Date: Thu, 20 Feb 2020 20:04:30 -0800
From: akpm@linux-foundation.org
To: walter-zh.wu@mediatek.com, tglx@linutronix.de, stable@vger.kernel.org, matthias.bgg@gmail.com, kstewart@linuxfoundation.org, jpoimboe@redhat.com, gregkh@linuxfoundation.org, dvyukov@google.com, glider@google.com, akpm@linux-foundation.org, mm-commits@vger.kernel.org, linux-mm@kvack.org, torvalds@linux-foundation.org
Subject: [patch 14/15] lib/stackdepot.c: fix global out-of-bounds in stack_slabs
Message-ID: <20200221040430.yhCYr%akpm@linux-foundation.org>

From: Alexander Potapenko Subject: lib/stackdepot.c: fix global out-of-bounds in stack_slabs Walter Wu has reported a potential case in which init_stack_slab() is called after stack_slabs[STACK_ALLOC_MAX_SLABS - 1] has already been initialized. In that case init_stack_slab() will overwrite stack_slabs[STACK_ALLOC_MAX_SLABS], which may result in a memory corruption. Link: http://lkml.kernel.org/r/20200218102950.260263-1-glider@google.com Fixes: cd11016e5f521 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB") Signed-off-by: Alexander Potapenko Reported-by: Walter Wu Cc: Dmitry Vyukov Cc: Matthias Brugger Cc: Thomas Gleixner Cc: Josh Poimboeuf Cc: Kate Stewart Cc: Greg Kroah-Hartman Cc: Signed-off-by: Andrew Morton --- lib/stackdepot.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/lib/stackdepot.c~lib-stackdepot-fix-global-out-of-bounds-in-stack_slabs +++ a/lib/stackdepot.c @@ -83,15 +83,19 @@ static bool init_stack_slab(void **preal return true; if (stack_slabs[depot_index] == NULL) { stack_slabs[depot_index] = *prealloc; + *prealloc = NULL; } else { - stack_slabs[depot_index + 1] = *prealloc; + /* If this is the last depot slab, do not touch the next one. */ + if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) { + stack_slabs[depot_index + 1] = *prealloc; + *prealloc = NULL; + } /* * This smp_store_release pairs with smp_load_acquire() from * |next_slab_inited| above and in stack_depot_save(). */ smp_store_release(&next_slab_inited, 1); } - *prealloc = NULL; return true; } _
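
Review bot: in the else branch, when depot_index + 1 == STACK_ALLOC_MAX_SLABS the new guard skips the store, but `smp_store_release(&next_slab_inited, 1)` still runs and the function still returns true with `*prealloc` left non-NULL. That changes the contract for callers: the unconditional `*prealloc = NULL;` before `return true;` is gone, so the pointer is now cleared only when the page was actually installed in stack_slabs. If setting next_slab_inited with no next slab behind it is deliberate for the last-slab case, please say so in the comment above the release store, and add a comment on init_stack_slab() stating that a non-NULL `*prealloc` on return means the page was not consumed and stays with the caller to free. It would also help to confirm in the changelog that every caller already copes with `*prealloc` surviving the call, since the hunk only shows the callee side.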