Date: Mon, 05 May 2025 13:05:15 +0400
From: Igor Belousov
To: Sergey Senozhatsky
Cc: Andrew Morton, Minchan Kim, Yosry Ahmed, Vitaly Wool, linux-kernel@vger.kernel.org, linux-mm@kvack.org, stable@vger.kernel.org
Subject: Re: [PATCH] zsmalloc: don't underflow size calculation in zs_obj_write()
In-Reply-To: <20250504110650.2783619-1-senozhatsky@chromium.org>
References: <20250504110650.2783619-1-senozhatsky@chromium.org>
Message-ID: <646103e14947d09668f84ed5536afa3a@beldev.am>

On 2025-05-04 15:00, Sergey
Senozhatsky wrote: > Do not mix class->size and object size during offsets/sizes > calculation in zs_obj_write(). Size classes can merge into > clusters, based on objects-per-zspage and pages-per-zspage > characteristics, so some size classes can store objects > smaller than class->size. This becomes problematic when > object size is much smaller than class->size - we can determine > that object spans two physical pages, because we use a larger > class->size for this, while the actual object is much smaller > and fits one physical page, so there is nothing to write to > the second page and memcpy() size calculation underflows. > > We always know the exact size in bytes of the object > that we are about to write (store), so use it instead of > class->size. > > Reported-by: Igor Belousov > Cc: > Signed-off-by: Sergey Senozhatsky Tested-by: Igor Belousov > --- > mm/zsmalloc.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c > index 70406ac94bbd..999b513c7fdf 100644 > --- a/mm/zsmalloc.c > +++ b/mm/zsmalloc.c > @@ -1233,19 +1233,19 @@ void zs_obj_write(struct zs_pool *pool, > unsigned long handle, > class = zspage_class(pool, zspage); > off = offset_in_page(class->size * obj_idx); > > - if (off + class->size <= PAGE_SIZE) { > + if (!ZsHugePage(zspage)) > + off += ZS_HANDLE_SIZE; > + > + if (off + mem_len <= PAGE_SIZE) { > /* this object is contained entirely within a page */ > void *dst = kmap_local_zpdesc(zpdesc); > > - if (!ZsHugePage(zspage)) > - off += ZS_HANDLE_SIZE; > memcpy(dst + off, handle_mem, mem_len); > kunmap_local(dst); > } else { > /* this object spans two pages */ > size_t sizes[2]; > > - off += ZS_HANDLE_SIZE; > sizes[0] = PAGE_SIZE - off; > sizes[1] = mem_len - sizes[0];
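Review bot: the fix in this hunk removes the underflow only as long as the caller's mem_len never exceeds the space an object actually has in its slot (class->size, minus ZS_HANDLE_SIZE on non-huge zspages); the new `if (off + mem_len <= PAGE_SIZE)` check decides which of the two branches runs but does not validate mem_len itself, so an oversized mem_len would no longer underflow `sizes[1] = mem_len - sizes[0]` but would instead be copied past the object's slot in the two-page branch. It would be worth stating that invariant in the commit message or guarding it with a `WARN_ON_ONCE()` next to the `off += ZS_HANDLE_SIZE` adjustment, so the precondition is visible at the point the offset is computed rather than assumed. A second point for the commit message: hoisting the `if (!ZsHugePage(zspage)) off += ZS_HANDLE_SIZE;` above the branch also changes the two-page path, which previously added ZS_HANDLE_SIZE unconditionally (`- off += ZS_HANDLE_SIZE;` in the else block) and now adds it only for non-huge zspages; that is consistent with the single-page path but is a behaviour change the description does not mention, and reviewers of the stable backport will want it called out.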