From: syzbot <syzbot+178fff6149127421c2cc@syzkaller.appspotmail.com>
To: 21cnbao@gmail.com
Cc: 21cnbao@gmail.com, akpm@linux-foundation.org, baolin.wang@linux.alibaba.com,
	bhe@redhat.com, chrisl@kernel.org, hughd@google.com, kasong@tencent.com,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org, nphamcs@gmail.com,
	pfalcato@suse.de, shikemeng@huaweicloud.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] KMSAN: uninit-value in swap_writeout
Date: Tue, 23 Dec 2025 19:53:33 -0800
Message-ID: <694b63bd.050a0220.35954c.0012.GAE@google.com>
In-Reply-To: <20251224020424.52976-1-21cnbao@gmail.com>

> On Wed, Dec 24, 2025 at 2:43 PM Baolin Wang <baolin.wang@linux.alibaba.com> wrote:
>>
>> On 2025/12/24 08:16, Barry Song wrote:
>> > On Wed, Dec 24, 2025 at 12:43 PM Pedro Falcato <pfalcato@suse.de> wrote:
>> >>
>> >> On Wed, Dec 24, 2025 at 11:46:44AM +1300, Barry Song wrote:
>> >>>>
>> >>>> Uninit was created at:
>> >>>>   __alloc_frozen_pages_noprof+0x421/0xab0 mm/page_alloc.c:5233
>> >>>>   alloc_pages_mpol+0x328/0x860 mm/mempolicy.c:2486
>> >>>>   folio_alloc_mpol_noprof+0x56/0x1d0 mm/mempolicy.c:2505
>> >>>>   shmem_alloc_folio mm/shmem.c:1890 [inline]
>> >>>>   shmem_alloc_and_add_folio+0xc56/0x1bd0 mm/shmem.c:1932
>> >>>>   shmem_get_folio_gfp+0xad3/0x1fc0 mm/shmem.c:2556
>> >>>>   shmem_get_folio mm/shmem.c:2662 [inline]
>> >>>>   shmem_symlink+0x562/0xad0 mm/shmem.c:4129
>> >>>>   vfs_symlink+0x42f/0x4c0 fs/namei.c:5514
>> >>>>   do_symlinkat+0x2ae/0xbb0 fs/namei.c:5541
>> >>>
>> >>> +Hugh and Baolin.
>>
>> Thanks for CCing me.
>>
>> >>>
>> >>> This happens in the shmem symlink path, where newly allocated
>> >>> folios are not cleared for some reason. As a result,
>> >>> is_folio_zero_filled() ends up reading uninitialized data.
>> >>>
>> >>
>> >> I'm not Hugh nor Baolin, but I would guess that letting
>> >> is_folio_zero_filled() skip/disable KMSAN would also work. Since all we want
>> >> is to skip writeout if the folio is zero, whether it is incidentally zero, or not,
>> >> does not really matter, I think.
>> >
>> > Hi Pedro, thanks! You’re always welcome to chime in.
>> >
>> > You are probably right. However, I still prefer the remaining
>> > data to be zeroed, as it may be more compression-friendly.
>> >
>> > Random data could potentially lead to larger compressed output,
>> > whereas a large area of zeros would likely result in much smaller
>> > compressed data.
>>
>> Thanks Pedro and Barry. I remember Hugh raised a similar issue before
>> (see [1], but I did not investigate further :( ). I agree with Hugh's
>> point that the uninitialized parts should be zeroed before going to the
>> outside world.
>>
>> [1]
>> https://lore.kernel.org/all/02a21a55-8fe3-a9eb-f54b-051d75ae8335@google.com/
>>
>> > Not quite sure if the below can fix the issue:
>> >
>> > diff --git a/mm/shmem.c b/mm/shmem.c
>> > index ec6c01378e9d..0ca2d4bffdb4 100644
>> > --- a/mm/shmem.c
>> > +++ b/mm/shmem.c
>> > @@ -4131,6 +4131,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
>> >                       goto out_remove_offset;
>> >               inode->i_op = &shmem_symlink_inode_operations;
>> >               memcpy(folio_address(folio), symname, len);
>> > +             memset(folio_address(folio) + len, 0, folio_size(folio) - len);
>> >               folio_mark_uptodate(folio);
>> >               folio_mark_dirty(folio);
>> >               folio_unlock(folio);
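Review bot: the added `memset(folio_address(folio) + len, 0, folio_size(folio) - len);` covers the right range (the name occupies [0, len), the tail [len, folio_size)) and sits before folio_mark_uptodate(), but it reaches into the folio through folio_address() directly; `folio_zero_range(folio, len, folio_size(folio) - len)` expresses the same intent through the folio helper, which maps each page and flushes the dcache as needed, so prefer it. A one-line comment above the zeroing, saying that the unwritten tail would otherwise reach the zero-filled check in swap writeout uninitialised, would also save the next reader a trip to this thread.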
>>
>> That looks reasonable to me, though I prefer to use the more readable
>> helper: folio_zero_range(). Barry, could you send out a formal patch?
>> Thanks.
>
> Thanks, Baolin. Let me request a bot test first.
>
> #syz test

This crash does not have a reproducer. I cannot test it.

>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index ec6c01378e9d..835900a08f51 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -4131,6 +4131,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
>  			goto out_remove_offset;
>  		inode->i_op = &shmem_symlink_inode_operations;
>  		memcpy(folio_address(folio), symname, len);
> +		folio_zero_range(folio, len, folio_size(folio) - len);
>  		folio_mark_uptodate(folio);
>  		folio_mark_dirty(folio);
>  		folio_unlock(folio);
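Review bot: the offset and length in `folio_zero_range(folio, len, folio_size(folio) - len);` are consistent with the memcpy just above it, and placing the zeroing before folio_mark_uptodate() is the right ordering. Two follow-ups: add a short comment explaining why the tail is zeroed (so that swap_writeout()'s zero-filled check and the swap compressor never see unwritten bytes), and confirm that `len` can never exceed folio_size(folio) on this path, since the length argument would otherwise wrap.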
> -- 
> 2.48.1
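The following is an added userspace model of the behaviour discussed in this thread, not kernel code and not part of the posted patches. It assumes a constructed 4 KiB page pre-filled with a 0xA5 pattern standing in for unwritten memory, a `page_is_zero_filled()` stand-in for `is_folio_zero_filled()`, and two store variants: the pre-fix copy that leaves the tail untouched, and the post-fix copy followed by zeroing `[len, PAGE_SIZE)` as `folio_zero_range(folio, len, folio_size(folio) - len)` does. It shows why the zero-filled check is only meaningful once the tail is zeroed, and how many bytes of content-free data would otherwise reach writeout.

```c
/* Added example (not kernel code): userspace model of the shmem_symlink()
 * tail-zeroing discussed above. PAGE_SIZE, the helpers and the 0xA5 fill
 * pattern are constructed for illustration. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096

/* Model of is_folio_zero_filled(): true iff every word of the page is zero. */
static int page_is_zero_filled(const unsigned char *page)
{
    unsigned long words[PAGE_SIZE / sizeof(unsigned long)];
    memcpy(words, page, PAGE_SIZE);          /* avoid alignment assumptions */
    for (size_t i = 0; i < PAGE_SIZE / sizeof(unsigned long); i++)
        if (words[i])
            return 0;
    return 1;
}

/* Pre-fix behaviour: copy the name including its NUL and leave the rest of
 * the page untouched, so whatever was there before stays there. */
static size_t store_symlink_unzeroed(unsigned char *page, const char *symname)
{
    size_t len = strlen(symname) + 1;
    memcpy(page, symname, len);
    return len;
}

/* Post-fix behaviour: same copy, then zero [len, PAGE_SIZE), mirroring
 * folio_zero_range(folio, len, folio_size(folio) - len). */
static size_t store_symlink_zeroed(unsigned char *page, const char *symname)
{
    size_t len = store_symlink_unzeroed(page, symname);
    memset(page + len, 0, PAGE_SIZE - len);
    return len;
}

/* Fill the model page with the constructed 0xA5 "unwritten" pattern, store
 * symname with the chosen variant, and return the stored length. */
static size_t model_store(unsigned char *page, const char *symname, int zero_tail)
{
    memset(page, 0xA5, PAGE_SIZE);
    return zero_tail ? store_symlink_zeroed(page, symname)
                     : store_symlink_unzeroed(page, symname);
}

/* Nonzero bytes after the stored name: data a zero-filled check or a swap
 * compressor would see, but which carries no information at all. */
static size_t stale_bytes_after_store(const char *symname, int zero_tail)
{
    unsigned char page[PAGE_SIZE];
    size_t len = model_store(page, symname, zero_tail);
    size_t n = 0;
    for (size_t i = len; i < PAGE_SIZE; i++)
        n += page[i] != 0;
    return n;
}

/* Whether the zero-filled check fires for a symlink whose name is all
 * that was written; with the tail unzeroed the answer depends on leftovers. */
static int zero_filled_after_store(const char *symname, int zero_tail)
{
    unsigned char page[PAGE_SIZE];
    model_store(page, symname, zero_tail);
    return page_is_zero_filled(page);
}

int main(void)
{
    const char *target = "/constructed/target";   /* constructed symlink target */
    printf("unzeroed: %zu stale bytes, zero-filled=%d\n",
           stale_bytes_after_store(target, 0), zero_filled_after_store("", 0));
    printf("zeroed:   %zu stale bytes, zero-filled=%d\n",
           stale_bytes_after_store(target, 1), zero_filled_after_store("", 1));
    return 0;
}
```

The empty-name case is the instructive one: after the fix the page is genuinely all zero and the check returns true for a reason, whereas before the fix its result is whatever the previous occupant of the memory left behind.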

