From: Uladzislau Rezki
Date: Fri, 3 Apr 2026 12:55:31 +0200
To: chenyichong
Cc: wangqing7171@gmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzbot+37b7f6cd519f7fb8d32a@syzkaller.appspotmail.com, urezki@gmail.com
Subject: Re: [PATCH] mm/vmalloc: fix KMSAN uninit in decay_va_pool_node list handling
References: <20260402081413.1896640-1-wangqing7171@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 03, 2026 at 03:52:03PM +0800, chenyichong wrote:
> Prevent decay_va_pool_node from overwriting concurrent repopulation of
> vmap_node pool[i].head while purging. Read/reset pool[i].len under
> pool_lock and splice leftover vmap_area nodes back into the pool
> instead of replacing the list.
>
> Reported-by: syzbot+37b7f6cd519f7fb8d32a@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=37b7f6cd519f7fb8d32a
> Fixes: 7679ba6b36db ("mm: vmalloc: add a shrinker to drain vmap pools")
> Signed-off-by: chenyichong
> ---
>  mm/vmalloc.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
> index ecbac900c35f..72fb60553a71 100644
> --- a/mm/vmalloc.c
> +++ b/mm/vmalloc.c
> @@ -2233,10 +2233,9 @@ decay_va_pool_node(struct vmap_node *vn, bool full_decay)
>  		/* Detach the pool, so no-one can access it. */
>  		spin_lock(&vn->pool_lock);
>  		list_replace_init(&vn->pool[i].head, &tmp_list);
> -		spin_unlock(&vn->pool_lock);
> -
>  		pool_len = n_decay = vn->pool[i].len;
>  		WRITE_ONCE(vn->pool[i].len, 0);
> +		spin_unlock(&vn->pool_lock);
>  
>  		/* Decay a pool by ~25% out of left objects. */
>  		if (!full_decay)
> @@ -2259,8 +2258,14 @@ decay_va_pool_node(struct vmap_node *vn, bool full_decay)
>  		 */
>  		if (!list_empty(&tmp_list)) {
>  			spin_lock(&vn->pool_lock);
> -			list_replace_init(&tmp_list, &vn->pool[i].head);
> -			WRITE_ONCE(vn->pool[i].len, pool_len);
> +			/*
> +			 * Merge leftover areas back into the pool rather than
> +			 * replacing the whole list. A concurrent allocator can
> +			 * repopulate vn->pool[i].head while we are decaying
> +			 * tmp_list, and replacing would drop those nodes.
> +			 */
> +			list_splice_tail_init(&tmp_list, &vn->pool[i].head);
> +			WRITE_ONCE(vn->pool[i].len, vn->pool[i].len + pool_len);
>
"A concurrent allocator can repopulate..." - Where is it done?

Probably you meant something different.

--
Uladzislau Rezki
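Review bot: for the first hunk (@@ -2233,10 +2233,9 @@), the subject line refers to a KMSAN uninitialized-value report, but neither the description nor the hunk explains how moving `pool_len = n_decay = vn->pool[i].len;` and `WRITE_ONCE(vn->pool[i].len, 0);` under `pool_lock` prevents an uninitialized read; the description should walk through the interleaving syzbot hit (which context adds to `pool[i].head` between the detach and the reset of `len`) so the widened critical section can be judged against it.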
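Review bot: in the second hunk (@@ -2259,8 +2258,14 @@), `WRITE_ONCE(vn->pool[i].len, vn->pool[i].len + pool_len);` reads `len` with a plain load although every other access to the field in this patch is a WRITE_ONCE, so a READ_ONCE on the right-hand side (or a local read taken under the lock) would keep the annotations consistent. Note also that the first hunk resets `len` to 0 under the same lock, so unless some other context really does add to `pool[i].head` and bump `len` in between, the new expression equals `pool_len` and `list_splice_tail_init` onto an empty head is just the old `list_replace_init`; the added comment should name that populating context, and the comment closing at the ` */` context line directly above the `if` should be brought in line with it so the two adjacent comments do not state different assumptions about who can touch the pool.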