From patchwork Fri Apr 7 04:07:18 2023
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 13204444
From: Peng Zhang
To: Liam.Howlett@oracle.com
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, maple-tree@lists.infradead.org, Peng Zhang, stable@vger.kernel.org
Subject: [PATCH 2/2] maple_tree: Fix a potential memory leak, OOB access, or other unpredictable bug
Date: Fri, 7 Apr 2023 12:07:18 +0800
Message-Id: <20230407040718.99064-2-zhangpeng.00@bytedance.com>
X-Mailer: git-send-email 2.37.0 (Apple Git-136)
In-Reply-To: <20230407040718.99064-1-zhangpeng.00@bytedance.com>
References: <20230407040718.99064-1-zhangpeng.00@bytedance.com>

In mas_alloc_nodes(), there is such a piece of code:

    while (requested) {
        ...
        node->node_count = 0;
        ...
    }

"node->node_count = 0" means to initialize the node_count field of the new node, but the node may not be a new node. It may be a node that existed before and whose node_count has a value; setting it to 0 will cause a memory leak. At this time, mas->alloc->total will be greater than the actual number of nodes in the linked list, which may cause many other errors. For example, out-of-bounds access in mas_pop_node(), and mas_pop_node() may return addresses that should not be used.

Fix it by initializing node_count only for new nodes.

Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Peng Zhang
Cc:
---
 lib/maple_tree.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 65fd861b30e1..9e25b3215803 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -1249,26 +1249,18 @@ static inline void mas_alloc_nodes(struct ma_state *mas, gfp_t gfp) node = mas->alloc; node->request_count = 0; while (requested) { - max_req = MAPLE_ALLOC_SLOTS; - if (node->node_count) { - unsigned int offset = node->node_count; - - slots = (void **)&node->slot[offset]; - max_req -= offset; - } else { - slots = (void **)&node->slot; - } - + max_req = MAPLE_ALLOC_SLOTS - node->node_count; + slots = (void **)&node->slot[node->node_count]; max_req = min(requested, max_req); count = mt_alloc_bulk(gfp, max_req, slots); if (!count) goto nomem_bulk; + if (node->node_count == 0) + node->slot[0]->node_count = 0; node->node_count += count; allocated += count; node = node->slot[0]; - node->node_count = 0; - node->request_count = 0; requested -= count; } mas->alloc->total = allocated;
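Review bot: the removed "node->request_count = 0;" for the next node is not carried over, while "node->slot[0]->node_count = 0;" is added under the new "node->node_count == 0" guard; whether mt_alloc_bulk() hands back zeroed nodes is not visible in this hunk, so either both fields need the reset at that point (add "node->slot[0]->request_count = 0;" beside the new line) or neither does, and the commit message should state which. A second point on the same loop: with "max_req = MAPLE_ALLOC_SLOTS - node->node_count;", if the walk through "node = node->slot[0];" reaches a pre-existing node that is already full, max_req is 0, a zero-sized mt_alloc_bulk() that returns 0 takes the "goto nomem_bulk" path, and the request fails although memory is available; the old body hid this case by wiping node_count (the leak being fixed), so a comment or WARN_ON explaining why requested never exceeds the free slots in the chain, or explicit handling of the full node, would make the new invariant clear.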
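A stand-alone model of the allocation chain described in the commit message, added here as an example and not part of the patch or of lib/maple_tree.c: it runs the loop in both its pre-patch and patched forms against a head that links to a full pre-existing node (the state pops leave behind) and compares the recorded total with what the chain can still reach. The names alloc_nodes, reachable, free_all and leaked_nodes are this example's own, and SLOTS shrinks MAPLE_ALLOC_SLOTS to 3 so the structure fits in a few nodes.

```c
#include <stdlib.h>
#define SLOTS 3  /* stands in for MAPLE_ALLOC_SLOTS (30 on 64-bit), shrunk for the demo */
/* struct maple_alloc as the loop sees it: slot[0] links the chain, slot[1..] are spares. */
struct node { unsigned int node_count; struct node *slot[SLOTS]; };
static void alloc_bulk(unsigned int n, struct node **out)  /* mt_alloc_bulk() stand-in, never fails */
{
	for (unsigned int i = 0; i < n; i++) out[i] = calloc(1, sizeof(struct node));
}
/* The while loop of mas_alloc_nodes(): buggy=1 resets node_count on whatever slot[0] is
 * (pre-patch); buggy=0 resets it only on a node this call just allocated (the patch).
 * Returns the number of nodes allocated, which the caller adds to the chain's total. */
static unsigned int alloc_nodes(struct node *head, unsigned int requested, int buggy)
{
	unsigned int allocated = 0;
	for (struct node *node = head; requested; node = node->slot[0]) {
		unsigned int max_req = SLOTS - node->node_count;
		unsigned int count = max_req < requested ? max_req : requested;
		alloc_bulk(count, &node->slot[node->node_count]);
		if (buggy || node->node_count == 0)
			node->slot[0]->node_count = 0;  /* wipes a pre-existing node when buggy */
		node->node_count += count;
		allocated += count;
		requested -= count;
	}
	return allocated;
}
/* Nodes mas_pop_node() can still reach: each chain node plus its node_count-1 spares. */
static unsigned int reachable(const struct node *n)
{
	unsigned int sum = 0;
	for (; n; n = n->node_count ? n->slot[0] : NULL)  /* node_count 0 ends the chain */
		sum += n->node_count ? n->node_count : 1;
	return sum;
}
static void free_all(struct node *n)  /* walks every slot, so wiped nodes are freed too */
{
	if (n) { for (int i = 0; i < SLOTS; i++) free_all(n->slot[i]); free(n); }
}
/* Head linking to a full pre-existing node (what pops leave behind), then one more
 * request: how many nodes does the total claim that the chain no longer reaches? */
unsigned int leaked_nodes(int buggy)
{
	struct node *head = calloc(1, sizeof(*head)), *full = calloc(1, sizeof(*full));
	head->slot[0] = full, head->node_count = 1;
	full->node_count = SLOTS, alloc_bulk(SLOTS, full->slot);
	unsigned int total = 2 + SLOTS + alloc_nodes(head, 1, buggy);
	unsigned int leaked = total - reachable(head);
	free_all(head);
	return leaked;  /* 0 with the patch, SLOTS with the old loop */
}
```

With the old loop the head's total still counts the wiped node's three spares, which is exactly the gap between mas->alloc->total and the list that mas_pop_node() would later walk.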