From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75AD0C76196 for ; Mon, 10 Apr 2023 13:28:19 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id DC903280018; Mon, 10 Apr 2023 09:28:18 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D77CB280002; Mon, 10 Apr 2023 09:28:18 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C3FE8280018; Mon, 10 Apr 2023 09:28:18 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id B5997280002 for ; Mon, 10 Apr 2023 09:28:18 -0400 (EDT) Received: from smtpin03.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 6F8F01C5F26 for ; Mon, 10 Apr 2023 13:28:18 +0000 (UTC) X-FDA: 80665560276.03.122A67A Received: from mail-pl1-f194.google.com (mail-pl1-f194.google.com [209.85.214.194]) by imf16.hostedemail.com (Postfix) with ESMTP id 8EDB5180014 for ; Mon, 10 Apr 2023 13:28:16 +0000 (UTC) Authentication-Results: imf16.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=dCYCTrkb; spf=pass (imf16.hostedemail.com: domain of perlyzhang@gmail.com designates 209.85.214.194 as permitted sender) smtp.mailfrom=perlyzhang@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1681133296; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=vPdI8YYBvkU0rtwv6q9PYIJ+2TW8RoJU3kOJcZfGvD8=; b=uuUc/DKoSAUeKEaSIGhgzeJPSEbl2GAcNkYt1PuMpRrjo1XnRjon24QVj7kla4EtaeAbUW 1Mdm0YRWjre1kK9GITrkHOdoy6z3I1n6e6ClJtnhB16/JXHMWolaF3gztepfeOkylqC9+5 +UpUIAo1SAJoB/zc2P//PxLPWEiHY7I= ARC-Authentication-Results: i=1; imf16.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=dCYCTrkb; spf=pass (imf16.hostedemail.com: domain of perlyzhang@gmail.com designates 209.85.214.194 as permitted sender) smtp.mailfrom=perlyzhang@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1681133296; a=rsa-sha256; cv=none; b=VWL+5CTOiRw+hXNFnN32y1pvwgM9FOPLiD+hAb//Sxk0Eg7Gco873kbdqzwjvOr2I2u5ew MrVYdQx5+uGPf4Z5gJyyF+fP2eAhuQo6A5U8uDwdYcxREiz0P5Ar1nul56jGULjYG5jwwe 19ysW6W/LdTKgawIj7RqXUQ3gbdFkJA= Received: by mail-pl1-f194.google.com with SMTP id o2so4635849plg.4 for ; Mon, 10 Apr 2023 06:28:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681133295; h=content-transfer-encoding:in-reply-to:from:references:to:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=vPdI8YYBvkU0rtwv6q9PYIJ+2TW8RoJU3kOJcZfGvD8=; b=dCYCTrkbfniUH5qxoZuUGOd1uSGwAzLSXRrTqGZG4KRFnYfeTw9tIG2rD9fAw2HbXb fw2/JoEDOdSqjMEnj6a3sVC+x3ZJmDH/qZraTrAYP5DgEgVMuN/aCn+oEw1AgG4xXqAn zucfS0i1P4BqASVh5XZrNbXSua/7mkAun0Mmc9VwMJsDPe0iEtSAtfUl7JODFs7SXQL3 jVr2htLWRnPplwYvDYw+0tzKUH5bEp0wFEPw9NJkqBsYHsEaC0z19u94BBLXlu1jhlFq 6NZCvpbiHYIrOOk1MWfb7xGH8FVDJq2CJOu370RdMz4HhdJuGC1/2bTtKhFMojpYWmxD XW2A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681133295; h=content-transfer-encoding:in-reply-to:from:references:to:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=vPdI8YYBvkU0rtwv6q9PYIJ+2TW8RoJU3kOJcZfGvD8=; b=nBmRj1+/sFje5HRA9/HhzrnHHQGJ/ENfN8kotTY2yCNDs8S9e6Dq2CqotfRAQ2muyd 8AoHzRk6YxZK3P7JZUv7sCR/VLohye3MUFrWmrVd500L0BarkS4JF6lNIxQmTMuETniW LJD24pJPx0lZqMglKQrRKtDg+qPEpWywdHjFI4msjtsM7Xq7kuJKIlVQS8kL2t1BwhLb hz0iVTbpTKXVwZWNI4rzPaRdKztRk4ouGjydM1kDZ0EHvBpsPO1Vd/sNnqA4SlWA+oRw ioakhAmyHLB4gL8CQYWspF/u7sfwQMAv9ZueBZHOBP2ChH6iwFbFKKWTpOk4cmvi0Bf0 NnFA== X-Gm-Message-State: AAQBX9cYbRrDkV4vdtxep4mFZ6648kppROKyrTMB45qVnIOa4Nt+NNwX zYpOGN4vsoDmq1PmpvCj2iE= X-Google-Smtp-Source: AKy350YlZemfIfaB7aH5HZnQXUj9bbnYBvWCn2tCSEB4gEWt8gAd9iSvKhVCW+/MBPr8yFp13JvjVQ== X-Received: by 2002:a17:902:c40b:b0:1a1:8fd4:251 with SMTP id k11-20020a170902c40b00b001a18fd40251mr15282780plk.55.1681133295290; Mon, 10 Apr 2023 06:28:15 -0700 (PDT) Received: from [10.200.10.217] ([139.177.225.248]) by smtp.gmail.com with ESMTPSA id m12-20020a1709026bcc00b001a183ade911sm7748976plt.56.2023.04.10.06.28.12 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 10 Apr 2023 06:28:14 -0700 (PDT) Message-ID: Date: Mon, 10 Apr 2023 21:28:10 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.9.1 Subject: Re: [PATCH 2/2] maple_tree: Fix a potential memory leak, OOB access, or other unpredictable bug To: "Liam R. Howlett" , Peng Zhang , akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, maple-tree@lists.infradead.org, stable@vger.kernel.org References: <20230407040718.99064-1-zhangpeng.00@bytedance.com> <20230407040718.99064-2-zhangpeng.00@bytedance.com> <20230410124331.kijufkik2qlxoxjz@revolver> <84c50299-5b5b-867e-1e96-2d3a0c6ade2a@gmail.com> <20230410131258.txkiqa5eudgsrmht@revolver> From: Peng Zhang In-Reply-To: <20230410131258.txkiqa5eudgsrmht@revolver> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: 8EDB5180014 X-Rspam-User: X-Stat-Signature: ro7ka8j9fjjieokiqk6j54xagqm4fugm X-HE-Tag: 1681133296-813269 X-HE-Meta: U2FsdGVkX18XjiVekkOU9lb7ZJ3YBf5Y/pHbVM9tix3i7t8P7KgzoL5EWDSiLnxkHpcd6hduawPnNMEuPnDBEwd+Bar4QnTIC71X/pjdYMIjowVTKUA+xFquk5FN29yWgD9Yqc0qgxPfBstcI/7I9aEpiB4alEo267YL2qYFgMraWAXvnVqcMs4QHeX9UUiOhW/wRijwCeGT7xlOzy69gzaXoAOPke8gnzivI6pHWZ0/rh65gMEwMRIPIJPc2hpHa2o+Q4hrPRV/ZfPXlKYPKKsWh9Vl/45y/+oqcnhr9EIn4uiYZhLBkXm15e5a8ExgBlUNi2sfuRD28THG1Y8KXsyF6Y3q136UNbIOpM2HHkEnEAoM4ujhqqloDeuH+YufTmMVjoPsAzAtUHnX2+nFsSudbv0aQc32JD43Pt93BRtMfAe//LAIfrF7B3BsfNH3v4mzGY4deTvJ4YrhgzdznoFEW6SQQTA98zZnFkDSplGxYxMGdxhTI2q6YO69AygrNZHt72tz+UAZ2HwiDD8WwYGg/W3dPgGpN4JGIkJ8dRmhe+Rqm2A+/z4O5ozk/WTSRhEq8eKTt4G2LQcEGY9/jcbcJJYaxKDeAummZqOjlsLE6ENfQgW0UMg9skRGAzzI1bkOKu908OtGTK017WVlV3t8DW7fGiF5WOdGZEgD77+QS1lPhzmIFWDSXaTnBh697Y+hyWCl27mS/agq4ZJu3xgOKQdCh6RUz+mDFWvhg2iW6NycByp3bSO/F7XkOgz+45i0G/4JtqB1afucp8FA0BUshNBKzt/q2LVM8SVJStwkntaw0hgoR1uttwdvug36cYBRolSp6QHMSz+h6nLII/r/8uUOEb4slg1xzUu2opydNFLCGgXE/PrSGj/MX3nwPw0lMeYDX1wHoEwA7ZPwQLL7LDWKiDv51oIiGEj5ib3lBJRa384lxJc/I/VD2/9QJZTBGOXsF4BN1tpXQmJ 3uTnchvv PYH4qsaCIZYTn1MT0WfR8Bx7EMpjlbfcJPQAzKGUfoX1lNHYUsOX3ic8TuIXh61587Gfgr1eHzoI1OFH8rbQ4ME2voppd8akQ0seN6g+GLkoECirblr9gOiKaz/q/Cn0KIv2wiXtAoxntIvI8imQ7nH46iTufK/nSpq+2Ztf60DIl+W6PcX1zOgIrVHEuT1JtDJM4Wx8qZxRkT7II4K6UM+ySpTGsz3KIsyTufqdz85RG+mALBMSVwy6G/62Mcp9Oa47DMdgcUx25/X/F2pMxqTA8yvbYcAJD5HzlVsmwHRzy6uYOL3gWt8Px4Svw7FjQJCDlaivGxkGc1xibKas0JtFgMm31n7G0uRKIRsQQGBw7ySFZDqQhHKjPVsAQlPRI5YN0jDDPT8Sougl+cviE+MDtMjoatnTdAes8iiToJ5ES7VrdjmuP2gBry08axHz4prbPREomPgmiJPHng7MvXGAWy26staIYiIiaWmmfnc5Q9t9dDsFSoV1KaPxvzs4vsxe56p6pPkSc9xFluFJPf77fCS/3nW4MQ8ASS8zFIZF+9sxsJPPA6dfRfjhdiEcuZd7zAWEYfURL5twKZHBbxmcGvBzCYKw+bKv48DiWLZ85sY3lXTqmNytkS/YNnZQWJuwq X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: 在 2023/4/10 21:12, Liam R. Howlett 写道: > * Peng Zhang [230410 08:58]: >> 在 2023/4/10 20:43, Liam R. Howlett 写道: >>> * Peng Zhang [230407 00:10]: >>>> In mas_alloc_nodes(), there is such a piece of code: >>>> while (requested) { >>>> ... >>>> node->node_count = 0; >>>> ... >>>> } >>> You don't need to quote code in your commit message since it is >>> available in the change log or in the file itself. >> Ok, I will change it in the next version. >>>> "node->node_count = 0" means to initialize the node_count field of the >>>> new node, but the node may not be a new node. It may be a node that >>>> existed before and node_count has a value, setting it to 0 will cause a >>>> memory leak. At this time, mas->alloc->total will be greater than the >>>> actual number of nodes in the linked list, which may cause many other >>>> errors. For example, out-of-bounds access in mas_pop_node(), and >>>> mas_pop_node() may return addresses that should not be used. >>>> Fix it by initializing node_count only for new nodes. >>>> >>>> Fixes: 54a611b60590 ("Maple Tree: add new data structure") >>>> Signed-off-by: Peng Zhang >>>> Cc: >>>> --- >>>> lib/maple_tree.c | 16 ++++------------ >>>> 1 file changed, 4 insertions(+), 12 deletions(-) >>>> >>>> diff --git a/lib/maple_tree.c b/lib/maple_tree.c >>>> index 65fd861b30e1..9e25b3215803 100644 >>>> --- a/lib/maple_tree.c >>>> +++ b/lib/maple_tree.c >>>> @@ -1249,26 +1249,18 @@ static inline void mas_alloc_nodes(struct ma_state *mas, gfp_t gfp) >>>> node = mas->alloc; >>>> node->request_count = 0; >>>> while (requested) { >>>> - max_req = MAPLE_ALLOC_SLOTS; >>>> - if (node->node_count) { >>>> - unsigned int offset = node->node_count; >>>> - >>>> - slots = (void **)&node->slot[offset]; >>>> - max_req -= offset; >>>> - } else { >>>> - slots = (void **)&node->slot; >>>> - } >>>> - >>>> + max_req = MAPLE_ALLOC_SLOTS - node->node_count; >>>> + slots = (void **)&node->slot[node->node_count]; >>> Thanks, this is much cleaner. >>> >>>> max_req = min(requested, max_req); >>>> count = mt_alloc_bulk(gfp, max_req, slots); >>>> if (!count) >>>> goto nomem_bulk; >>>> + if (node->node_count == 0) >>>> + node->slot[0]->node_count = 0; >>>> node->node_count += count; >>>> allocated += count; >>>> node = node->slot[0]; >>>> - node->node_count = 0; >>>> - node->request_count = 0; >>> Why are we not clearing request_count anymore? >> Because the node pointed to by the variable "node" >> must not be the head node of the linked list at >> this time, we only need to maintain the information >> of the head node. > Right, at this time it is not the head node, but could it become the > head node with invalid data? I think it can, because we don't > explicitly set it in mas_pop_node()? 1. Actually in mas_pop_node(), when a node becomes the head node,    we initialize its total field and request_count field. 2. The total field and request_count field of any non-head node,    even if we initialize it, cannot be considered a valid value.    Imagine if the request_count of the head node is changed, then    we don't actually change the request_count of the non-head nodes,    so it is an invalid value anyway. > > In any case, be sure to mention that you make a change like this in the > change log, like "Drop setting the resquest_count as it is unnecessary > because.." in a new paragraph, so that it is not missed. I thought it was a small change that wasn't written in the changelog. In the next version and any future patches, I will write down the details of any changes. Thanks. > > >>>> requested -= count; >>>> } >>>> mas->alloc->total = allocated; >>>> -- >>>> 2.20.1 >>>>