From patchwork Tue Apr 11 04:10:04 2023
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 13207019
From: Peng Zhang
To: Liam.Howlett@oracle.com
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, maple-tree@lists.infradead.org, Peng Zhang, stable@vger.kernel.org
Subject: [PATCH v2 1/2] maple_tree: Fix a potential memory leak, OOB access, or other unpredictable bug
Date: Tue, 11 Apr 2023 12:10:04 +0800
Message-Id: <20230411041005.26205-1-zhangpeng.00@bytedance.com>
X-Mailer: git-send-email 2.37.0 (Apple Git-136)

In mas_alloc_nodes(), "node->node_count = 0" means to initialize the
node_count field of the new node, but the node may not be a new node. It
may be a node that existed before and whose node_count has a value;
setting it to 0 will cause a memory leak. At this time, mas->alloc->total
will be greater than the actual number of nodes in the linked list, which
may cause many other errors. For example, out-of-bounds access in
mas_pop_node(), and mas_pop_node() may return addresses that should not
be used.

Fix it by initializing node_count only for new nodes.

Also, by the way, an if-else statement was removed to simplify the code.

Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Peng Zhang
Cc:
Reviewed-by: Liam R. Howlett
---
 lib/maple_tree.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index dd1a114d9e2b..938634bea2d6 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -1303,26 +1303,21 @@ static inline void mas_alloc_nodes(struct ma_state *mas, gfp_t gfp) node = mas->alloc; node->request_count = 0; while (requested) { - max_req = MAPLE_ALLOC_SLOTS; - if (node->node_count) { - unsigned int offset = node->node_count; - - slots = (void **)&node->slot[offset]; - max_req -= offset; - } else { - slots = (void **)&node->slot; - } - + max_req = MAPLE_ALLOC_SLOTS - node->node_count; + slots = (void **)&node->slot[node->node_count]; max_req = min(requested, max_req); count = mt_alloc_bulk(gfp, max_req, slots); if (!count) goto nomem_bulk; + if (node->node_count == 0) { + node->slot[0]->node_count = 0; + node->slot[0]->request_count = 0; + } + node->node_count += count; allocated += count; node = node->slot[0]; - node->node_count = 0; - node->request_count = 0; requested -= count; } mas->alloc->total = allocated;
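Review bot: the new `if (node->node_count == 0)` block relies on an invariant that is not written down anywhere in the hunk, namely that a node whose node_count was 0 at the top of the iteration has just had its slot[0] filled by mt_alloc_bulk(), so slot[0] is an uninitialised fresh node, whereas a non-zero node_count means slot[0] is a pre-existing list node whose counts must survive (the exact case the removed unconditional reset got wrong). Please add a one-line comment above the block saying so, since the correctness of the fix is invisible otherwise. A second point on `max_req = MAPLE_ALLOC_SLOTS - node->node_count;`: when a pre-existing node on the list is already full this evaluates to 0, and if mt_alloc_bulk() returns 0 for a zero-sized request the `if (!count) goto nomem_bulk;` that follows reports memory exhaustion that did not happen. The removed code had the same arithmetic, so if the caller guarantees a non-full node on entry a comment stating that would close the question; otherwise a guard that advances to `node->slot[0]` when max_req is 0 is needed.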
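The accounting error the commit message describes, replayed in a constructed toy model (added here; it is neither kernel code nor the author's): `alloc_bulk()` stands in for mt_alloc_bulk(), the pre-allocated list shape, the starting count of 5 and the `buggy` switch are assumptions, and `request_count` is left out.

```c
#include <stdlib.h>
/* Toy model of the maple tree allocation list (constructed here, not kernel
 * code): slot[0] of a list node is the next list node, which mas_alloc_nodes() walks. */
#define SLOTS 4
struct anode { unsigned int node_count; struct anode *slot[SLOTS]; };
/* Stand-in for mt_alloc_bulk(): uninitialised memory, like a slab. */
static unsigned int alloc_bulk(unsigned int max, struct anode **slots)
{
    for (unsigned int i = 0; i < max; i++)
        slots[i] = malloc(sizeof(struct anode));
    return max;
}

/* Pre-existing list head -> b -> c, with b also holding two leaves: 5 nodes,
 * i.e. 1 (head) + the sum of every node_count. */
struct anode *build_prealloc(void)
{
    struct anode *head = calloc(1, sizeof(*head)), *b = calloc(1, sizeof(*b));
    head->node_count = 1; head->slot[0] = b; b->node_count = 3;
    for (int i = 0; i < 3; i++) b->slot[i] = calloc(1, sizeof(*b));
    return head;
}

/* The loop from mas_alloc_nodes(); returns the new total. buggy != 0 replays
 * the pre-fix reset of whichever node was just walked to. */
unsigned int alloc_nodes(struct anode *head, unsigned int requested, int buggy)
{
    unsigned int allocated = 5, count, max_req;  /* 5 = nodes already held */
    struct anode *node = head;
    while (requested) {
        max_req = SLOTS - node->node_count;
        if (max_req > requested) max_req = requested;
        count = alloc_bulk(max_req, &node->slot[node->node_count]);
        if (!count) break;                       /* kernel: goto nomem_bulk */
        if (!buggy && node->node_count == 0)     /* the fix: fresh slot[0] only */
            node->slot[0]->node_count = 0;
        node->node_count += count;
        allocated += count;
        node = node->slot[0];
        if (buggy) node->node_count = 0;         /* wipes b's live count of 3 */
        requested -= count;
    }
    return allocated;
}

/* Nodes the list still accounts for: head plus every counted slot. */
unsigned int count_reachable(const struct anode *p)
{
    return p->node_count ? p->node_count + count_reachable(p->slot[0]) : 1;
}
```

With the pre-fix reset, requesting 5 more nodes reports a total of 10 while only 7 are still linked (c and two leaves are orphaned, and the total overstates what mas_pop_node() could hand out); with the fix both numbers are 10.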