[PATCH] mm/shmem: fix uninitialized folio in shmem_symlink

[PATCH] mm/shmem: fix uninitialized folio in shmem_symlink

[Barry Song]

From: Barry Song <baohua@kernel.org>

Uninitialized folio allocated in shmem_symlink() may be accessed
during swap-out, causing KMSAN BUG:

BUG: KMSAN: uninit-value in is_folio_zero_filled mm/page_io.c:188 [inline]
BUG: KMSAN: uninit-value in swap_writeout+0x468/0x1390 mm/page_io.c:263
 is_folio_zero_filled mm/page_io.c:188 [inline]
 swap_writeout+0x468/0x1390 mm/page_io.c:263
 shmem_writeout+0x1abb/0x1f60 mm/shmem.c:1662
 writeout mm/vmscan.c:649 [inline]
 pageout mm/vmscan.c:698 [inline]
 shrink_folio_list+0x5920/0x7fc0 mm/vmscan.c:1418
 evict_folios+0x999d/0xbf30 mm/vmscan.c:4711
 try_to_shrink_lruvec+0x12b6/0x17e0 mm/vmscan.c:4874
 lru_gen_shrink_lruvec mm/vmscan.c:5023 [inline]
 shrink_lruvec+0x46f/0x4f10 mm/vmscan.c:5784
 shrink_node_memcgs mm/vmscan.c:6020 [inline]

This patch clears the remaining part to zero for the portion not
covered by memcpy from symname.

Cc: Hugh Dickins <hughd@google.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Reported-by: syzbot+178fff6149127421c2cc@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/6949370f.050a0220.1b4e0c.0038.GAE@google.com/
Signed-off-by: Barry Song <baohua@kernel.org>
---
 mm/shmem.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/shmem.c b/mm/shmem.c
index ec6c01378e9d..835900a08f51 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -4131,6 +4131,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
 			goto out_remove_offset;
 		inode->i_op = &shmem_symlink_inode_operations;
 		memcpy(folio_address(folio), symname, len);
+		folio_zero_range(folio, len, folio_size(folio) - len);
 		folio_mark_uptodate(folio);
 		folio_mark_dirty(folio);
 		folio_unlock(folio);
-- 
2.43.0

Re: [PATCH] mm/shmem: fix uninitialized folio in shmem_symlink

[Matthew Wilcox]

On Wed, Dec 24, 2025 at 10:40:27PM +1300, Barry Song wrote:
> From: Barry Song <baohua@kernel.org>
> 
> Uninitialized folio allocated in shmem_symlink() may be accessed
> during swap-out, causing KMSAN BUG:

This would be an unfortunate way to fix it.  The vast majority of
symlinks are short, and we'll never access past the \0 in normal
operation, so we'll be dirtying a lot of cachelines essentially to (1)
shut up an automated tool and (2) optimise a corner case.

How about this instead which delays zeroing to swapout?

diff --git a/mm/shmem.c b/mm/shmem.c
index ec6c01378e9d..f3b3be1b50fe 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1636,6 +1636,13 @@ int shmem_writeout(struct folio *folio, struct swap_iocb **plug,
 		folio_mark_uptodate(folio);
 	}
 
+	/* Zero out symlink tails to help with compression */
+	if (folio_test_owner_2(folio)) {
+		struct inode *inode = folio->mapping->host;
+		folio_zero_segment(folio, inode->i_size, folio_size(folio));
+		folio_clear_owner_2(folio);
+	}
+
 	if (!folio_alloc_swap(folio)) {
 		bool first_swapped = shmem_recalc_inode(inode, 0, nr_pages);
 		int error;
@@ -4133,6 +4140,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
 		memcpy(folio_address(folio), symname, len);
 		folio_mark_uptodate(folio);
 		folio_mark_dirty(folio);
+		folio_set_owner_2(folio);
 		folio_unlock(folio);
 		folio_put(folio);
 	}

Re: [PATCH] mm/shmem: fix uninitialized folio in shmem_symlink

[Barry Song]

On Thu, Dec 25, 2025 at 6:01 AM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Wed, Dec 24, 2025 at 10:40:27PM +1300, Barry Song wrote:
> > From: Barry Song <baohua@kernel.org>
> >
> > Uninitialized folio allocated in shmem_symlink() may be accessed
> > during swap-out, causing KMSAN BUG:
>
> This would be an unfortunate way to fix it.  The vast majority of
> symlinks are short, and we'll never access past the \0 in normal
> operation, so we'll be dirtying a lot of cachelines essentially to (1)
> shut up an automated tool and (2) optimise a corner case.
>
> How about this instead which delays zeroing to swapout?

Matthew, thank you very much for your review, even during Christmas.
I would like to wish you a happy holiday!

I am not quite sure, as shm symlinks do not seem very common. Since
allocating a folio requires a symname longer than 128 bytes (where
128 == SHORT_SYMLINK_LEN), such cases appear even rarer.

BTW, do we need to migrate the owner_2 flag in folio_migrate_flags()?
If so, I am not quite sure it is worth changing the hotpath to
accommodate this.

>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index ec6c01378e9d..f3b3be1b50fe 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -1636,6 +1636,13 @@ int shmem_writeout(struct folio *folio, struct swap_iocb **plug,
>                 folio_mark_uptodate(folio);
>         }
>
> +       /* Zero out symlink tails to help with compression */
> +       if (folio_test_owner_2(folio)) {
> +               struct inode *inode = folio->mapping->host;
> +               folio_zero_segment(folio, inode->i_size, folio_size(folio));
> +               folio_clear_owner_2(folio);
> +       }
> +
>         if (!folio_alloc_swap(folio)) {
>                 bool first_swapped = shmem_recalc_inode(inode, 0, nr_pages);
>                 int error;
> @@ -4133,6 +4140,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
>                 memcpy(folio_address(folio), symname, len);
>                 folio_mark_uptodate(folio);
>                 folio_mark_dirty(folio);
> +               folio_set_owner_2(folio);
>                 folio_unlock(folio);
>                 folio_put(folio);
>         }

Thanks
Barry

Re: [PATCH] mm/shmem: fix uninitialized folio in shmem_symlink

[Baolin Wang]

On 2025/12/25 12:04, Barry Song wrote:
> On Thu, Dec 25, 2025 at 6:01 AM Matthew Wilcox <willy@infradead.org> wrote:
>>
>> On Wed, Dec 24, 2025 at 10:40:27PM +1300, Barry Song wrote:
>>> From: Barry Song <baohua@kernel.org>
>>>
>>> Uninitialized folio allocated in shmem_symlink() may be accessed
>>> during swap-out, causing KMSAN BUG:
>>
>> This would be an unfortunate way to fix it.  The vast majority of
>> symlinks are short, and we'll never access past the \0 in normal
>> operation, so we'll be dirtying a lot of cachelines essentially to (1)
>> shut up an automated tool and (2) optimise a corner case.
>>
>> How about this instead which delays zeroing to swapout?
> 
> Matthew, thank you very much for your review, even during Christmas.
> I would like to wish you a happy holiday!
> 
> I am not quite sure, as shm symlinks do not seem very common. Since
> allocating a folio requires a symname longer than 128 bytes (where
> 128 == SHORT_SYMLINK_LEN), such cases appear even rarer.
> 
> BTW, do we need to migrate the owner_2 flag in folio_migrate_flags()?
> If so, I am not quite sure it is worth changing the hotpath to
> accommodate this.

+1. At least for me, using the 'PG_owner_2' flag alone to mark this 
uncommon case doesn't seem quite worthwhile.

>> diff --git a/mm/shmem.c b/mm/shmem.c
>> index ec6c01378e9d..f3b3be1b50fe 100644
>> --- a/mm/shmem.c
>> +++ b/mm/shmem.c
>> @@ -1636,6 +1636,13 @@ int shmem_writeout(struct folio *folio, struct swap_iocb **plug,
>>                  folio_mark_uptodate(folio);
>>          }
>>
>> +       /* Zero out symlink tails to help with compression */
>> +       if (folio_test_owner_2(folio)) {
>> +               struct inode *inode = folio->mapping->host;
>> +               folio_zero_segment(folio, inode->i_size, folio_size(folio));
>> +               folio_clear_owner_2(folio);
>> +       }
>> +
>>          if (!folio_alloc_swap(folio)) {
>>                  bool first_swapped = shmem_recalc_inode(inode, 0, nr_pages);
>>                  int error;
>> @@ -4133,6 +4140,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir,
>>                  memcpy(folio_address(folio), symname, len);
>>                  folio_mark_uptodate(folio);
>>                  folio_mark_dirty(folio);
>> +               folio_set_owner_2(folio);
>>                  folio_unlock(folio);
>>                  folio_put(folio);
>>          }
> 
> Thanks
> Barry

Re: [PATCH] mm/shmem: fix uninitialized folio in shmem_symlink

[Matthew Wilcox]

On Thu, Dec 25, 2025 at 05:04:38PM +1300, Barry Song wrote:
> On Thu, Dec 25, 2025 at 6:01 AM Matthew Wilcox <willy@infradead.org> wrote:
> >
> > On Wed, Dec 24, 2025 at 10:40:27PM +1300, Barry Song wrote:
> > > From: Barry Song <baohua@kernel.org>
> > >
> > > Uninitialized folio allocated in shmem_symlink() may be accessed
> > > during swap-out, causing KMSAN BUG:
> >
> > This would be an unfortunate way to fix it.  The vast majority of
> > symlinks are short, and we'll never access past the \0 in normal
> > operation, so we'll be dirtying a lot of cachelines essentially to (1)
> > shut up an automated tool and (2) optimise a corner case.
> >
> > How about this instead which delays zeroing to swapout?
> 
> Matthew, thank you very much for your review, even during Christmas.
> I would like to wish you a happy holiday!

Heh, thanks.  My mailserver is actually in a different timezone from me,
so it was still the 24th when I sent it ;-)

> I am not quite sure, as shm symlinks do not seem very common. Since
> allocating a folio requires a symname longer than 128 bytes (where
> 128 == SHORT_SYMLINK_LEN), such cases appear even rarer.

Fair enough.  I hadn't noticed the SHORT_SYMLINK_LEN case when I
wrote this.  That does change things somewhat, but still for a 160 byte
symlink, we have 5 cachelines of data and 59 cachelines of zeroes.

> BTW, do we need to migrate the owner_2 flag in folio_migrate_flags()?
> If so, I am not quite sure it is worth changing the hotpath to
> accommodate this.

It already happens, it's just camouflaged.  owner_2 is the same bit as
mappedtodisk.