From: Peng Zhang
To: Liam.Howlett@oracle.com
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, maple-tree@lists.infradead.org, Peng Zhang, stable@vger.kernel.org
Subject: [PATCH v2 1/2] maple_tree: Fix a potential memory leak, OOB access, or other unpredictable bug
Date: Tue, 11 Apr 2023 12:10:04 +0800
Message-Id: <20230411041005.26205-1-zhangpeng.00@bytedance.com>
X-Mailer: git-send-email 2.37.0 (Apple Git-136)

In mas_alloc_nodes(), "node->node_count = 0" means to initialize the
node_count field of the new node, but the node may not be a new node.
It may be a node that existed before and whose node_count has a value;
setting it to 0 will cause a memory leak. At this time,
mas->alloc->total will be greater than the actual number of nodes in
the linked list, which may cause many other errors. For example,
out-of-bounds access in mas_pop_node(), and mas_pop_node() may return
addresses that should not be used.

Fix it by initializing node_count only for new nodes.

Also, by the way, an if-else statement was removed to simplify the code.

Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Peng Zhang
Cc:
---
 lib/maple_tree.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index dd1a114d9e2b..938634bea2d6 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -1303,26 +1303,21 @@ static inline void mas_alloc_nodes(struct ma_state *mas, gfp_t gfp) node = mas->alloc; node->request_count = 0; while (requested) { - max_req = MAPLE_ALLOC_SLOTS; - if (node->node_count) { - unsigned int offset = node->node_count; - - slots = (void **)&node->slot[offset]; - max_req -= offset; - } else { - slots = (void **)&node->slot; - } - + max_req = MAPLE_ALLOC_SLOTS - node->node_count; + slots = (void **)&node->slot[node->node_count]; max_req = min(requested, max_req); count = mt_alloc_bulk(gfp, max_req, slots); if (!count) goto nomem_bulk; + if (node->node_count == 0) { + node->slot[0]->node_count = 0; + node->slot[0]->request_count = 0; + } + node->node_count += count; allocated += count; node = node->slot[0]; - node->node_count = 0; - node->request_count = 0; requested -= count; } mas->alloc->total = allocated; -- 2.20.1
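Review bot: the new `if (node->node_count == 0)` block after `mt_alloc_bulk()` needs a comment stating why that is the right condition: node_count was 0 before the bulk call, so slot[0] was filled by this call and is a fresh node whose node_count and request_count are uninitialized, whereas a node that already had node_count > 0 keeps a pre-existing slot[0] whose counters must be preserved (zeroing it there is the leak the commit message describes). A line such as `/* slot[0] was just allocated by this bulk call: initialize its counters */` above the check would save the next reader from re-deriving that. Second, the commit message itself calls the if-else removal an unrelated simplification; since the patch carries Fixes: and is Cc'd to stable, consider keeping the stable fix to the minimal change (the added `if` block plus the two removed `node->...= 0` lines) and sending the `max_req`/`slots` collapse as a separate cleanup, which also makes the backport easier to review. The collapse itself looks behavior-preserving: `MAPLE_ALLOC_SLOTS - node->node_count` and `&node->slot[node->node_count]` compute exactly what the removed branches did, including the node_count == 0 case where `&node->slot[0]` is the same address as `&node->slot`.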