From: Sergey Senozhatsky <senozhatsky@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>,
Yosry Ahmed <yosry@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kartik Nair <contact.kartikn@gmail.com>,
minchan@kernel.org, senozhatsky@chromium.org,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
syzbot+8f77ff6144a73f0cf71b@syzkaller.appspotmail.com,
Nhat Pham <nphamcs@gmail.com>, Yosry Ahmed <yosry@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH] zsmalloc: zero-initialize zspage memory to prevent KMSAN uninit reads
Date: Wed, 13 May 2026 11:47:41 +0900 [thread overview]
Message-ID: <agPjfGO6zh9HLPBE@google.com> (raw)
In-Reply-To: <20260512144733.9132c83e392a109743e92f71@linux-foundation.org>
Adding Yosry and Herbert,
On (26/05/12 14:47), Andrew Morton wrote:
> > Pages allocated via alloc_zpdesc() use alloc_pages_node() without
> > __GFP_ZERO, leaving physical memory uninitialized. When a compressed
> > object spans two physical pages in a zspage, zs_obj_read_sg_begin()
> > sets up a scatterlist pointing directly at the raw second page. If the
> > second page was freshly allocated and never written beyond the object
> > boundary, KMSAN detects reads of uninitialized memory downstream in
> > the decompressor (e.g. sw842_decompress reading the CRC trailer).
I don't get this. How can sw842_decompress() read more bytes than
it's told to decompress. We first compress and store the object,
before we load and decompress, reading past the known compressed
object size (which we pass to decompress function) should not happen.
Yosry, Herbert, any ideas?
> > Fix this by passing __GFP_ZERO to alloc_zpdesc() in alloc_zspage() so
> > all pages backing a zspage are zero-initialized at allocation time.
> >
> > Reported-by: syzbot+8f77ff6144a73f0cf71b@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=8f77ff6144a73f0cf71b
> > Signed-off-by: Kartik Nair <contact.kartikn@gmail.com>
>
> Thanks.
>
> > --- a/mm/zsmalloc.c
> > +++ b/mm/zsmalloc.c
> > @@ -951,7 +951,7 @@ static struct zspage *alloc_zspage(struct zs_pool *pool,
> > for (i = 0; i < class->pages_per_zspage; i++) {
> > struct zpdesc *zpdesc;
> >
> > - zpdesc = alloc_zpdesc(gfp, nid);
> > + zpdesc = alloc_zpdesc(gfp | __GFP_ZERO, nid);
> > if (!zpdesc) {
> > while (--i >= 0) {
> > zpdesc_dec_zone_page_state(zpdescs[i]);
>
> Decompressing uninitialized memory sounds rather bad, so I'll add a
> cc:stable to this.
[..]
> I think the Fixes: target is 56e5a103a721 ("zsmalloc: prefer the the
> original page's node for compressed data"). Can people please check
> this when reviewing?
If we need to pick a zsmalloc commit, then this probably can be related
to zs_obj_read_sg_begin() API (which is used only by zswap at the moemnt),
so probably the Fixes: tag be dc2e4982cb018 (zsmalloc: introduce SG-list
based object read API).
next prev parent reply other threads:[~2026-05-13 2:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 21:36 [PATCH] zsmalloc: zero-initialize zspage memory to prevent KMSAN uninit reads Kartik Nair
2026-05-12 21:47 ` Andrew Morton
2026-05-13 2:47 ` Sergey Senozhatsky [this message]
2026-05-13 5:43 ` Herbert Xu
2026-05-13 6:06 ` Sergey Senozhatsky
2026-05-13 20:11 ` Yosry Ahmed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agPjfGO6zh9HLPBE@google.com \
--to=senozhatsky@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=contact.kartikn@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=minchan@kernel.org \
--cc=nphamcs@gmail.com \
--cc=syzbot+8f77ff6144a73f0cf71b@syzkaller.appspotmail.com \
--cc=yosry@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox