From mboxrd@z Thu Jan 1 00:00:00 1970
X-Mailing-List: linux-kernel@vger.kernel.org
Date: Tue, 23 Dec 2025 19:53:33 -0800
In-Reply-To: <20251224020424.52976-1-21cnbao@gmail.com>
Message-ID: <694b63bd.050a0220.35954c.0012.GAE@google.com>
Subject: Re: [syzbot] [mm?] KMSAN: uninit-value in swap_writeout
From: syzbot
To: 21cnbao@gmail.com
Cc: 21cnbao@gmail.com, akpm@linux-foundation.org, baolin.wang@linux.alibaba.com, bhe@redhat.com, chrisl@kernel.org, hughd@google.com, kasong@tencent.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, nphamcs@gmail.com, pfalcato@suse.de, shikemeng@huaweicloud.com, syzkaller-bugs@googlegroups.com

> On Wed, Dec 24, 2025 at 2:43 PM Baolin Wang wrote:
>>
>>
>>
>> On 2025/12/24 08:16, Barry Song wrote:
>> > On Wed, Dec 24, 2025 at 12:43 PM Pedro Falcato wrote:
>> >>
>> >> On Wed, Dec 24, 2025 at 11:46:44AM +1300, Barry Song wrote:
>> >>>>
>> >>>> Uninit was created at:
>> >>>>   __alloc_frozen_pages_noprof+0x421/0xab0 mm/page_alloc.c:5233
>> >>>>   alloc_pages_mpol+0x328/0x860 mm/mempolicy.c:2486
>> >>>>   folio_alloc_mpol_noprof+0x56/0x1d0 mm/mempolicy.c:2505
>> >>>>   shmem_alloc_folio mm/shmem.c:1890 [inline]
>> >>>>   shmem_alloc_and_add_folio+0xc56/0x1bd0 mm/shmem.c:1932
>> >>>>   shmem_get_folio_gfp+0xad3/0x1fc0 mm/shmem.c:2556
>> >>>>   shmem_get_folio mm/shmem.c:2662 [inline]
>> >>>>   shmem_symlink+0x562/0xad0 mm/shmem.c:4129
>> >>>>   vfs_symlink+0x42f/0x4c0 fs/namei.c:5514
>> >>>>   do_symlinkat+0x2ae/0xbb0 fs/namei.c:5541
>> >>>
>> >>> +Hugh and Baolin.
>>
>> Thanks for CCing me.
>>
>> >>>
>> >>> This happens in the shmem symlink path, where newly allocated
>> >>> folios are not cleared for some reason. As a result,
>> >>> is_folio_zero_filled() ends up reading uninitialized data.
>> >>>
>> >>
>> >> I'm not Hugh nor Baolin, but I would guess that letting
>> >> is_folio_zero_filled() skip/disable KMSAN would also work. Since all we want
>> >> is to skip writeout if the folio is zero, whether it is incidentally zero, or not,
>> >> does not really matter, I think.
>> >
>> > Hi Pedro, thanks! You're always welcome to chime in.
>> >
>> > You are probably right.
>> > However, I still prefer the remaining
>> > data to be zeroed, as it may be more compression-friendly.
>> >
>> > Random data could potentially lead to larger compressed output,
>> > whereas a large area of zeros would likely result in much smaller
>> > compressed data.
>>
>> Thanks Pedro and Barry. I remember Hugh raised a similar issue before
>> (See [1], but I did not investigate further :( ). I agree with Hugh's
>> point that the uninitialized parts should be zeroed before going to the
>> outside world.
>>
>> [1]
>> https://lore.kernel.org/all/02a21a55-8fe3-a9eb-f54b-051d75ae8335@google.com/
>>
>> > Not quite sure if the below can fix the issue:
>> >
>> > diff --git a/mm/shmem.c b/mm/shmem.c
>> > index ec6c01378e9d..0ca2d4bffdb4 100644
>> > --- a/mm/shmem.c
>> > +++ b/mm/shmem.c
>> > @@ -4131,6 +4131,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
>> >                       goto out_remove_offset;
>> >               inode->i_op = &shmem_symlink_inode_operations;
>> >               memcpy(folio_address(folio), symname, len);
>> > +             memset(folio_address(folio) + len, 0, folio_size(folio) - len);
>> >               folio_mark_uptodate(folio);
>> >               folio_mark_dirty(folio);
>> >               folio_unlock(folio);
>>
>> That looks reasonable to me, though I prefer to use the more readable
>> helper: folio_zero_range(). Barry, could you send out a formal patch?
>> Thanks.
>
> Thanks, Baolin. Let me request a bot test first.
>
> #syz test

This crash does not have a reproducer. I cannot test it.

>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index ec6c01378e9d..835900a08f51 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -4131,6 +4131,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
>  			goto out_remove_offset;
>  		inode->i_op = &shmem_symlink_inode_operations;
>  		memcpy(folio_address(folio), symname, len);
> +		folio_zero_range(folio, len, folio_size(folio) - len);
>  		folio_mark_uptodate(folio);
>  		folio_mark_dirty(folio);
>  		folio_unlock(folio);
> -- 
> 2.48.1
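Review bot: the memset variant quoted earlier in the thread (index ec6c01378e9d..0ca2d4bffdb4) is whitespace-damaged: its indentation arrived as non-breaking spaces instead of tabs, so it cannot be applied with git am and only serves as a sketch. The zeroing itself is scoped correctly, covering the folio_size(folio) - len bytes after the memcpy'd name, which is exactly the region the report shows is_folio_zero_filled() reading uninitialized; the folio_zero_range() form Baolin asked for does the same through the folio helpers and is the one to submit.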
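Review bot: the added folio_zero_range(folio, len, folio_size(folio) - len) line initializes every byte after the copied name, so the zero-fill check in swap_writeout() and the swap write itself only ever see defined data, and the zero tail keeps compressed output small, as Barry argues above. For the formal patch: the hunk relies on len <= folio_size(folio) (both length arguments are unsigned) and the check that guarantees this is outside the hunk, so state it in the commit message; also carry the Reported-by: line from the syzbot report and a Fixes: tag if one applies, and note that syzbot could not test the change because the report has no reproducer, so the KMSAN trace in the report is the evidence to cite.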
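Added for illustration (a user-space model written here, not kernel code and not from the thread): it mirrors the path the KMSAN report describes, shmem_symlink() copying the name into a page that was never zeroed and the swap-out zero-fill check then examining bytes after the name, with a shadow array standing in for KMSAN's per-byte initialization tracking. Assumptions: PAGE_SZ, the stale-content pattern and all function names are constructed for the model, and the last-word-first scan order is taken from is_folio_zero_filled() in mm/page_io.c.

```c
#include <stdbool.h>
#include <string.h>
#define PAGE_SZ 4096

/* Hypothetical model: page bytes plus a KMSAN-style shadow byte per data byte;
 * shadow[i] != 0 means data[i] was never written since the page was allocated. */
struct page_model { unsigned char data[PAGE_SZ], shadow[PAGE_SZ]; };

/* Build the page as shmem_symlink() does: no __GFP_ZERO (stale contents are a constructed
 * non-zero pattern), memcpy of the NUL-terminated name, then optionally the patch's tail zeroing. */
static void build_symlink_page(struct page_model *p, const char *symname, bool zero_tail)
{
	size_t len = strlen(symname) + 1; /* len > PAGE_SIZE is rejected earlier in shmem_symlink() */
	for (size_t i = 0; i < PAGE_SZ; i++)
		p->data[i] = (unsigned char)(0x5a + i);
	memset(p->shadow, 1, PAGE_SZ);
	memcpy(p->data, symname, len);
	memset(p->shadow, 0, len);
	if (zero_tail) { /* folio_zero_range(folio, len, folio_size(folio) - len) */
		memset(p->data + len, 0, PAGE_SZ - len);
		memset(p->shadow + len, 0, PAGE_SZ - len);
	}
}

/* Model of is_folio_zero_filled() (mm/page_io.c tests the last word first, then scans
 * forward). Returns true when the verdict consumes an uninitialized byte, the KMSAN report point. */
static bool writeout_check_uses_uninit(const char *symname, bool zero_tail)
{
	struct page_model p;
	size_t i = PAGE_SZ - sizeof(unsigned long); /* start at the last word */
	build_symlink_page(&p, symname, zero_tail);
	for (size_t n = 0; n < PAGE_SZ; n++, i = (i + 1) % PAGE_SZ) {
		if (p.shadow[i])
			return true;  /* an uninit value reaches the branch below */
		if (p.data[i])
			return false; /* non-zero data: not zero-filled, scan stops */
	}
	return false;
}

/* Bytes that would reach swap, and the compressor, without ever being initialized. */
static size_t uninit_bytes_in_symlink_page(const char *symname, bool zero_tail)
{
	struct page_model p;
	size_t n = 0;
	build_symlink_page(&p, symname, zero_tail);
	for (size_t i = 0; i < PAGE_SZ; i++)
		n += p.shadow[i] != 0;
	return n;
}
```

With zero_tail set, the check reads only initialized bytes and the number of uninitialized bytes reaching swap drops from page size minus name length to zero.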