHIFT) | workingset; - - return xa_mk_value(eviction); + void *shadow =3D xa_mk_value(eviction); + pr_err(" Final packed shadow=3D0x%lx (raw eviction=3D0x%lx)\n", + (unsigned long)shadow, eviction); + if ((unsigned long)shadow =3D=3D 0x41) { + pr_err("*** BUG: CREATED SHADOW 0x41! ***\n"); + } + return shadow; } =20 static void unpack_shadow(void *shadow, int *memcgidp, pg_data_t **pgdat, unsigned long *evictionp, bool *workingsetp) { + pr_err("UNPACK_SHADOW: READING SHADOW\n"); + pr_err(" shadow=3D0x%lx\n", (unsigned long)shadow); unsigned long entry =3D xa_to_value(shadow); int memcgid, nid; bool workingset; - + // CRITICAL: Detect if we're reading the bad 0x41 shadow! + if ((unsigned long)shadow =3D=3D 0x41) { + pr_err("*** BUG: UNPACKING CORRUPTED SHADOW 0x41! 
***\n"); + } workingset =3D entry & ((1UL << WORKINGSET_SHIFT) - 1); entry >>=3D WORKINGSET_SHIFT; nid =3D entry & ((1UL << NODES_SHIFT) - 1); entry >>=3D NODES_SHIFT; memcgid =3D entry & ((1UL << MEM_CGROUP_ID_SHIFT) - 1); entry >>=3D MEM_CGROUP_ID_SHIFT; - + pr_err(" Unpacked: memcgid=3D%d nid=3D%d eviction=3D0x%lx workingset=3D%= d\n", + memcgid, nid, entry, workingset); + pr_err(" NODE_DATA(%d)=3D%px\n", nid, NODE_DATA(nid)); + if (nid >=3D MAX_NUMNODES || !NODE_DATA(nid)) { + pr_err("*** BUG: INVALID NODE ID %d! ***\n", nid); + } *memcgidp =3D memcgid; *pgdat =3D NODE_DATA(nid); *evictionp =3D entry; @@ -231,6 +258,8 @@ static void unpack_shadow(void *shadow, int *memcgidp, = pg_data_t **pgdat, =20 static void *lru_gen_eviction(struct folio *folio) { + pr_err("LRU_GEN_EVICTION: ENTERED\n"); + pr_err(" folio=3D%px node=3D%d\n", folio, folio_nid(folio)); int hist; unsigned long token; unsigned long min_seq; @@ -250,11 +279,15 @@ static void *lru_gen_eviction(struct folio *folio) lrugen =3D &lruvec->lrugen; min_seq =3D READ_ONCE(lrugen->min_seq[type]); token =3D (min_seq << LRU_REFS_WIDTH) | max(refs - 1, 0); - + pr_err("LRU_GEN_EVICTION: min_seq=3D0x%lx refs=3D%d tier=3D%d\n", + min_seq, refs, tier); + pr_err(" token=3D0x%lx (will be eviction parameter)\n", token); hist =3D lru_hist_from_seq(min_seq); atomic_long_add(delta, &lrugen->evicted[hist][type][tier]); - - return pack_shadow(mem_cgroup_id(memcg), pgdat, token, workingset); + void *shadow =3D pack_shadow(mem_cgroup_id(memcg), pgdat, token, workings= et); + pr_err("LRU_GEN_EVICTION: Returning shadow=3D0x%lx\n", (unsigned long)sha= dow); + return shadow; + //return pack_shadow(mem_cgroup_id(memcg), pgdat, token, workingset); } =20 /* 
@@ -270,7 +303,14 @@ static bool lru_gen_test_recent(void *shadow, struct l= ruvec **lruvec, struct pglist_data *pgdat; =20 unpack_shadow(shadow, &memcg_id, &pgdat, token, workingset); - + /* + * If pgdat is NULL, the shadow entry contains an invalid node ID. + * Set lruvec to NULL so caller can detect and skip processing. + */ + if (unlikely(!pgdat)) { + *lruvec =3D NULL; + return false; + } memcg =3D mem_cgroup_from_id(memcg_id); *lruvec =3D mem_cgroup_lruvec(memcg, pgdat); =20 @@ -280,7 +320,7 @@ static bool lru_gen_test_recent(void *shadow, struct lr= uvec **lruvec, return abs_diff(max_seq, *token >> LRU_REFS_WIDTH) < MAX_NR_GENS; } =20 -static void lru_gen_refault(struct folio *folio, void *shadow) +static void lru_gen_refault(struct folio *folio, void *shadow)=20 { bool recent; int hist, tier, refs; @@ -292,11 +332,9 @@ static void lru_gen_refault(struct folio *folio, void = *shadow) int delta =3D folio_nr_pages(folio); =20 rcu_read_lock(); - recent =3D lru_gen_test_recent(shadow, &lruvec, &token, &workingset); - if (lruvec !=3D folio_lruvec(folio)) + if (!lruvec || lruvec !=3D folio_lruvec(folio)) goto unlock; - mod_lruvec_state(lruvec, WORKINGSET_REFAULT_BASE + type, delta); =20 if (!recent) @@ -533,6 +571,11 @@ bool workingset_test_recent(void *shadow, bool file, b= ool *workingset, */ void workingset_refault(struct folio *folio, void *shadow) { + pr_err("WORKINGSET_REFAULT: ENTERED\n"); + pr_err(" folio=3D%px shadow=3D0x%lx\n", folio, (unsigned long)sha= dow); + if ((unsigned long)shadow =3D=3D 0x41) { + pr_err("*** BUG: WORKINGSET_REFAULT received corrupted sha= dow 0x41! ***\n"); + } bool file =3D folio_is_file_lru(folio); struct pglist_data *pgdat; struct mem_cgroup *memcg; 
@@ -543,9 +586,13 @@ void workingset_refault(struct folio *folio, void *sha= dow) VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); =20 if (lru_gen_enabled()) { + pr_err("WORKINGSET_REFAULT: LRU_GEN enabled, calling lru_gen_refault\n"); lru_gen_refault(folio, shadow); + pr_err("WORKINGSET_REFAULT: lru_gen_refault returned\n"); + return; } + pr_err("WORKINGSET_REFAULT: Using regular (non-LRU_GEN) path\n"); =20 /* * The activation decision for this folio is made at the level @@ -562,6 +609,7 @@ void workingset_refault(struct folio *folio, void *shad= ow) lruvec =3D mem_cgroup_lruvec(memcg, pgdat); =20 mod_lruvec_state(lruvec, WORKINGSET_REFAULT_BASE + file, nr); + pr_err("WORKINGSET_REFAULT: Calling workingset_test_recent\n"); =20 if (!workingset_test_recent(shadow, file, &workingset, true)) return; @@ -572,6 +620,7 @@ void workingset_refault(struct folio *folio, void *shad= ow) =20 /* Folio was active prior to eviction */ if (workingset) { + pr_err("WORKINGSET_REFAULT: Folio was workingset, restoring\n"); folio_set_workingset(folio); /* * XXX: Move to folio_add_lru() when it supports new vs @@ -580,6 +629,7 @@ void workingset_refault(struct folio *folio, void *shad= ow) lru_note_cost_refault(folio); mod_lruvec_state(lruvec, WORKINGSET_RESTORE_BASE + file, nr); } + pr_err("WORKINGSET_REFAULT: EXITING\n"); } =20 /** --=20 2.43.0
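Review bot: In the @@ -199 hunk the new check in pack_shadow() (`if (pgdat->node_id >= MAX_NUMNODES || !NODE_DATA(pgdat->node_id))`) only prints and calls dump_stack(), then falls through to pack the bad node ID anyway, so the commit message's claim that invalid IDs are "detected and rejected at creation time" is not what the code does; either return NULL (no shadow) or substitute a valid node there, and say which in the message. The same hunk carries a tab-only `=09` line, a C++ `// This will show WHERE the bad pgdat came from` comment, and `== 0x41` comparisons tied to one crash instance, none of which belong in a mergeable change. In unpack_shadow() the `pr_err(" NODE_DATA(%d)=%px\n", nid, NODE_DATA(nid))` evaluates NODE_DATA() before the validity check, the check itself only logs, and `*pgdat = NODE_DATA(nid)` still stores a possibly NULL pointer, so "validate node ID before using NODE_DATA()" is also not met; `%px` additionally prints raw kernel addresses and will draw a checkpatch warning.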
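Review bot: In the @@ -231 hunk the two pr_err() calls at the top of lru_gen_eviction() sit before the local declarations (`int hist;`, `unsigned long token;`, ...), mixing statements and declarations, and they fire on every eviction with a raw folio address via `%px`. If they are needed for the syzbot run, move them below the declarations; they should not survive into the real fix.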
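Review bot: The @@ -250 hunk leaves the old call behind as a comment (`//return pack_shadow(mem_cgroup_id(memcg), pgdat, token, workingset);`) directly after `return shadow;`; delete the dead line. The new `void *shadow = pack_shadow(...)` declaration after `atomic_long_add()` is another declaration-after-statement, and the quoted-printable line breaks inside `workings= et` and `sha= dow` suggest this was pasted rather than sent with `git send-email`, so it may not apply cleanly.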
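Review bot: The NULL-pgdat guard in the @@ -270 hunk (`if (unlikely(!pgdat)) { *lruvec = NULL; return false; }`) is the only substantive fix in this diff and it is sound for the MGLRU path, but it contradicts the commit message, which promises a fall back to node 0: here the shadow is simply ignored, and `*token` and `*workingset` are left as unpack_shadow() wrote them. Also, the shadow reaching workingset_refault() is passed to workingset_test_recent() on the non-MGLRU path (visible in the @@ -562 hunk), and this diff adds no equivalent guard there, so the crash class is only half closed; either make unpack_shadow() never hand out a NULL `*pgdat` (which would match the message) or guard every consumer.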
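Review bot: The @@ -280 hunk is whitespace-only: it appends a trailing space to the `static void lru_gen_refault(struct folio *folio, void *shadow)` line (shown as `=20`), which checkpatch rejects and which creates a spurious diff. Drop the hunk.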
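Review bot: In the @@ -292 hunk the `if (!lruvec || lruvec != folio_lruvec(folio))` test correctly pairs with the NULL lruvec that lru_gen_test_recent() now returns, but the hunk also deletes the two blank lines around the `recent = lru_gen_test_recent(...)` call and before `mod_lruvec_state()`, which is unrelated churn; keep the `!lruvec` check and leave the surrounding layout alone.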
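Review bot: In the @@ -533 hunk the pr_err() lines and the `== 0x41` comparison are inserted ahead of `bool file = folio_is_file_lru(folio);` and the other declarations of workingset_refault(), again mixing code and declarations, and they print a raw folio pointer with `%px` on every refault. The trace lines added in the @@ -543, @@ -562, @@ -572 and @@ -580 hunks are the same kind of instrumentation at KERN_ERR severity; that is fine for a one-off `#syz test` run, but the series should not carry a Signed-off-by or a commit message describing it as the fix until the debugging output is stripped and the message matches the code.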