From: Kartik Nair
To: minchan@kernel.org, senozhatsky@chromium.org
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Kartik Nair, syzbot+8f77ff6144a73f0cf71b@syzkaller.appspotmail.com
Subject: [PATCH] zsmalloc: zero-initialize zspage memory to prevent KMSAN uninit reads
Date: Tue, 12 May 2026 03:06:58 +0530
Message-Id: <20260511213658.25273-1-contact.kartikn@gmail.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
X-Mailing-List: linux-kernel@vger.kernel.org

Pages allocated via alloc_zpdesc() use alloc_pages_node() without __GFP_ZERO, leaving physical memory uninitialized. When a compressed object spans two physical pages in a zspage, zs_obj_read_sg_begin() sets up a scatterlist pointing directly at the raw second page. If the second page was freshly allocated and never written beyond the object boundary, KMSAN detects reads of uninitialized memory downstream in the decompressor (e.g. sw842_decompress reading the CRC trailer).

Fix this by passing __GFP_ZERO to alloc_zpdesc() in alloc_zspage() so all pages backing a zspage are zero-initialized at allocation time.

Reported-by: syzbot+8f77ff6144a73f0cf71b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8f77ff6144a73f0cf71b
Signed-off-by: Kartik Nair
---
 mm/zsmalloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index 63128ddb7..5bbd417d3 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -951,7 +951,7 @@ static struct zspage *alloc_zspage(struct zs_pool *pool, for (i = 0; i < class->pages_per_zspage; i++) { struct zpdesc *zpdesc; - zpdesc = alloc_zpdesc(gfp, nid); + zpdesc = alloc_zpdesc(gfp | __GFP_ZERO, nid); if (!zpdesc) { while (--i >= 0) { zpdesc_dec_zone_page_state(zpdescs[i]); -- 2.39.5 (Apple Git-154)
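Review bot: the `zpdesc = alloc_zpdesc(gfp | __GFP_ZERO, nid);` change in alloc_zspage() silences the KMSAN report but does not bound the read the commit message describes. Per that message, zs_obj_read_sg_begin() hands the decompressor a scatterlist covering the raw second page and sw842_decompress reads past the object boundary; zeroing at allocation only guarantees those bytes are zero until the zspage's slots have been used once. After an object is freed and the same slot is reused for a shorter one, the bytes beyond the new object's boundary are the previous object's tail, which the decompressor will still consume, now as defined memory and therefore silently. The fix belongs where the length is decided: limit the scatterlist length in zs_obj_read_sg_begin() to the object's compressed size, or pass that size to the decompressor, and keep this hunk only if the zeroing is wanted on its own merits. Note also the cost: __GFP_ZERO here clears PAGE_SIZE bytes for every page of every zspage on the zsmalloc allocation path, not only pages that end up backing a spanning object, so a before/after number on zram or zswap store throughput would belong in the commit message. The trailers carry Reported-by, Closes and Signed-off-by but no Fixes: tag; if the scatterlist read path is a recent addition, add one so stable can pick the fix up.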
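The failure mode the commit message describes, and the reason zeroing at allocation time is not a complete fix, modelled as an added example in user-space C. This is not code from the patch or from mm/zsmalloc.c: the 4 KiB page size, the 64-byte slot offset, the 100-byte object, the 8-byte trailer and the 0xAA "stale" pattern are all constructed for illustration, and the struct and function names are stand-ins for zsmalloc's, not its real API.

```c
/*
 * Added example, not code from the patch or from mm/zsmalloc.c: a user-space
 * model of a compressed object that straddles two pages of a zspage.
 * Page size, slot offset, object length, trailer size and the 0xAA "stale"
 * pattern are constructed for illustration; all names are stand-ins.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u
#define SLOT_OFF  (MODEL_PAGE_SIZE - 64u) /* object starts 64 bytes before the page boundary */
#define OBJ_LEN   100u                    /* 64 bytes land in page 0, 36 in page 1 */
#define TRAILER   8u                      /* extra bytes a decompressor may read past OBJ_LEN */

struct zspage_model {
	uint8_t *page[2];
};

/* Stand-in for alloc_zpdesc(): zero == 0 leaves each page holding whatever was
 * there before (modelled as 0xAA, the bytes KMSAN would flag as uninitialized);
 * zero == 1 behaves like __GFP_ZERO. */
static int zspage_alloc(struct zspage_model *z, int zero)
{
	for (int i = 0; i < 2; i++) {
		z->page[i] = malloc(MODEL_PAGE_SIZE);
		if (!z->page[i])
			return -1;
		memset(z->page[i], zero ? 0x00 : 0xAA, MODEL_PAGE_SIZE);
	}
	return 0;
}

static void zspage_free(struct zspage_model *z)
{
	free(z->page[0]);
	free(z->page[1]);
}

/* Byte i of the slot lives in page 0 up to the boundary and in page 1 after it. */
static uint8_t *slot_byte(struct zspage_model *z, size_t i)
{
	size_t off = SLOT_OFF + i;

	return off < MODEL_PAGE_SIZE ? &z->page[0][off] : &z->page[1][off - MODEL_PAGE_SIZE];
}

/* Store an object of len bytes in the slot; bytes beyond len are left untouched. */
static void slot_write(struct zspage_model *z, uint8_t fill, size_t len)
{
	for (size_t i = 0; i < len; i++)
		*slot_byte(z, i) = fill;
}

/* A reader handed a scatterlist of read_len bytes: count the bytes in
 * [OBJ_LEN, read_len) that are not the zeros the patch relies on. */
static size_t stale_bytes_read(struct zspage_model *z, size_t read_len)
{
	size_t stale = 0;

	for (size_t i = OBJ_LEN; i < read_len; i++)
		stale += *slot_byte(z, i) != 0;
	return stale;
}

/* Allocate, optionally store and "free" an earlier object of prior_len bytes in
 * the slot, store the OBJ_LEN-byte object being read, then read read_len bytes. */
static size_t run_scenario(int zero, size_t prior_len, size_t read_len)
{
	struct zspage_model z;
	size_t n;

	if (zspage_alloc(&z, zero))
		return (size_t)-1;
	if (prior_len)
		slot_write(&z, 0x5A, prior_len); /* earlier, longer object, since freed */
	slot_write(&z, 0x11, OBJ_LEN);           /* the object the reader asks for */
	n = stale_bytes_read(&z, read_len);
	zspage_free(&z);
	return n;
}

/* Fresh pages without __GFP_ZERO: the trailer is whatever the page held (8 stale bytes). */
size_t scenario_fresh_unzeroed(void) { return run_scenario(0, 0, OBJ_LEN + TRAILER); }

/* Fresh pages with __GFP_ZERO, as the patch does: the trailer reads as zeros. */
size_t scenario_fresh_zeroed(void)   { return run_scenario(1, 0, OBJ_LEN + TRAILER); }

/* Zeroed pages, but the slot is reused after a longer object: the trailer is
 * that object's tail, so zeroing at allocation time no longer helps. */
size_t scenario_reused_slot(void)    { return run_scenario(1, OBJ_LEN + TRAILER, OBJ_LEN + TRAILER); }

/* Same reused slot, but the reader is bounded to the object's own length. */
size_t scenario_bounded_reader(void) { return run_scenario(1, OBJ_LEN + TRAILER, OBJ_LEN); }

int main(void)
{
	printf("fresh, unzeroed:       %zu stale trailer bytes\n", scenario_fresh_unzeroed());
	printf("fresh, __GFP_ZERO:     %zu stale trailer bytes\n", scenario_fresh_zeroed());
	printf("reused slot, zeroed:   %zu stale trailer bytes\n", scenario_reused_slot());
	printf("reused slot, bounded:  %zu stale trailer bytes\n", scenario_bounded_reader());
	return 0;
}
```

Run stand-alone it prints the four counts. The two non-zero results are the point: without __GFP_ZERO the trailer is whatever the page held before, and even with zeroing a reused slot hands the reader the previous object's tail. Only the reader bounded to the object's compressed length is safe in every case, which is why the scatterlist length, not the page contents, is what needs fixing.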