From: chenyichong
To: wangqing7171@gmail.com
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzbot+37b7f6cd519f7fb8d32a@syzkaller.appspotmail.com, urezki@gmail.com, chenyichong
Subject: [PATCH] mm/vmalloc: fix KMSAN uninit in decay_va_pool_node list handling
Date: Fri, 3 Apr 2026 15:52:03 +0800
In-Reply-To: <20260402081413.1896640-1-wangqing7171@gmail.com>
References: <20260402081413.1896640-1-wangqing7171@gmail.com>

Prevent decay_va_pool_node from
overwriting concurrent repopulation of vmap_node pool[i].head while purging. Read/reset pool[i].len under pool_lock and splice leftover vmap_area nodes back into the pool instead of replacing the list.

Reported-by: syzbot+37b7f6cd519f7fb8d32a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=37b7f6cd519f7fb8d32a
Fixes: 7679ba6b36db ("mm: vmalloc: add a shrinker to drain vmap pools")
Signed-off-by: chenyichong
--- mm/vmalloc.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index ecbac900c35f..72fb60553a71 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -2233,10 +2233,9 @@ decay_va_pool_node(struct vmap_node *vn, bool full_d= ecay) /* Detach the pool, so no-one can access it. */ spin_lock(&vn->pool_lock); list_replace_init(&vn->pool[i].head, &tmp_list); - spin_unlock(&vn->pool_lock); - pool_len =3D n_decay =3D vn->pool[i].len; WRITE_ONCE(vn->pool[i].len, 0); + spin_unlock(&vn->pool_lock); =20 /* Decay a pool by ~25% out of left objects. */ if (!full_decay) @@ -2259,8 +2258,14 @@ decay_va_pool_node(struct vmap_node *vn, bool full_d= ecay) */ if (!list_empty(&tmp_list)) { spin_lock(&vn->pool_lock); - list_replace_init(&tmp_list, &vn->pool[i].head); - WRITE_ONCE(vn->pool[i].len, pool_len); + /* + * Merge leftover areas back into the pool rather than + * replacing the whole list. A concurrent allocator can + * repopulate vn->pool[i].head while we are decaying + * tmp_list, and replacing would drop those nodes. + */ + list_splice_tail_init(&tmp_list, &vn->pool[i].head); + WRITE_ONCE(vn->pool[i].len, vn->pool[i].len + pool_len); spin_unlock(&vn->pool_lock); } } --=20 2.50.1
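
Review bot: In the first hunk (@@ -2233,10 +2233,9 @@), the context comment "Detach the pool, so no-one can access it." no longer matches what the patch relies on: the comment added in the second hunk says a concurrent allocator can repopulate vn->pool[i].head while tmp_list is being decayed, so the head stays reachable after the detach. Suggest rewording it to say that the list is moved to tmp_list and pool[i].len is snapshotted and zeroed inside the same pool_lock critical section, so the list and its counter stay consistent for anyone who takes the lock afterwards.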
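
Review bot: In the second hunk (@@ -2259,8 +2258,14 @@), the new "WRITE_ONCE(vn->pool[i].len, vn->pool[i].len + pool_len);" is a read-modify-write on len, which is only correct if the path that repopulates vn->pool[i].head also updates len while holding pool_lock; the changelog should name that path and say so, and should explain how the old list_replace_init() reattach led to the KMSAN uninit report named in the subject. The existing comment block that ends at the "*/" context line just above "if (!list_empty(&tmp_list))" is left untouched; if it still describes the reattach as a plain list replace, update it or fold the new comment into it.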