Re: [PATCH mm-hotfixes] mm/zswap: add missing kunmap_local()
From: Lorenzo Stoakes (Oracle)
Date: Mon Mar 16 2026 - 11:54:54 EST
On Mon, Mar 16, 2026 at 02:52:24PM +0000, Yosry Ahmed wrote:
> On Mon, Mar 16, 2026 at 02:01:22PM +0000, Lorenzo Stoakes (Oracle) wrote:
> > Commit e2c3b6b21c77 ("mm: zswap: use SG list decompression APIs from
> > zsmalloc") updated zswap_decompress() to use the scatterwalk API to copy
> > data for uncompressed pages.
> >
> > In doing so, it mapped kernel memory locally for 32-bit kernels using
> > kmap_local_folio(), however it never unmapped this memory.
> >
> > This resulted in the linked syzbot report where a BUG_ON() is triggered due
> > to leaking the kmap slot.
> >
> > This patch fixes the issue by explicitly unmapping the established kmap.
> >
> > Reported-by: syzbot+fe426bef95363177631d@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://lore.kernel.org/all/69b75e2c.050a0220.12d28.015a.GAE@xxxxxxxxxx
> > Fixes: e2c3b6b21c77 ("mm: zswap: use SG list decompression APIs from zsmalloc")
> > Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@xxxxxxxxxx>
>
> Oh thanks for catching that, not sure how I ended up doing that tbh..
Don't worry I've made FAR worse mistakes in some of my patches, believe me :)
easily done.
>
> Anyway, LGTM:
>
> Acked-by: Yosry Ahmed <yosry@xxxxxxxxxx>
Thanks!
Cheers, Lorenzo
>
> > ---
> > mm/zswap.c | 7 ++++++-
> > 1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/mm/zswap.c b/mm/zswap.c
> > index e6ec3295bdb0..499520f65ff0 100644
> > --- a/mm/zswap.c
> > +++ b/mm/zswap.c
> > @@ -942,9 +942,14 @@ static bool zswap_decompress(struct zswap_entry *entry, struct folio *folio)
> >
> > /* zswap entries of length PAGE_SIZE are not compressed. */
> > if (entry->length == PAGE_SIZE) {
> > + void *dst;
> > +
> > WARN_ON_ONCE(input->length != PAGE_SIZE);
> > - memcpy_from_sglist(kmap_local_folio(folio, 0), input, 0, PAGE_SIZE);
> > +
> > + dst = kmap_local_folio(folio, 0);
> > + memcpy_from_sglist(dst, input, 0, PAGE_SIZE);
> > dlen = PAGE_SIZE;
> > + kunmap_local(dst);
> > } else {
> > sg_init_table(&output, 1);
> > sg_set_folio(&output, folio, PAGE_SIZE, 0);
> > --
> > 2.53.0