Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3456769imm;
        Mon, 4 Jun 2018 04:03:11 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKIuuzPTut6BZhjIWzs/0isfgOfGCj2m6cTsHKoO/VplQbUnjYK2kph4lEvCleNJ7U1CNns0
X-Received: by 2002:a62:808f:: with SMTP id j137-v6mr12658163pfd.91.1528110191476;
        Mon, 04 Jun 2018 04:03:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1528110191; cv=none;
        d=google.com; s=arc-20160816;
        b=lwNWVLmc6Ca1Uti8BPcDnh7H0tGsDYnKnplU6xznPsEv3E479fnwAdYPqeWw9136NK
         5QDK/TYBtsSKXvBQA1XbXi+lyhqIsTZOr7eqZN2Ga/vH+gLVLoxh0pPqR6edctDXExtx
         Bc7/bblhZFmfEy7t+H3KT8i7jlKrWgKZw453GXcEjT4HXWUcHysmHn8YHVRM3SbSJEsw
         mrlCLnvbDVhn9NQt23cvlwMX4gus8ia1+12zLXZb3zhz7IiOQhBFQtY4p5fB3Vsgo+l4
         X2vM5iVo8/+FP1Aft3F+fAdrXbUfT9sgCF3sgL1woV/JSJAQP23qwzC5woJrEXOcC8lG
         Gemg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:subject:cc
         :to:from:arc-authentication-results;
        bh=H2lCLlhKmoT3YtBG4jr5SpLGyImDytQOZqVueXSKwf8=;
        b=zt13WJdS1PQvJgDi1ZcfYtzJbxyOkvGsZOhSht52ThbCI34GEchu2C2bZkBvxBjmnu
         pMQaJ5uPNG/VNoa4ejaqhFm2bXIwr3YjEBIvyMhdO+c41sSydrYMTnYP5jPu1/0fNWKZ
         b47dPTGswVAZD+Rfd9UfxHbjKc6o1T5hW5/yVB53o5Xl0JRn2oV+oqgx2SXZB4Zity72
         hRWxOrv04lro0ZUAzuCdD13Qh5IYXAzQf1hRUNJzXMYUFRyGpyspBd5wbUwUNO5xnuNt
         c9kWMllP1cHnvwAR08s7dLdb5lq4BLTAX3XADx3gKZqM9trIYQLYHh+QMxk7YKHy5VsS
         hubg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g14-v6si6379696pgr.419.2018.06.04.04.02.56;
        Mon, 04 Jun 2018 04:03:11 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752413AbeFDLCW (ORCPT <rfc822;rao.subba.venkata@gmail.com>
        + 99 others); Mon, 4 Jun 2018 07:02:22 -0400
Received: from szxga07-in.huawei.com ([45.249.212.35]:52022 "EHLO huawei.com"
        rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP
        id S1752029AbeFDLCV (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 4 Jun 2018 07:02:21 -0400
Received: from DGGEMS403-HUB.china.huawei.com (unknown [172.30.72.60])
        by Forcepoint Email with ESMTP id 0C33A23E975A8;
        Mon,  4 Jun 2018 19:02:18 +0800 (CST)
Received: from linux-work.huawei.com (10.67.189.174) by
 DGGEMS403-HUB.china.huawei.com (10.3.19.203) with Microsoft SMTP Server id
 14.3.382.0; Mon, 4 Jun 2018 19:02:12 +0800
From:   nixiaoming <nixiaoming@huawei.com>
To:     <akpm@linux-foundation.org>, <vdavydov.dev@gmail.com>,
        <hannes@cmpxchg.org>, <garsilva@embeddedor.com>,
        <ktkhai@virtuozzo.com>, <stummala@codeaurora.org>
CC:     <nixiaoming@huawei.com>, <linux-kernel@vger.kernel.org>,
        <linux-mm@kvack.org>
Subject: [PATCH] mm: Add conditions to avoid out-of-bounds
Date:   Mon, 4 Jun 2018 18:37:35 +0800
Message-ID: <20180604103735.42781-1-nixiaoming@huawei.com>
X-Mailer: git-send-email 2.10.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.67.189.174]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In the function memcg_init_list_lru
if call goto fail when i == 0, will cause out-of-bounds at lru->node[i]

The same out-of-bounds access scenario exists in the functions
memcg_update_list_lru and __memcg_init_list_lru_node

Signed-off-by: nixiaoming <nixiaoming@huawei.com>
---
 mm/list_lru.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mm/list_lru.c b/mm/list_lru.c
index fcfb6c8..ec6bdd9 100644
--- a/mm/list_lru.c
+++ b/mm/list_lru.c
@@ -298,6 +298,9 @@ static void __memcg_destroy_list_lru_node(struct list_lru_memcg *memcg_lrus,
 {
 	int i;
 
+	if (unlikely(begin >= end))
+		return;
+
 	for (i = begin; i < end; i++)
 		kfree(memcg_lrus->lru[i]);
 }
@@ -422,6 +425,8 @@ static int memcg_init_list_lru(struct list_lru *lru, bool memcg_aware)
 	}
 	return 0;
 fail:
+	if (unlikely(i == 0))
+		return -ENOMEM;
 	for (i = i - 1; i >= 0; i--) {
 		if (!lru->node[i].memcg_lrus)
 			continue;
@@ -456,6 +461,8 @@ static int memcg_update_list_lru(struct list_lru *lru,
 	}
 	return 0;
 fail:
+	if (unlikely(i == 0))
+		return -ENOMEM;
 	for (i = i - 1; i >= 0; i--) {
 		if (!lru->node[i].memcg_lrus)
 			continue;
-- 
2.10.1