[v2,1/2] maple_tree: Fix a potential memory leak, OOB access, or other unpredictable bug
Message ID | 20230411041005.26205-1-zhangpeng.00@bytedance.com |
---|---|
State | New |
Series | [v2,1/2] maple_tree: Fix a potential memory leak, OOB access, or other unpredictable bug |
Commit Message
Peng Zhang
April 11, 2023, 4:10 a.m. UTC
In mas_alloc_nodes(), "node->node_count = 0" means to initialize the
node_count field of the new node, but the node may not be a new node.
It may be a node that existed before and whose node_count already has a
value; setting it to 0 will cause a memory leak. At this time, mas->alloc->total will
be greater than the actual number of nodes in the linked list, which may
cause many other errors, for example an out-of-bounds access in mas_pop_node(),
and mas_pop_node() may return addresses that should not be used. Fix it
by initializing node_count only for new nodes.
Also, by the way, an if-else statement was removed to simplify the code.
Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Peng Zhang <zhangpeng.00@bytedance.com>
Cc: <stable@vger.kernel.org>
---
lib/maple_tree.c | 19 +++++++------------
1 file changed, 7 insertions(+), 12 deletions(-)
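As an added illustration (not part of the patch or of the kernel source), the following scaled-down C model of the allocation chain walked by mas_alloc_nodes() runs the loop once with the pre-patch reset and once with the patched check over a constructed chain, and returns how far mas->alloc->total drifts from the number of nodes actually reachable. It assumes a MAPLE_ALLOC_SLOTS of 3, a static array in place of the maple node slab, and a struct stripped down to node_count and slot[].

```c
#include <stdbool.h>
#include <string.h>
#define MAPLE_ALLOC_SLOTS 3 /* demo value; the kernel uses MAPLE_NODE_SLOTS - 1 */

struct maple_alloc {           /* the kernel struct minus total and request_count */
	unsigned char node_count;  /* used entries of slot[]; slot[0] doubles as the next chain node */
	struct maple_alloc *slot[MAPLE_ALLOC_SLOTS];
};
static struct maple_alloc arena[16]; /* stands in for the maple node slab (demo only) */
static unsigned int arena_used;

/* The loop of mas_alloc_nodes(); fixed=false reproduces the pre-patch reset.
 * allocated starts as the old mas->alloc->total; the new total is returned. */
static unsigned long alloc_nodes(struct maple_alloc *node, unsigned long allocated,
				 unsigned int requested, bool fixed)
{
	unsigned int max_req, count;

	while (requested) {
		max_req = MAPLE_ALLOC_SLOTS - node->node_count;
		max_req = requested < max_req ? requested : max_req;
		for (count = 0; count < max_req && arena_used < 16; count++) /* mt_alloc_bulk() */
			node->slot[node->node_count + count] = &arena[arena_used++];
		if (!count) return allocated;       /* the kernel's nomem_bulk path */
		if (fixed && node->node_count == 0) /* slot[0] was just allocated: init it once */
			node->slot[0]->node_count = 0;
		node->node_count += count;
		allocated += count;
		node = node->slot[0];
		if (!fixed)  /* pre-patch: wipes an existing node too, orphaning its slots */
			node->node_count = 0;
		requested -= count;
	}
	return allocated;
}

/* Nodes actually reachable from head: the head plus every counted slot. */
static unsigned long reachable(struct maple_alloc *node)
{
	unsigned long n = 1;
	for (; node->node_count; node = node->slot[0])
		n += node->node_count;
	return n;
}

/* Constructed chain head(1) -> n1(2) -> n2(0), total 4, then request 4 more.
 * Returns total - reachable: 2 with the old loop, 0 with the patched one. */
static long accounting_gap(bool fixed)
{
	struct maple_alloc *head = &arena[0], *n1 = &arena[1];
	memset(arena, 0, sizeof(arena));
	arena_used = 4;                         /* arena[2] is n2, arena[3] a leaf */
	head->node_count = 1; head->slot[0] = n1;
	n1->node_count = 2; n1->slot[0] = &arena[2]; n1->slot[1] = &arena[3];
	return (long)alloc_nodes(head, 4, 4, fixed) - (long)reachable(head);
}
```

With the old loop the head's existing slot[0] node is reset after the head is filled, so its two slots drop out of the accounting and total overstates the chain by 2; with the patched check the two numbers agree.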
Comments
* Peng Zhang <zhangpeng.00@bytedance.com> [230411 00:10]:
> In mas_alloc_nodes(), "node->node_count = 0" means to initialize the
> node_count field of the new node, but the node may not be a new node.
> It may be a node that existed before and node_count has a value, setting
> it to 0 will cause a memory leak. At this time, mas->alloc->total will
> be greater than the actual number of nodes in the linked list, which may
> cause many other errors. For example, out-of-bounds access in mas_pop_node(),
> and mas_pop_node() may return addresses that should not be used. Fix it
> by initializing node_count only for new nodes.
>
> Also, by the way, an if-else statement was removed to simplify the code.
>
> Fixes: 54a611b60590 ("Maple Tree: add new data structure")
> Signed-off-by: Peng Zhang <zhangpeng.00@bytedance.com>
> Cc: <stable@vger.kernel.org>

Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>

> ---
> lib/maple_tree.c | 19 +++++++------------
> 1 file changed, 7 insertions(+), 12 deletions(-)
>
> diff --git a/lib/maple_tree.c b/lib/maple_tree.c
> index dd1a114d9e2b..938634bea2d6 100644
> --- a/lib/maple_tree.c
> +++ b/lib/maple_tree.c
> @@ -1303,26 +1303,21 @@ static inline void mas_alloc_nodes(struct ma_state *mas, gfp_t gfp) > node = mas->alloc; > node->request_count = 0; > while (requested) { > - max_req = MAPLE_ALLOC_SLOTS; > - if (node->node_count) { > - unsigned int offset = node->node_count; > - > - slots = (void **)&node->slot[offset]; > - max_req -= offset; > - } else { > - slots = (void **)&node->slot; > - } > - > + max_req = MAPLE_ALLOC_SLOTS - node->node_count; > + slots = (void **)&node->slot[node->node_count]; > max_req = min(requested, max_req); > count = mt_alloc_bulk(gfp, max_req, slots); > if (!count) > goto nomem_bulk; > > + if (node->node_count == 0) { > + node->slot[0]->node_count = 0; > + node->slot[0]->request_count = 0; > + } > + > node->node_count += count; > allocated += count; > node = node->slot[0]; > - node->node_count = 0; > - node->request_count = 0; > requested -= count; > } > mas->alloc->total = allocated; > -- > 2.20.1 >
diff --git a/lib/maple_tree.c b/lib/maple_tree.c index dd1a114d9e2b..938634bea2d6 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -1303,26 +1303,21 @@ static inline void mas_alloc_nodes(struct ma_state *mas, gfp_t gfp) node = mas->alloc; node->request_count = 0; while (requested) { - max_req = MAPLE_ALLOC_SLOTS; - if (node->node_count) { - unsigned int offset = node->node_count; - - slots = (void **)&node->slot[offset]; - max_req -= offset; - } else { - slots = (void **)&node->slot; - } - + max_req = MAPLE_ALLOC_SLOTS - node->node_count; + slots = (void **)&node->slot[node->node_count]; max_req = min(requested, max_req); count = mt_alloc_bulk(gfp, max_req, slots); if (!count) goto nomem_bulk; + if (node->node_count == 0) { + node->slot[0]->node_count = 0; + node->slot[0]->request_count = 0; + } + node->node_count += count; allocated += count; node = node->slot[0]; - node->node_count = 0; - node->request_count = 0; requested -= count; } mas->alloc->total = allocated;
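Review bot: the new `if (node->node_count == 0)` block is only correct because `count` is already known to be non-zero at that point, which is what makes `node->slot[0]` the node mt_alloc_bulk() just returned rather than a pre-existing chain node; that ordering dependency on the `if (!count) goto nomem_bulk;` check two lines above deserves a one-line comment (e.g. `/* slot[0] was just allocated by mt_alloc_bulk(): initialise it once */`) so a later reordering does not quietly reintroduce the reset of an existing node. Separately, `max_req = MAPLE_ALLOC_SLOTS - node->node_count;` yields zero for a full node, and if mt_alloc_bulk() returns 0 for a zero-size request the loop would report that through nomem_bulk as an allocation failure; the hunk relies on the loop never visiting a full node, so that invariant should be stated in a comment or checked with MT_BUG_ON() rather than left implicit.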