From: Barry Song <21cnbao@gmail.com>
To: baolin.wang@linux.alibaba.com, syzbot+178fff6149127421c2cc@syzkaller.appspotmail.com
Cc: 21cnbao@gmail.com, akpm@linux-foundation.org, bhe@redhat.com, chrisl@kernel.org, hughd@google.com, kasong@tencent.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, nphamcs@gmail.com, pfalcato@suse.de, shikemeng@huaweicloud.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] KMSAN: uninit-value in swap_writeout
Date: Wed, 24 Dec 2025 15:04:21 +1300
Message-ID: <20251224020424.52976-1-21cnbao@gmail.com>
In-Reply-To: <9bbc1962-5f6f-4e3c-a672-d80565aa5157@linux.alibaba.com>
References: <9bbc1962-5f6f-4e3c-a672-d80565aa5157@linux.alibaba.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Dec 24, 2025 at 2:43 PM Baolin Wang wrote:
>
>
>
> On 2025/12/24 08:16, Barry Song wrote:
> > On Wed, Dec 24, 2025 at 12:43 PM Pedro Falcato wrote:
> >>
> >> On Wed, Dec 24, 2025 at 11:46:44AM +1300, Barry Song wrote:
> >>>>
> >>>> Uninit was created at:
> >>>>   __alloc_frozen_pages_noprof+0x421/0xab0 mm/page_alloc.c:5233
> >>>>   alloc_pages_mpol+0x328/0x860 mm/mempolicy.c:2486
> >>>>   folio_alloc_mpol_noprof+0x56/0x1d0 mm/mempolicy.c:2505
> >>>>   shmem_alloc_folio mm/shmem.c:1890 [inline]
> >>>>   shmem_alloc_and_add_folio+0xc56/0x1bd0 mm/shmem.c:1932
> >>>>   shmem_get_folio_gfp+0xad3/0x1fc0 mm/shmem.c:2556
> >>>>   shmem_get_folio mm/shmem.c:2662 [inline]
> >>>>   shmem_symlink+0x562/0xad0 mm/shmem.c:4129
> >>>>   vfs_symlink+0x42f/0x4c0 fs/namei.c:5514
> >>>>   do_symlinkat+0x2ae/0xbb0 fs/namei.c:5541
> >>>
> >>> +Hugh and Baolin.
>
> Thanks for CCing me.
>
> >>>
> >>> This happens in the shmem symlink path, where newly allocated
> >>> folios are not cleared for some reason. As a result,
> >>> is_folio_zero_filled() ends up reading uninitialized data.
> >>>
> >>
> >> I'm not Hugh nor Baolin, but I would guess that letting
> >> is_folio_zero_filled() skip/disable KMSAN would also work. Since all we want
> >> is to skip writeout if the folio is zero, whether it is incidentally zero, or not,
> >> does not really matter, I think.
> >
> > Hi Pedro, thanks! You’re always welcome to chime in.
> >
> > You are probably right. However, I still prefer the remaining
> > data to be zeroed, as it may be more compression-friendly.
> >
> > Random data could potentially lead to larger compressed output,
> > whereas a large area of zeros would likely result in much smaller
> > compressed data.
>
> Thanks Pedro and Barry. I remember Hugh raised a similar issue before
> (See [1], but I did not investigate further :(). I agree with Hugh's
> point that the uninitialized parts should be zeroed before going to the
> outside world.
>
> [1]
> https://lore.kernel.org/all/02a21a55-8fe3-a9eb-f54b-051d75ae8335@google.com/
>
> > Not quite sure if the below can fix the issue:
> >
> > diff --git a/mm/shmem.c b/mm/shmem.c
> > index ec6c01378e9d..0ca2d4bffdb4 100644
> > --- a/mm/shmem.c
> > +++ b/mm/shmem.c
> > @@ -4131,6 +4131,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
> >                       goto out_remove_offset;
> >               inode->i_op = &shmem_symlink_inode_operations;
> >               memcpy(folio_address(folio), symname, len);
> > +             memset(folio_address(folio) + len, 0, folio_size(folio) - len);
> >               folio_mark_uptodate(folio);
> >               folio_mark_dirty(folio);
> >               folio_unlock(folio);
>
> That looks reasonable to me, though I prefer to use the more readable
> helper: folio_zero_range(). Barry, could you send out a formal patch?
> Thanks.

Thanks, Baolin. Let me request a bot test first.

#syz test

diff --git a/mm/shmem.c b/mm/shmem.c
index ec6c01378e9d..835900a08f51 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -4131,6 +4131,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
 			goto out_remove_offset;
 		inode->i_op = &shmem_symlink_inode_operations;
 		memcpy(folio_address(folio), symname, len);
+		folio_zero_range(folio, len, folio_size(folio) - len);
 		folio_mark_uptodate(folio);
 		folio_mark_dirty(folio);
 		folio_unlock(folio);
-- 
2.48.1
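Review bot: the `@@ -4131,6 +4131,7 @@` hunk in the `#syz test` request carries no commit message, and the formal patch Baolin asked for should supply what this thread establishes: why the uninitialized tail matters (is_folio_zero_filled() reads the whole folio at swapout, and a zeroed tail compresses better, as argued above), plus a `Reported-by: syzbot+178fff6149127421c2cc@syzkaller.appspotmail.com` tag taken from the report and a Fixes: tag pointing at the commit that introduced the zero-filled check, since a KMSAN-visible uninitialized read on the swapout path is stable material. The placement itself is right: `folio_zero_range(folio, len, folio_size(folio) - len)` runs after `memcpy()` and before `folio_mark_uptodate()`, so the folio is fully initialized before it can be marked uptodate, dirtied and reach swap_writeout(). One sentence in the commit message on why `folio_size(folio) - len` cannot underflow (the name length accepted through vfs_symlink() versus the minimum folio size) would save the next reader working it out.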