Re: [PATCH] zsmalloc: use actual object size to detect spans

Next message: Stephen Rothwell: "linux-next: manual merge of the tip tree with the crypto tree"
Previous message: Chao Yu: "Re: [syzbot] [f2fs?] KASAN: use-after-free Read in f2fs_write_end_io (2)"
In reply to: Yosry Ahmed: "Re: [PATCH] zsmalloc: use actual object size to detect spans"
Next in thread: Yosry Ahmed: "Re: [PATCH] zsmalloc: use actual object size to detect spans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sergey Senozhatsky

Date: Tue Jan 06 2026 - 21:06:15 EST

On (26/01/07 01:56), Yosry Ahmed wrote:
> > I recall us having exactly this idea when we first introduced
> > zs_obj_{read,write}_end() functions, and I do recall that it
> > did not work. Somehow this panics in __memcpy+0xc/0x44. Let
> > me dig into it again.
>
> Maybe because at this point we are trying to memcpy() class->size, which
> already includes ZS_HANDLE_SIZE. So reading after increasing the offset
> reads ZS_HANDLE_SIZE after class->size.

Yeah, I guess that falsely hits the spanning path because of extra
sizeof(unsigned long).