From: Igor Belousov <igor.b@beldev.am>
To: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Minchan Kim <minchan@kernel.org>,
Yosry Ahmed <yosry.ahmed@linux.dev>,
Vitaly Wool <vitaly.wool@konsulko.se>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
stable@vger.kernel.org
Subject: Re: [PATCH] zsmalloc: don't underflow size calculation in zs_obj_write()
Date: Mon, 05 May 2025 13:05:15 +0400
Message-ID: <646103e14947d09668f84ed5536afa3a@beldev.am>
In-Reply-To: <20250504110650.2783619-1-senozhatsky@chromium.org>
On 2025-05-04 15:00, Sergey Senozhatsky wrote:
> Do not mix class->size and object size during offsets/sizes
> calculation in zs_obj_write(). Size classes can merge into
> clusters, based on objects-per-zspage and pages-per-zspage
> characteristics, so some size classes can store objects
> smaller than class->size. This becomes problematic when
> object size is much smaller than class->size - we can determine
> that object spans two physical pages, because we use a larger
> class->size for this, while the actual object is much smaller
> and fits one physical page, so there is nothing to write to
> the second page and memcpy() size calculation underflows.
>
> We always know the exact size in bytes of the object
> that we are about to write (store), so use it instead of
> class->size.
>
> Reported-by: Igor Belousov <igor.b@beldev.am>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Tested-by: Igor Belousov <igor.b@beldev.am>
> ---
> mm/zsmalloc.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
> index 70406ac94bbd..999b513c7fdf 100644
> --- a/mm/zsmalloc.c
> +++ b/mm/zsmalloc.c
> @@ -1233,19 +1233,19 @@ void zs_obj_write(struct zs_pool *pool,
> unsigned long handle,
> class = zspage_class(pool, zspage);
> off = offset_in_page(class->size * obj_idx);
>
> - if (off + class->size <= PAGE_SIZE) {
> + if (!ZsHugePage(zspage))
> + off += ZS_HANDLE_SIZE;
> +
> + if (off + mem_len <= PAGE_SIZE) {
> /* this object is contained entirely within a page */
> void *dst = kmap_local_zpdesc(zpdesc);
>
> - if (!ZsHugePage(zspage))
> - off += ZS_HANDLE_SIZE;
> memcpy(dst + off, handle_mem, mem_len);
> kunmap_local(dst);
> } else {
> /* this object spans two pages */
> size_t sizes[2];
>
> - off += ZS_HANDLE_SIZE;
> sizes[0] = PAGE_SIZE - off;
> sizes[1] = mem_len - sizes[0];
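Review bot: the hoisted `if (!ZsHugePage(zspage)) off += ZS_HANDLE_SIZE;` now also governs the `else` branch, where the removed `off += ZS_HANDLE_SIZE;` was unconditional; the commit message should state why a huge zspage can never reach the two-page path (or the hunk should keep the unconditional add there), so that the behaviour change for huge zspages is documented rather than implicit. On the underflow itself, testing `off + mem_len <= PAGE_SIZE` with the handle already folded into `off` means the `else` branch is entered only when `mem_len > PAGE_SIZE - off`, so `sizes[1] = mem_len - sizes[0];` can no longer wrap; a one-line comment next to `sizes[1]` stating that invariant would make the fix self-explanatory to the next reader.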
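The arithmetic the commit message describes, as an added C model that is not kernel code and not part of the patch: `split_before` follows the removed lines, `split_after` the added ones. MODEL_PAGE_SIZE, MODEL_HANDLE_SIZE and the class_size/obj_idx/mem_len values used with it are constructed assumptions.

```c
/* Added model of the zs_obj_write() offset arithmetic in the hunk above; not kernel code. */
#include <stdbool.h>
#include <stddef.h>

#define MODEL_PAGE_SIZE   ((size_t)4096) /* assumed PAGE_SIZE */
#define MODEL_HANDLE_SIZE ((size_t)8)    /* assumed ZS_HANDLE_SIZE */

struct split {
    bool spans_two_pages; /* took the "object spans two pages" branch */
    bool underflow;       /* sizes[1] = mem_len - sizes[0] would wrap below zero */
    size_t first, second; /* bytes copied to each page (second is 0 on wrap) */
};

/* Before the fix: containment is tested with class_size, but the split uses mem_len. */
static struct split split_before(size_t class_size, size_t obj_idx,
                                 size_t mem_len, bool huge)
{
    struct split s = {0};
    size_t off = (class_size * obj_idx) % MODEL_PAGE_SIZE; /* offset_in_page() */
    if (off + class_size <= MODEL_PAGE_SIZE) {
        if (!huge) off += MODEL_HANDLE_SIZE;
        s.first = mem_len;
    } else {
        off += MODEL_HANDLE_SIZE; /* old code: added unconditionally here */
        s.spans_two_pages = true;
        s.first = MODEL_PAGE_SIZE - off;
        s.underflow = mem_len < s.first; /* size_t subtraction would wrap */
        s.second = s.underflow ? 0 : mem_len - s.first;
    }
    return s;
}

/* After the fix: fold the handle into off first, then test with the real object length. */
static struct split split_after(size_t class_size, size_t obj_idx,
                                size_t mem_len, bool huge)
{
    struct split s = {0};
    size_t off = (class_size * obj_idx) % MODEL_PAGE_SIZE;
    if (!huge) off += MODEL_HANDLE_SIZE;
    if (off + mem_len <= MODEL_PAGE_SIZE) {
        s.first = mem_len;
    } else {
        s.spans_two_pages = true;
        s.first = MODEL_PAGE_SIZE - off;
        s.underflow = mem_len < s.first; /* cannot be true: mem_len > PAGE_SIZE - off here */
        s.second = s.underflow ? 0 : mem_len - s.first;
    }
    return s;
}
```

With a 3072-byte class holding a 512-byte object at index 1, the old test sees a two-page object and computes sizes[1] from a 1016-byte first chunk, which wraps; the new test places the whole object in one page, while a genuinely page-crossing 2000-byte object still splits 1016/984 in both versions.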