From: Sergey Senozhatsky
To: Andrew Morton
Cc: Minchan Kim, Yosry Ahmed, Vitaly Wool, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Sergey Senozhatsky, Igor Belousov, stable@vger.kernel.org
Subject: [PATCH] zsmalloc: don't underflow size calculation in zs_obj_write()
Date: Sun, 4 May 2025 20:00:22 +0900
Message-ID: <20250504110650.2783619-1-senozhatsky@chromium.org>

Do not mix class->size and object size during offsets/sizes calculation
in zs_obj_write(). Size classes can merge into clusters, based on
objects-per-zspage and pages-per-zspage characteristics, so some size
classes can store objects smaller than class->size. This becomes
problematic when the object size is much smaller than class->size: we can
determine that the object spans two physical pages, because we use the
larger class->size for this, while the actual object is much smaller and
fits in one physical page, so there is nothing to write to the second
page and the memcpy() size calculation underflows. We always know the
exact size in bytes of the object that we are about to write (store), so
use it instead of class->size.

Reported-by: Igor Belousov
Cc:
Signed-off-by: Sergey Senozhatsky
---
 mm/zsmalloc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index 70406ac94bbd..999b513c7fdf 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1233,19 +1233,19 @@ void zs_obj_write(struct zs_pool *pool, unsigned long handle, class = zspage_class(pool, zspage); off = offset_in_page(class->size * obj_idx); - if (off + class->size <= PAGE_SIZE) { + if (!ZsHugePage(zspage)) + off += ZS_HANDLE_SIZE; + + if (off + mem_len <= PAGE_SIZE) { /* this object is contained entirely within a page */ void *dst = kmap_local_zpdesc(zpdesc); - if (!ZsHugePage(zspage)) - off += ZS_HANDLE_SIZE; memcpy(dst + off, handle_mem, mem_len); kunmap_local(dst); } else { /* this object spans two pages */ size_t sizes[2]; - off += ZS_HANDLE_SIZE; sizes[0] = PAGE_SIZE - off; sizes[1] = mem_len - sizes[0]; -- 2.49.0.906.g1f30a19c02-goog
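Review bot: the `else` ("spans two pages") branch changes behaviour for huge zspages without the commit message saying so: before the hunk `off += ZS_HANDLE_SIZE;` ran unconditionally there, after it the handle offset is only added under `if (!ZsHugePage(zspage))`. That is fine if a huge zspage can never take that branch (one object per page, so `off` is 0 and the object fits), but the message only discusses the `class->size` versus `mem_len` mix-up; please either state that the huge-page case is unaffected or split the hoisting of the `ZS_HANDLE_SIZE` adjustment into a preparatory patch. On the fix itself: with `if (off + mem_len <= PAGE_SIZE)` as the condition, entering the `else` branch guarantees `mem_len > PAGE_SIZE - off`, so `sizes[1] = mem_len - sizes[0];` can no longer wrap; since that now rests entirely on callers passing the true stored size, a `WARN_ON_ONCE(mem_len > class->size)` next to the computation would document the invariant and turn a future violation into a visible warning instead of a silent oversized memcpy().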
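To make the failure mode in the commit message concrete, the following is an added, stand-alone C model of the offset/size computation before and after the patch; it is not kernel code and not part of the posted patch. It assumes 4 KiB pages and an 8-byte handle (MODEL_PAGE_SIZE and MODEL_HANDLE_SIZE are the example's own constants), and the class size, object index and object length in the scenarios are constructed values. With the old logic the page-span decision is made with class_size, so a small object stored in a larger merged class is routed to the two-page branch and `mem_len - sizes[0]` wraps around in size_t; the fixed logic decides with mem_len and keeps the legitimate two-page case intact.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model constants, assumed for this example: 4 KiB pages and an 8-byte
 * object handle stored in front of the payload, as on a 64-bit build. */
#define MODEL_PAGE_SIZE   4096u
#define MODEL_HANDLE_SIZE 8u

/* Outcome of the offset/size computation for one object write. */
struct split {
    bool   spans_two_pages;   /* which branch the write would take */
    size_t off;               /* byte offset of the payload in the first page */
    size_t sizes[2];          /* bytes copied into the first and second page */
};

/* Pre-fix logic: the "spans two pages?" test uses class_size, although
 * only mem_len bytes are actually written. */
static struct split split_old(size_t class_size, size_t obj_idx,
                              size_t mem_len, bool huge)
{
    struct split s = {0};
    size_t off = (class_size * obj_idx) % MODEL_PAGE_SIZE;  /* offset_in_page() */

    if (off + class_size <= MODEL_PAGE_SIZE) {
        if (!huge)
            off += MODEL_HANDLE_SIZE;
        s.off = off;
        s.sizes[0] = mem_len;
    } else {
        off += MODEL_HANDLE_SIZE;
        s.spans_two_pages = true;
        s.off = off;
        s.sizes[0] = MODEL_PAGE_SIZE - off;
        s.sizes[1] = mem_len - s.sizes[0];   /* size_t wraps if mem_len < sizes[0] */
    }
    return s;
}

/* Post-fix logic: handle offset applied once, decision made on mem_len. */
static struct split split_new(size_t class_size, size_t obj_idx,
                              size_t mem_len, bool huge)
{
    struct split s = {0};
    size_t off = (class_size * obj_idx) % MODEL_PAGE_SIZE;

    if (!huge)
        off += MODEL_HANDLE_SIZE;

    if (off + mem_len <= MODEL_PAGE_SIZE) {
        s.off = off;
        s.sizes[0] = mem_len;
    } else {
        s.spans_two_pages = true;
        s.off = off;
        s.sizes[0] = MODEL_PAGE_SIZE - off;
        s.sizes[1] = mem_len - s.sizes[0];   /* mem_len > sizes[0] here, no wrap */
    }
    return s;
}

/* Bounds check: both copy lengths must fit in their page and add up to
 * mem_len; a wrapped sizes[1] is far larger than a page and fails. */
static bool split_is_sane(const struct split *s, size_t mem_len)
{
    if (s->off >= MODEL_PAGE_SIZE)
        return false;
    if (s->sizes[0] > MODEL_PAGE_SIZE - s->off)
        return false;
    if (s->sizes[1] > MODEL_PAGE_SIZE)
        return false;
    return s->sizes[0] + s->sizes[1] == mem_len;
}

static bool old_is_sane(size_t class_size, size_t obj_idx, size_t mem_len, bool huge)
{
    struct split s = split_old(class_size, obj_idx, mem_len, huge);
    return split_is_sane(&s, mem_len);
}

static bool new_is_sane(size_t class_size, size_t obj_idx, size_t mem_len, bool huge)
{
    struct split s = split_new(class_size, obj_idx, mem_len, huge);
    return split_is_sane(&s, mem_len);
}

/* Copy length the fixed logic assigns to page `which` (0 or 1). */
static size_t new_chunk(size_t class_size, size_t obj_idx, size_t mem_len,
                        bool huge, int which)
{
    struct split s = split_new(class_size, obj_idx, mem_len, huge);
    return s.sizes[which];
}

int main(void)
{
    /* Constructed scenario: a 3072-byte merged class holding a 512-byte
     * object at index 1, so off = 3072 before the handle is added. */
    struct split o = split_old(3072, 1, 512, false);
    struct split n = split_new(3072, 1, 512, false);

    printf("old: spans=%d sizes={%zu, %zu} sane=%d\n", o.spans_two_pages,
           o.sizes[0], o.sizes[1], split_is_sane(&o, 512));
    printf("new: spans=%d sizes={%zu, %zu} sane=%d\n", n.spans_two_pages,
           n.sizes[0], n.sizes[1], split_is_sane(&n, 512));
    return 0;
}
```

The second scenario in the test below (a 3000-byte object in the same slot) genuinely straddles the page boundary, and both versions agree on a 1016/1984 split, which is the behaviour the fix has to preserve.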