Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756919AbcCaNNw (ORCPT ); Thu, 31 Mar 2016 09:13:52 -0400
Received: from mx2.suse.de ([195.135.220.15]:35825 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756337AbcCaNNv (ORCPT ); Thu, 31 Mar 2016 09:13:51 -0400
Subject: Re: [PATCH] mm: fix invalid node in alloc_migrate_target()
To: Andrew Morton, Xishi Qiu
References: <56F4E104.9090505@huawei.com> <20160325122237.4ca4e0dbca215ccbf4f49922@linux-foundation.org> <56FA7DC8.4000902@suse.cz>
Cc: Joonsoo Kim, David Rientjes, Naoya Horiguchi, Laura Abbott, zhuhui@xiaomi.com, wangxq10@lzu.edu.cn, Linux MM, LKML
From: Vlastimil Babka
Message-ID: <56FD2285.4080600@suse.cz>
Date: Thu, 31 Mar 2016 15:13:41 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <56FA7DC8.4000902@suse.cz>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 743
Lines: 19

On 03/29/2016 03:06 PM, Vlastimil Babka wrote:
> On 03/25/2016 08:22 PM, Andrew Morton wrote:
>> Also, mm/mempolicy.c:offset_il_node() worries me:
>>
>>     do {
>>         nid = next_node(nid, pol->v.nodes);
>>         c++;
>>     } while (c <= target);
>>
>> Can't `nid' hit MAX_NUMNODES?
>
> AFAICS it can. interleave_nid() uses this and the nid is then used e.g.
> in node_zonelist() where it's used for NODE_DATA(nid). That's quite
> scary. It also predates git. Why don't we see crashes or KASAN finding this?

Ah, I see. In offset_il_node(), nid is initialized to -1, and the number of
do-while iterations calling next_node() is up to the number of bits set in
the pol->v.nodes bitmap, so it can't reach past the last set bit and return
MAX_NUMNODES.
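The reasoning in the reply above (nid starts at -1, and the loop runs at most as many times as there are set bits) can be checked with a small userspace model. The following is an added example, not kernel code and not part of the original thread: next_node(), nodes_weight() and offset_il_node() are simplified stand-ins that keep the loop shape Andrew quoted, MAX_NUMNODES is fixed at 64 so the mask fits one word, and the assumption that the caller's target is already below the number of set bits is made explicit. It also shows, for contrast, what the loop returns if that assumption is violated by one.

```c
/* Added example, not from the kernel: a userspace model of the
 * offset_il_node() loop discussed above. The bitmap helpers and
 * MAX_NUMNODES value are simplified assumptions for the model. */
#include <stdio.h>

#define MAX_NUMNODES 64   /* assumption: small fixed node count for the model */

typedef struct { unsigned long long bits; } nodemask_t;

/* Model of next_node(): first set bit strictly after n, or MAX_NUMNODES
 * if there is none. n == -1 (as in offset_il_node) means "start at bit 0". */
static int next_node(int n, const nodemask_t *mask)
{
    for (int i = n + 1; i < MAX_NUMNODES; i++)
        if (mask->bits & (1ULL << i))
            return i;
    return MAX_NUMNODES;
}

/* Model of nodes_weight(): number of set bits in the mask. */
static unsigned nodes_weight(const nodemask_t *mask)
{
    return (unsigned)__builtin_popcountll(mask->bits);
}

/* Model of offset_il_node(): return the target-th set node, counting from 0.
 * Assumption, as the message states: target < nodes_weight(mask), so the
 * do-while below iterates at most nodes_weight(mask) times. */
static int offset_il_node(const nodemask_t *mask, unsigned target)
{
    int nid = -1;
    unsigned c = 0;

    do {
        nid = next_node(nid, mask);
        c++;
    } while (c <= target);
    return nid;
}

/* Check the claim for every valid target: the result is always a set bit
 * of the mask and therefore never MAX_NUMNODES. Returns 1 if it holds. */
static int claim_holds(const nodemask_t *mask)
{
    unsigned w = nodes_weight(mask);

    for (unsigned t = 0; t < w; t++) {
        int nid = offset_il_node(mask, t);
        if (nid < 0 || nid >= MAX_NUMNODES || !(mask->bits & (1ULL << nid)))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample policy mask: nodes {1, 5, 63}; 63 is the top bit,
     * the hardest case for "can nid run past the last set bit?". */
    nodemask_t pol = { (1ULL << 1) | (1ULL << 5) | (1ULL << 63) };

    printf("weight=%u claim_holds=%d\n", nodes_weight(&pol), claim_holds(&pol));
    /* One iteration beyond the set-bit count is exactly where MAX_NUMNODES
     * would appear, so the bound on target is what keeps it out. */
    printf("target==weight gives nid=%d (MAX_NUMNODES=%d)\n",
           offset_il_node(&pol, nodes_weight(&pol)), MAX_NUMNODES);
    return 0;
}
```

The point of claim_holds() is that the safety argument rests entirely on target staying below the bit count; with that bound every iteration lands on a set bit, and without it the very next iteration returns MAX_NUMNODES.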