From: syzbot <syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] mm/memfd: zero hugetlb pages on allocation
Date: Tue, 11 Nov 2025 16:54:32 -0800 [thread overview]
Message-ID: <6913dac8.a70a0220.22f260.0150.GAE@google.com> (raw)
In-Reply-To: <69122a59.a70a0220.22f260.00fb.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] mm/memfd: zero hugetlb pages on allocation
Author: kartikey406@gmail.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When allocating hugetlb pages for memfd, the pages were not being
zeroed, which could lead to uninitialized kernel memory being exposed
to userspace through read() or mmap() operations.
This is a security issue as it allows information disclosure of
potentially sensitive kernel data. Add __GFP_ZERO to the gfp_mask
to ensure pages are cleared before being made accessible to userspace.
This is particularly important for udmabuf use cases where these
pages are pinned and directly accessed by userspace via DMA buffers.
Reproducer:
- Create memfd with MFD_HUGETLB flag
- Use udmabuf ioctl to pin the pages
- Read from the memfd using preadv()
- KMSAN detects uninitialized memory leak to userspace
Reported-by: syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
mm/memfd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/mm/memfd.c b/mm/memfd.c
index 1d109c1acf21..0095b9f4fe00 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -85,6 +85,7 @@ struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx)
gfp_mask = htlb_alloc_mask(h);
gfp_mask &= ~(__GFP_HIGHMEM | __GFP_MOVABLE);
+ gfp_mask |= __GFP_ZERO;
idx >>= huge_page_order(h);
nr_resv = hugetlb_reserve_pages(inode, idx, idx + 1, NULL, 0);
--
2.43.0
next prev parent reply other threads:[~2025-11-12 0:54 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-10 18:09 [syzbot] [fs?] [mm?] KMSAN: kernel-infoleak in hugetlbfs_read_iter syzbot
2025-11-12 0:54 ` syzbot [this message]
2025-11-12 1:27 ` Forwarded: [PATCH] mm/memfd: clear hugetlb pages on allocation syzbot
2025-11-12 12:41 ` Forwarded: [PATCH] mm/memfd: properly initialize hugetlb folios syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6913dac8.a70a0220.22f260.0150.GAE@google.com \
--to=syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.