From: Peng Zhang
To: Liam.Howlett@oracle.com
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, maple-tree@lists.infradead.org, Peng Zhang
Subject: [PATCH 1/2] maple_tree: Add a test case to check maple_alloc
Date: Fri, 7 Apr 2023 12:07:17 +0800
Message-Id: <20230407040718.99064-1-zhangpeng.00@bytedance.com>

Add a test case to check whether the number of maple_alloc structures is
actually equal to mas->alloc->total.

Signed-off-by: Peng Zhang
---
 tools/testing/radix-tree/maple.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/tools/testing/radix-tree/maple.c b/tools/testing/radix-tree/maple.c index 958ee9bdb316..26389e0dcfff 100644 --- a/tools/testing/radix-tree/maple.c +++ b/tools/testing/radix-tree/maple.c 
@@ -55,6 +55,28 @@ struct rcu_reader_struct { struct rcu_test_struct2 *test; }; +static int get_alloc_node_count(struct ma_state *mas) +{ + int count = 1; + struct maple_alloc *node = mas->alloc; + + if (!node || ((unsigned long)node & 0x1)) + return 0; + while (node->node_count) { + count += node->node_count; + node = node->slot[0]; + } + return count; +} + +static void check_mas_alloc_node_count(struct ma_state *mas) +{ + mas_node_count_gfp(mas, MAPLE_ALLOC_SLOTS + 1, GFP_KERNEL); + mas_node_count_gfp(mas, MAPLE_ALLOC_SLOTS + 3, GFP_KERNEL); + MT_BUG_ON(mas->tree, get_alloc_node_count(mas) != mas->alloc->total); + mas_destroy(mas); +} + /* * check_new_node() - Check the creation of new nodes and error path * verification. 
@@ -69,6 +91,8 @@ static noinline void check_new_node(struct maple_tree *mt) MA_STATE(mas, mt, 0, 0); + check_mas_alloc_node_count(&mas); + /* Try allocating 3 nodes */ mtree_lock(mt); mt_set_non_kernel(0);
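
Review bot: In check_mas_alloc_node_count() (patch 1/2, hunk @@ -55,6 +55,28 @@), the MT_BUG_ON() expression dereferences mas->alloc->total unconditionally, although get_alloc_node_count() itself allows for mas->alloc being NULL or having its low bit set. If either mas_node_count_gfp() call fails to allocate, the test faults instead of reporting a failure, so check mas->alloc (and the low-bit case) before the comparison. A short comment saying why MAPLE_ALLOC_SLOTS + 1 followed by MAPLE_ALLOC_SLOTS + 3 is the sequence that matters, and what the "& 0x1" test stands for, would make the helper readable without the 2/2 commit message.
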
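
Review bot: In check_new_node() (patch 1/2, hunk @@ -69,6 +91,8 @@), the new call "check_mas_alloc_node_count(&mas);" sits before mtree_lock(mt), so it runs without the lock the following checks take, and it ends with mas_destroy() on the same ma_state those checks reuse. If running it unlocked is intended, a one-line comment would say so; otherwise move the call after mtree_lock(mt).
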
From: Peng Zhang
To: Liam.Howlett@oracle.com
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, maple-tree@lists.infradead.org, Peng Zhang , stable@vger.kernel.org
Subject: [PATCH 2/2] maple_tree: Fix a potential memory leak, OOB access, or other unpredictable bug
Date: Fri, 7 Apr 2023 12:07:18 +0800
Message-Id: <20230407040718.99064-2-zhangpeng.00@bytedance.com>
In-Reply-To: <20230407040718.99064-1-zhangpeng.00@bytedance.com>
References: <20230407040718.99064-1-zhangpeng.00@bytedance.com>

In mas_alloc_nodes(), there is such a piece of code:

while (requested) {
	...
	node->node_count = 0;
	...
}

"node->node_count = 0" means to initialize the node_count field of the
new node, but the node may not be a new node. It may be a node that
existed before and node_count has a value, setting it to 0 will cause a
memory leak. At this time, mas->alloc->total will be greater than the
actual number of nodes in the linked list, which may cause many other
errors. For example, out-of-bounds access in mas_pop_node(), and
mas_pop_node() may return addresses that should not be used.
Fix it by initializing node_count only for new nodes.

Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Peng Zhang
Cc:
---
 lib/maple_tree.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c index 65fd861b30e1..9e25b3215803 100644 
--- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -1249,26 +1249,18 @@ static inline void mas_alloc_nodes(struct ma_state *mas, gfp_t gfp) node = mas->alloc; node->request_count = 0; while (requested) { - max_req = MAPLE_ALLOC_SLOTS; - if (node->node_count) { - unsigned int offset = node->node_count; - - slots = (void **)&node->slot[offset]; - max_req -= offset; - } else { - slots = (void **)&node->slot; - } - + max_req = MAPLE_ALLOC_SLOTS - node->node_count; + slots = (void **)&node->slot[node->node_count]; max_req = min(requested, max_req); count = mt_alloc_bulk(gfp, max_req, slots); if (!count) goto nomem_bulk; + if (node->node_count == 0) + node->slot[0]->node_count = 0; node->node_count += count; allocated += count; node = node->slot[0]; - node->node_count = 0; - node->request_count = 0; requested -= count; } mas->alloc->total = allocated;
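
Review bot: In the while (requested) loop of mas_alloc_nodes(), the removed lines reset both node_count and request_count on the node reached through slot[0], but the added "node->slot[0]->node_count = 0;" resets only node_count, so a newly allocated slot[0] node keeps whatever request_count the allocator returned. Unless mt_alloc_bulk() is guaranteed to hand back zeroed memory, also set node->slot[0]->request_count = 0 inside the same "if (node->node_count == 0)" branch. Separately, "max_req = MAPLE_ALLOC_SLOTS - node->node_count" with "slots = (void **)&node->slot[node->node_count]" assumes node_count is below MAPLE_ALLOC_SLOTS for every node the loop visits; with a full node max_req becomes 0 and a zero count from mt_alloc_bulk() goes to nomem_bulk, so a comment stating that invariant would help.
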
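
The mismatch described in the 2/2 commit message (mas->alloc->total larger than the number of nodes still linked) can be reproduced in a small userspace model. This is an added example, not code from the patch or the kernel: struct anode, SLOTS, new_node(), alloc_nodes() and mismatch() are hypothetical names, and the "fresh head node" step before the loop is an assumption about code outside the hunk.

```c
#include <stdio.h>
#include <stdlib.h>
#define SLOTS 4UL /* stand-in for MAPLE_ALLOC_SLOTS; value assumed for the model */
struct anode {                 /* simplified model of struct maple_alloc */
	unsigned long total;       /* kept on the head node only */
	unsigned char node_count;  /* used entries in slot[] */
	struct anode *slot[SLOTS]; /* slot[0] links to the next list node */
};

static struct anode *new_node(void)
{
	struct anode *n = calloc(1, sizeof(*n));
	if (!n) abort();           /* allocation failure is not modelled */
	return n;
}

/* Model of the request loop; callers pass want > the current total. */
static void alloc_nodes(struct anode **head, unsigned long want, int fixed)
{
	unsigned long have = *head ? (*head)->total : 0, req = want - have, n, i;
	struct anode *node;
	if (!have || (*head)->node_count == SLOTS) { /* assumed: fresh head node */
		node = new_node();
		if (have) { node->slot[0] = *head; node->node_count = 1; }
		*head = node; have++; req--;
	}
	for (node = *head; req; req -= n) {
		n = SLOTS - node->node_count < req ? SLOTS - node->node_count : req;
		if (!n) break;         /* full node: the model simply stops */
		for (i = 0; i < n; i++) node->slot[node->node_count + i] = new_node();
		if (fixed && !node->node_count) node->slot[0]->node_count = 0;
		node->node_count += n; have += n;
		node = node->slot[0];
		if (!fixed) node->node_count = 0; /* old code: may wipe a live node */
	}
	(*head)->total = have;
}

/* total minus the nodes found by the walk used in patch 1/2's test helper */
static long mismatch(int fixed)
{
	struct anode *head = NULL, *p;
	long seen = 1;             /* the head itself; the model never frees */
	alloc_nodes(&head, SLOTS + 1, fixed);
	alloc_nodes(&head, SLOTS + 3, fixed);
	for (p = head; p->node_count; p = p->slot[0]) seen += p->node_count;
	return (long)head->total - seen;
}

int main(void) { printf("old %ld, fixed %ld\n", mismatch(0), mismatch(1)); return 0; }
```

With the old reset, the second request zeroes node_count on the previous head, so its SLOTS children stay counted in total but are no longer reachable; with the patched condition the two numbers agree.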