From: syzbot <syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] mm/memfd: clear hugetlb pages on allocation
Date: Tue, 11 Nov 2025 17:27:56 -0800 [thread overview]
Message-ID: <6913e29c.a70a0220.22f260.0153.GAE@google.com> (raw)
In-Reply-To: <69122a59.a70a0220.22f260.00fb.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] mm/memfd: clear hugetlb pages on allocation
Author: kartikey406@gmail.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When allocating hugetlb pages for memfd, the pages are not zeroed,
which leads to uninitialized kernel memory being exposed to userspace
through read() or mmap() operations.
The issue arises because hugetlb_reserve_pages() can allocate pages
through the surplus allocation path without the __GFP_ZERO flag. These
pages are added to the reservation pool and later returned by
alloc_hugetlb_folio_reserve() without being cleared, resulting in
uninitialized memory being accessible to userspace.
This is a security vulnerability as it allows information disclosure of
potentially sensitive kernel data. Fix it by explicitly zeroing the
folio after allocation using folio_zero_range().
This is particularly important for udmabuf use cases where these pages
are pinned and directly accessed by userspace via DMA buffers.
Reproducer:
- Create memfd with MFD_HUGETLB flag
- Use UDMABUF_CREATE ioctl to pin the hugetlb pages
- Read from the memfd using preadv()
- KMSAN detects uninitialized memory being copied to userspace
Reported-by: syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
mm/memfd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/mm/memfd.c b/mm/memfd.c
index 1d109c1acf21..cdef16ef1011 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -96,6 +96,7 @@ struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx)
NULL,
gfp_mask);
if (folio) {
+ folio_zero_range(folio, 0, folio_size(folio));
err = hugetlb_add_to_page_cache(folio,
memfd->f_mapping,
idx);
--
2.43.0
next prev parent reply other threads:[~2025-11-12 1:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-10 18:09 [syzbot] [fs?] [mm?] KMSAN: kernel-infoleak in hugetlbfs_read_iter syzbot
2025-11-12 0:54 ` Forwarded: [PATCH] mm/memfd: zero hugetlb pages on allocation syzbot
2025-11-12 1:27 ` syzbot [this message]
2025-11-12 12:41 ` Forwarded: [PATCH] mm/memfd: properly initialize hugetlb folios syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6913e29c.a70a0220.22f260.0153.GAE@google.com \
--to=syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.