X-Mailing-List: linux-kernel@vger.kernel.org
Date: Fri, 09 Jan 2026 18:17:34 -0800
In-Reply-To: <6960c2f0.050a0220.1c677c.03be.GAE@google.com>
Message-ID: <6961b6be.050a0220.1c677c.03da.GAE@google.com>
Subject: Forwarded: [PATCH] mm/swap_cgroup: fix kernel BUG in swap_cgroup_record
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] mm/swap_cgroup: fix kernel BUG in swap_cgroup_record
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

When using MADV_PAGEOUT, pages can remain in swapcache with their swap
entries assigned. If MADV_PAGEOUT is called again on these pages, they
reuse the same swap entries, causing memcg1_swapout() to call
swap_cgroup_record() with an already-recorded entry.

The existing code assumes swap entries are always being recorded for the
first time (oldid == 0), triggering VM_BUG_ON when it encounters an
already-recorded entry:

------------[ cut here ]------------
kernel BUG at mm/swap_cgroup.c:78!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6176 Comm: syz.0.30 Not tainted
RIP: 0010:swap_cgroup_record+0x19c/0x1c0 mm/swap_cgroup.c:78
Call Trace:
 memcg1_swapout+0x2fa/0x830 mm/memcontrol-v1.c:623
 __remove_mapping+0xac5/0xe30 mm/vmscan.c:773
 shrink_folio_list+0x2786/0x4f40 mm/vmscan.c:1528
 reclaim_folio_list+0xeb/0x4e0 mm/vmscan.c:2208
 reclaim_pages+0x454/0x520 mm/vmscan.c:2245
 madvise_cold_or_pageout_pte_range+0x19a0/0x1ce0 mm/madvise.c:563
 ...
 do_madvise+0x1bc/0x270 mm/madvise.c:2030
 __do_sys_madvise mm/madvise.c:2039

This bug occurs because pages in swapcache can be targeted by MADV_PAGEOUT
multiple times without being swapped in between. Each time, the same swap
entry is reused, but swap_cgroup_record() expects to only record new,
unused entries.

Fix this by checking if the swap entry already has the correct cgroup ID
recorded before attempting to record it.
Use the existing lookup_swap_cgroup_id() to read the current cgroup ID, and return early from memcg1_swapout() if the entry is already correctly recorded. Only call swap_cgroup_record() when the entry needs to be set or updated. This approach avoids unnecessary atomic operations, reference count manipulations, and statistics updates when the entry is already correct. Link: https://syzkaller.appspot.com/bug?extid=3Dd97580a8cceb9b03c13e Reported-by: syzbot+d97580a8cceb9b03c13e@syzkaller.appspotmail.com Signed-off-by: Deepanshu Kartikey --- mm/memcontrol-v1.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c index 56d27baf93ab..982cfe5af225 100644 --- a/mm/memcontrol-v1.c +++ b/mm/memcontrol-v1.c @@ -614,6 +614,7 @@ void memcg1_swapout(struct folio *folio, swp_entry_t en= try) { struct mem_cgroup *memcg, *swap_memcg; unsigned int nr_entries; + unsigned short oldid; =20 VM_BUG_ON_FOLIO(folio_test_lru(folio), folio); VM_BUG_ON_FOLIO(folio_ref_count(folio), folio); @@ -630,6 +631,16 @@ void memcg1_swapout(struct folio *folio, swp_entry_t e= ntry) if (!memcg) return; =20 + /* + * Check if this swap entry is already recorded. This can happen + * when MADV_PAGEOUT is called multiple times on pages that remain + * in swapcache, reusing the same swap entries. + */ + oldid =3D lookup_swap_cgroup_id(entry); + if (oldid =3D=3D mem_cgroup_id(memcg)) + return; + VM_WARN_ON_ONCE(oldid !=3D 0); + /* * In case the memcg owning these pages has been offlined and doesn't * have an ID allocated to it anymore, charge the closest online --=20 2.43.0
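Review bot: in the first hunk (@@ -614,6 +614,7 @@), the new local `unsigned short oldid;` reuses the name the commit message gives to the value swap_cgroup_record() itself checks ("oldid == 0" inside mm/swap_cgroup.c), which makes the later `VM_WARN_ON_ONCE(oldid != 0)` read as if it were guarding that internal check rather than a separate lookup done beforehand; a name such as `recorded_id` would keep the two apart for the next reader.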
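Review bot: the early return in the second hunk (@@ -630,6 +631,16 @@) compares the recorded id against mem_cgroup_id(memcg), but the unchanged context right below it says that when the folio's memcg "has been offlined and doesn't have an ID allocated to it anymore" the swap charge goes to "the closest online ancestor", and the first hunk's context declares a separate `swap_memcg` for exactly that purpose. For such a folio the id stored on the first MADV_PAGEOUT is the ancestor's, so on the second pass `oldid == mem_cgroup_id(memcg)` is false, `VM_WARN_ON_ONCE(oldid != 0)` fires, and the function then continues into swap_cgroup_record() with a non-zero old id, which is the VM_BUG_ON path from the report (the diffstat shows no change in mm/swap_cgroup.c, so that check is still there). Either move the lookup after swap_memcg is resolved and compare against mem_cgroup_id(swap_memcg), or treat any non-zero id as "already recorded" (`if (oldid) return;`) and keep the WARN for the mismatch case only. Separately, lookup_swap_cgroup_id(entry) inspects one entry while `nr_entries` (declared in the same function) are recorded; if all entries of a folio are always recorded together that is fine, but a one-line comment saying so would help.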
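The commit message describes the mechanism in prose: the swap_cgroup table holds one cgroup id per swap entry, swap_cgroup_record() insists the slot is still zero, and MADV_PAGEOUT on a folio that never left the swapcache reuses the same entry, so the second record trips the check. The following is a constructed C model added here for illustration; it is not kernel code and not part of the patch above. It keeps a small id array, implements record-with-zero-precondition and swap-in-clears-the-slot (the latter is the kernel's swap_cgroup_clear() behaviour, assumed here rather than stated on the page), and runs both the unpatched and the patched form of the memcg1_swapout() check over three sequences: pageout twice, pageout with a swap-in in between, and pageout twice on a folio whose own memcg is offlined so the charge is recorded under an ancestor id (assumed from the hunk's "closest online ancestor" comment). All names (model_*, scenario_*, struct folio_model) are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_SWAP_ENTRIES 64
#define ID_UNRECORDED   0   /* a zero slot means "no cgroup recorded yet" */

/* Hypothetical stand-in for the kernel's per-swap-entry cgroup id array. */
static unsigned short swap_cgroup_id[NR_SWAP_ENTRIES];

enum outcome { OUT_OK, OUT_SKIPPED, OUT_BUG };

static void model_reset(void)
{
    memset(swap_cgroup_id, 0, sizeof swap_cgroup_id);
}

/* lookup_swap_cgroup_id(): id currently recorded for @entry. */
static unsigned short model_lookup(unsigned entry)
{
    return swap_cgroup_id[entry];
}

/*
 * swap_cgroup_record(): record @id for @nr consecutive entries. The real
 * function VM_BUG_ONs on a non-zero old id (mm/swap_cgroup.c:78 in the
 * report); the model returns OUT_BUG instead so it can be asserted on.
 */
static enum outcome model_record(unsigned entry, unsigned short id, unsigned nr)
{
    for (unsigned i = 0; i < nr; i++) {
        if (swap_cgroup_id[entry + i] != ID_UNRECORDED)
            return OUT_BUG;
        swap_cgroup_id[entry + i] = id;
    }
    return OUT_OK;
}

/* Swap-in: assumed to clear the slot (swap_cgroup_clear() on the uncharge path). */
static void model_swapin(unsigned entry, unsigned nr)
{
    for (unsigned i = 0; i < nr; i++)
        swap_cgroup_id[entry + i] = ID_UNRECORDED;
}

/*
 * The folio being reclaimed. swap_memcg_id is the id the charge is recorded
 * under: the folio's own memcg while online, otherwise its closest online
 * ancestor (assumption taken from the hunk's "offlined" comment).
 */
struct folio_model {
    unsigned short memcg_id;
    unsigned short swap_memcg_id;
    unsigned entry;
    unsigned nr;
};

/* memcg1_swapout() before the patch: record unconditionally. */
static enum outcome swapout_unpatched(const struct folio_model *f)
{
    return model_record(f->entry, f->swap_memcg_id, f->nr);
}

/* memcg1_swapout() with the patch's early return in front of the record. */
static enum outcome swapout_patched(const struct folio_model *f)
{
    unsigned short oldid = model_lookup(f->entry);

    if (oldid == f->memcg_id)
        return OUT_SKIPPED;
    /* VM_WARN_ON_ONCE(oldid != 0) only warns; the record still happens. */
    return model_record(f->entry, f->swap_memcg_id, f->nr);
}

typedef enum outcome (*swapout_fn)(const struct folio_model *);

static swapout_fn pick(bool patched)
{
    return patched ? swapout_patched : swapout_unpatched;
}

/* MADV_PAGEOUT twice while the folio stays in swapcache: same entry reused. */
static enum outcome run_pageout_twice(const struct folio_model *f, bool patched)
{
    model_reset();
    enum outcome first = pick(patched)(f);
    if (first != OUT_OK)
        return first;
    return pick(patched)(f);
}

/* Online memcg, id 5: the report's scenario. */
static enum outcome scenario_online_twice(bool patched)
{
    const struct folio_model f = { .memcg_id = 5, .swap_memcg_id = 5, .entry = 3, .nr = 1 };
    return run_pageout_twice(&f, patched);
}

/* Same folio, but faulted back in between the two MADV_PAGEOUT calls. */
static enum outcome scenario_swapin_between(bool patched)
{
    const struct folio_model f = { .memcg_id = 5, .swap_memcg_id = 5, .entry = 3, .nr = 1 };

    model_reset();
    if (pick(patched)(&f) != OUT_OK)
        return OUT_BUG;
    model_swapin(f.entry, f.nr);
    return pick(patched)(&f);
}

/* memcg 5 offlined, charge recorded under ancestor id 2: the id comparison misses. */
static enum outcome scenario_offlined_twice(bool patched)
{
    const struct folio_model f = { .memcg_id = 5, .swap_memcg_id = 2, .entry = 3, .nr = 1 };
    return run_pageout_twice(&f, patched);
}

int main(void)
{
    static const char *name[] = { "ok", "skipped", "BUG" };

    printf("online, pageout twice:   unpatched=%s patched=%s\n",
           name[scenario_online_twice(false)], name[scenario_online_twice(true)]);
    printf("swap-in in between:      unpatched=%s patched=%s\n",
           name[scenario_swapin_between(false)], name[scenario_swapin_between(true)]);
    printf("offlined, pageout twice: unpatched=%s patched=%s\n",
           name[scenario_offlined_twice(false)], name[scenario_offlined_twice(true)]);
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c && ./a.out`. The first scenario reproduces the report (unpatched hits the BUG precondition, patched skips the second record), the second shows why a swap-in between the two calls never triggered it, and the third shows the limit of comparing against the folio's own memcg id: once the charge is recorded under an ancestor id, the patched check does not match, the warning fires, and the record is attempted again.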