From: Peng Zhang
To: Liam.Howlett@oracle.com
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, maple-tree@lists.infradead.org, Peng Zhang, stable@vger.kernel.org
Subject: [PATCH 2/2] maple_tree: Fix a potential memory leak, OOB access, or other unpredictable bug
Date: Fri, 7 Apr 2023 12:07:18 +0800
Message-Id: <20230407040718.99064-2-zhangpeng.00@bytedance.com>
In-Reply-To: <20230407040718.99064-1-zhangpeng.00@bytedance.com>
References: <20230407040718.99064-1-zhangpeng.00@bytedance.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In mas_alloc_nodes(), there is this piece of code:

	while (requested) {
		...
		node->node_count = 0;
		...
	}

"node->node_count = 0" is meant to initialize the node_count field of the new node, but the node may not be a new node. It may be a node that existed before and whose node_count already has a value; setting it to 0 will cause a memory leak. At this point, mas->alloc->total will be greater than the actual number of nodes in the linked list, which may cause many other errors, for example out-of-bounds access in mas_pop_node(); mas_pop_node() may also return addresses that should not be used.

Fix it by initializing node_count only for new nodes.

Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Peng Zhang
Cc:
---
 lib/maple_tree.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 65fd861b30e1..9e25b3215803 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -1249,26 +1249,18 @@ static inline void mas_alloc_nodes(struct ma_state *mas, gfp_t gfp) node = mas->alloc; node->request_count = 0; while (requested) { - max_req = MAPLE_ALLOC_SLOTS; - if (node->node_count) { - unsigned int offset = node->node_count; - - slots = (void **)&node->slot[offset]; - max_req -= offset; - } else { - slots = (void **)&node->slot; - } - + max_req = MAPLE_ALLOC_SLOTS - node->node_count; + slots = (void **)&node->slot[node->node_count]; max_req = min(requested, max_req); count = mt_alloc_bulk(gfp, max_req, slots); if (!count) goto nomem_bulk; + if (node->node_count == 0) + node->slot[0]->node_count = 0; node->node_count += count; allocated += count; node = node->slot[0]; - node->node_count = 0; - node->request_count = 0; requested -= count; } mas->alloc->total = allocated; -- 2.20.1
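Review bot: the hunk drops the "node->request_count = 0;" reset for the node that becomes the next "node" without adding a replacement, while the commit message explains only the node_count change; please state in the commit message why request_count no longer needs resetting there (for instance, that mt_alloc_bulk() hands back already-zeroed nodes, or that request_count is only ever read on mas->alloc, which this function already resets once before the while loop). A one-line comment above "if (node->node_count == 0)" saying that slot[0] is a freshly allocated node only when this node had no filled slots, and otherwise an existing list node whose node_count must be preserved, would also help, since that distinction is the whole point of the fix and is easy to lose in a later refactor.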
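To make the leak described in the commit message concrete, here is an added, self-contained C model of the allocation list; it is not the kernel's code and not part of this patch. toy_node, toy_alloc_bulk(), toy_alloc_nodes(), toy_reachable() and the SLOTS constant are constructed stand-ins for maple_alloc, mt_alloc_bulk(), the while loop of mas_alloc_nodes(), a walk of the list and MAPLE_ALLOC_SLOTS, and the starting list in toy_scenario() is made up for the example. The model runs the loop once in its pre-patch form and once in its patched form on the same starting list and compares what the head's total claims with the number of nodes actually still reachable from the head.

```c
#include <stdlib.h>

/* Constructed toy model of the maple tree allocation list, not kernel code.
 * SLOTS stands in for MAPLE_ALLOC_SLOTS (4 keeps the example small). */
#define SLOTS 4

struct toy_node {
	unsigned int node_count;      /* filled entries in slot[] */
	unsigned int total;           /* meaningful on the head node only */
	struct toy_node *slot[SLOTS]; /* slot[0] links to the next list node */
};

/* Stand-in for mt_alloc_bulk(): fill up to max slots with zeroed nodes. */
static unsigned int toy_alloc_bulk(unsigned int max, struct toy_node **slots)
{
	unsigned int i;
	for (i = 0; i < max; i++) {
		slots[i] = calloc(1, sizeof(struct toy_node));
		if (!slots[i])
			break;
	}
	return i;
}

/* Nodes reachable from n: n itself plus whatever hangs off its filled slots. */
static unsigned int toy_reachable(const struct toy_node *n)
{
	unsigned int i, c = 1;
	for (i = 0; i < n->node_count; i++)
		c += toy_reachable(n->slot[i]);
	return c;
}

static void toy_free(struct toy_node *n)
{
	unsigned int i;
	for (i = 0; i < n->node_count; i++)
		toy_free(n->slot[i]);
	free(n);
}

/* The while loop of mas_alloc_nodes(), modelled. The real function first
 * pushes a fresh head when the list is empty or the head is full; this model
 * assumes a non-full head, which is the case the fix is about. buggy != 0
 * mimics the pre-patch loop (node_count zeroed on whatever node follows);
 * buggy == 0 mimics the patch (zeroed only when slot[0] was just allocated).
 * Returns 0 on success, -1 when the allocator runs dry. */
static int toy_alloc_nodes(struct toy_node *head, unsigned int requested, int buggy)
{
	struct toy_node *node = head;
	unsigned int allocated = head->total;
	unsigned int count, max_req;

	while (requested) {
		max_req = SLOTS - node->node_count;
		if (max_req > requested)
			max_req = requested;
		count = toy_alloc_bulk(max_req, &node->slot[node->node_count]);
		if (!count)
			return -1;
		if (!buggy && node->node_count == 0)
			node->slot[0]->node_count = 0; /* patched: only a new node */
		node->node_count += count;
		allocated += count;
		node = node->slot[0];
		if (buggy)
			node->node_count = 0; /* pre-patch: may clobber an old node */
		requested -= count;
	}
	head->total = allocated;
	return 0;
}

struct toy_result {
	unsigned int total;     /* what head->total claims */
	unsigned int reachable; /* what is really still on the list */
};

/* Constructed start: a head with one filled slot pointing at a full second
 * list node (its slot[0] is an empty third list node, slots 1..3 are spare
 * nodes), 6 nodes in all with total == 6. Then request 2 more nodes. */
static struct toy_result toy_scenario(int buggy)
{
	struct toy_node *head = calloc(1, sizeof(*head));
	struct toy_node *second = calloc(1, sizeof(*second));
	struct toy_result r = { 0, 0 };

	second->node_count = toy_alloc_bulk(SLOTS, second->slot);
	head->slot[0] = second;
	head->node_count = 1;
	head->total = 2 + SLOTS;
	if (toy_alloc_nodes(head, 2, buggy) == 0) {
		r.total = head->total;
		r.reachable = toy_reachable(head);
	}
	toy_free(head); /* in the buggy run the orphaned nodes are never freed */
	return r;
}
```

In the pre-patch run the head is not empty, so the two new nodes go into head->slot[1] and head->slot[2], and the loop then zeroes node_count on head->slot[0], the full second list node: its four children are orphaned, total reports 8 while only 4 nodes remain reachable, which is exactly the total-versus-list mismatch the commit message says mas_pop_node() later trips over. In the patched run the reset is skipped because the head's node_count was non-zero, and total and the reachable count agree at 8.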