syzbot


KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2)

Status: upstream: reported on 2026/02/06 07:24
Subsystems: cgroups mm
Reported-by: syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com
Fix commit: mm: swap_cgroup: fix NULL deref in lookup_swap_cgroup_id on swapless host
Patched on: [ci-upstream-linux-next-kasan-gce-root ci-upstream-rust-kasan-gce], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 111d, last: 39d
✨ AI Jobs (2)
ID Workflow Result Correct Bug Created Started Finished Revision Error
ff6ab158-e534-4749-bfb9-c54c98ed9b1f assessment-security 💥 KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2) 2026/05/15 09:59 2026/05/15 09:59 2026/05/15 10:00 9cd3beaadf14b3a22d15fd97a0bf081ee41ebe01 failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/63bb4d70c57be69f28b7f9ed53b5711205a39ef1" "-s" "bzImage" "compile_commands.json"]: exit status 2
dfd1fd4b-0d7d-4922-af45-fc54b9fe20e4 repro KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2) 2026/03/07 09:24 2026/03/07 09:24 2026/03/07 09:34 31e9c887f7dc24e04b3ca70d0d54fc34141844b0
Discussions (3)
Title Replies (including bot) Last reply
[PATCH] mm: swap_cgroup: fix NULL deref in lookup_swap_cgroup_id on swapless host 1 (1) 2026/05/04 12:55
[syzbot] Monthly cgroups report (Apr 2026) 0 (1) 2026/04/11 06:40
[syzbot] [cgroups?] [mm?] KASAN: wild-memory-access Read in lookup_swap_cgroup_id (2) 3 (4) 2026/02/13 16:04
Similar bugs (1)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: wild-memory-access Read in lookup_swap_cgroup_id cgroups mm 17 1 438d 434d 0/29 auto-obsoleted due to no activity on 2025/06/14 20:44

Sample crash report:
==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:82 [inline]
BUG: KASAN: wild-memory-access in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: wild-memory-access in __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
BUG: KASAN: wild-memory-access in lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
Read of size 4 at addr 0007fffffffffffc by task syz.2.1964/13836

CPU: 0 UID: 0 PID: 13836 Comm: syz.2.1964 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
 instrument_atomic_read include/linux/instrumented.h:82 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 __swap_cgroup_id_lookup mm/swap_cgroup.c:28 [inline]
 lookup_swap_cgroup_id+0xf9/0x1a0 mm/swap_cgroup.c:127
 swap_pte_batch+0x3c3/0x720 mm/internal.h:460
 zap_nonpresent_ptes mm/memory.c:1762 [inline]
 do_zap_pte_range mm/memory.c:1831 [inline]
 zap_pte_range mm/memory.c:1929 [inline]
 zap_pmd_range mm/memory.c:2021 [inline]
 zap_pud_range mm/memory.c:2049 [inline]
 zap_p4d_range mm/memory.c:2070 [inline]
 unmap_page_range+0x20e9/0x4840 mm/memory.c:2091
 unmap_single_vma+0x153/0x240 mm/memory.c:2133
 unmap_vmas+0x295/0x590 mm/memory.c:2171
 exit_mmap+0x1ef/0xa30 mm/mmap.c:1302
 __mmput+0x12a/0x410 kernel/fork.c:1175
 mmput+0x67/0x80 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x819/0x2b60 kernel/exit.c:964
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1118
 __do_sys_exit_group kernel/exit.c:1129 [inline]
 __se_sys_exit_group kernel/exit.c:1127 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1127
 x64_sys_call+0x102c/0x1530 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f931cb9c819
Code: Unable to access opcode bytes at 0x7f931cb9c7ef.
RSP: 002b:00007ffd6ae19798 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f931cb9c819
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffd6ae197fc R08: 0000000000000000 R09: 00000000000927c0
R10: 00007f931ce16038 R11: 0000000000000246 R12: 00000000000001ae
R13: 00000000000927c0 R14: 00000000000a0784 R15: 00007ffd6ae19850
 </TASK>
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/04/10 13:34 upstream 9a9c8ce300cd 38c8e246 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: wild-memory-access Read in lookup_swap_cgroup_id
2026/03/05 16:24 upstream c107785c7e8d d20b04c8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: wild-memory-access Read in lookup_swap_cgroup_id
2026/02/02 16:15 upstream 18f7fcd5e69a 018ebef2 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: wild-memory-access Read in lookup_swap_cgroup_id
2026/01/28 07:38 upstream 1f97d9dcf536 3029c699 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: wild-memory-access Read in lookup_swap_cgroup_id
* Struck through repros no longer work on HEAD.