syzbot


KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2)

Status: upstream: reported on 2026/02/06 07:24
Subsystems: cgroups mm
Labels: prio:high
Reported-by: syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com
Fix commit: 63b02a9409cb mm: swap_cgroup: fix NULL deref in lookup_swap_cgroup_id on swapless host
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu-native-arm64-kvm]
First crash: 156d, last: 84d
✨ AI Jobs (3)
ID Workflow Result Correct Bug Created Started Finished Revision Error
86affc21-29b3-4ae7-a08b-d9ae18a0bcd3 assessment-security DenialOfService: ✅ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ✅ UserNamespace: ✅ VMGuestTrigger: ❌ VMHostTrigger: ❌ KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2) 2026/06/01 01:54 2026/06/01 01:54 2026/06/01 02:54 6b4a844333e83556da95d61d7f207e7ef5cd4bc6
ff6ab158-e534-4749-bfb9-c54c98ed9b1f assessment-security 💥 KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2) 2026/05/15 09:59 2026/05/15 09:59 2026/05/15 10:00 9cd3beaadf14b3a22d15fd97a0bf081ee41ebe01
failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/63bb4d70c57be69f28...
truncated to first 200 bytes; open job for full error
dfd1fd4b-0d7d-4922-af45-fc54b9fe20e4 repro KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2) 2026/03/07 09:24 2026/03/07 09:24 2026/03/07 09:34 31e9c887f7dc24e04b3ca70d0d54fc34141844b0
Discussions (3)
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [PATCH] mm: swap_cgroup: fix NULL deref in lookup_swap_cgroup_id on swapless host | 1 (1) | 2026/05/04 12:55 |
| [syzbot] Monthly cgroups report (Apr 2026) | 0 (1) | 2026/04/11 06:40 |
| [syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2) | 3 (4) | 2026/02/13 16:04 |
Similar bugs (1)
| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: wild-memory-access Read in lookup_swap_cgroup_id cgroups mm | 17 | | | | 1 | 484d | 479d | 0/29 | auto-obsoleted due to no activity on 2025/06/14 20:44 |

Sample crash report:
==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:82 [inline]
BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
Read of size 4 at addr 0007fffffffffffc by task syz.2.1964/13836

CPU: 0 UID: 0 PID: 13836 Comm: syz.2.1964 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
 instrument_atomic_read include/linux/instrumented.h:82 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
 lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
 swap_pte_batch+0x3c3/0x720 mm/internal.h:460
 zap_nonpresent_ptes mm/memory.c:1762 [inline]
 do_zap_pte_range mm/memory.c:1831 [inline]
 zap_pte_range mm/memory.c:1929 [inline]
 zap_pmd_range mm/memory.c:2021 [inline]
 zap_pud_range mm/memory.c:2049 [inline]
 zap_p4d_range mm/memory.c:2070 [inline]
 unmap_page_range+0x20e9/0x4840 mm/memory.c:2091
 unmap_single_vma+0x153/0x240 mm/memory.c:2133
 unmap_vmas+0x295/0x590 mm/memory.c:2171
 exit_mmap+0x1ef/0xa30 mm/mmap.c:1302
 __mmput+0x12a/0x410 kernel/fork.c:1175
 mmput+0x67/0x80 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x819/0x2b60 kernel/exit.c:964
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1118
 __do_sys_exit_group kernel/exit.c:1129 [inline]
 __se_sys_exit_group kernel/exit.c:1127 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1127
 x64_sys_call+0x102c/0x1530 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f931cb9c819
Code: Unable to access opcode bytes at 0x7f931cb9c7ef.
RSP: 002b:00007ffd6ae19798 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f931cb9c819
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffd6ae197fc R08: 0000000000000000 R09: 00000000000927c0
R10: 00007f931ce16038 R11: 0000000000000246 R12: 00000000000001ae
R13: 00000000000927c0 R14: 00000000000a0784 R15: 00007ffd6ae19850
 </TASK>
==================================================================

Crashes (4):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/04/10 13:34 | upstream | 9a9c8ce300cd | 38c8e246 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: wild-memory-access Read in lookup_swap_cgroup_id |
| 2026/03/05 16:24 | upstream | c107785c7e8d | d20b04c8 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: wild-memory-access Read in lookup_swap_cgroup_id |
| 2026/02/02 16:15 | upstream | 18f7fcd5e69a | 018ebef2 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: wild-memory-access Read in lookup_swap_cgroup_id |
| 2026/01/28 07:38 | upstream | 1f97d9dcf536 | 3029c699 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: wild-memory-access Read in lookup_swap_cgroup_id |