From: Shigeru Yoshida <syoshida@redhat.com>
Date: Sat, 21 Mar 2026 13:29:11 +0000 (+0900)
Subject: mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4fb61d95ad21c3b6f1c09f357ff49d70abb0535e;p=thirdparty%2Fkernel%2Flinux.git

mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()

zs_page_migrate() uses copy_page() to copy the contents of a zspage page
during migration.  However, copy_page() is not instrumented by KMSAN, so
the shadow and origin metadata of the destination page are not updated.

As a result, subsequent accesses to the migrated page are reported as
use-after-free by KMSAN, despite the data being correctly copied.

Add a kmsan_copy_page_meta() call after copy_page() to propagate the KMSAN
metadata to the new page, matching what copy_highpage() does internally.

Link: https://lkml.kernel.org/r/20260321132912.93434-1-syoshida@redhat.com
Fixes: afb2d666d025 ("zsmalloc: use copy_page for full page copy")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index e7417ece1c12e..63128ddb79598 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1753,6 +1753,7 @@ static int zs_page_migrate(struct page *newpage, struct page *page,
 	 */
 	d_addr = kmap_local_zpdesc(newzpdesc);
 	copy_page(d_addr, s_addr);
+	kmsan_copy_page_meta(zpdesc_page(newzpdesc), zpdesc_page(zpdesc));
 	kunmap_local(d_addr);
 
 	for (addr = s_addr + offset; addr < s_addr + PAGE_SIZE;