Subject: Re: [PATCH] lib/stackdepot: fix global out-of-bounds in stack_slabs
From: Tetsuo Handa
To: glider@google.com
Cc: walter-zh.wu@mediatek.com, dvyukov@google.com, gregkh@linuxfoundation.org, akpm@linux-foundation.org, matthias.bgg@gmail.com, tglx@linutronix.de, jpoimboe@redhat.com, kstewart@linuxfoundation.org, linux-mm@kvack.org
Date: Mon, 3 Feb 2020 20:02:26 +0900
In-Reply-To: <20200203102953.17349-1-glider@google.com>

On 2020/02/03 19:29, glider@google.com wrote: > --- a/lib/stackdepot.c > +++ b/lib/stackdepot.c 
> @@ -84,7 +84,9 @@ static bool init_stack_slab(void **prealloc) > if (stack_slabs[depot_index] == NULL) { > stack_slabs[depot_index] = *prealloc; > } else { > - stack_slabs[depot_index + 1] = *prealloc; > + /* If this is the last depot slab, do not touch the next one. */ > + if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) > + stack_slabs[depot_index + 1] = *prealloc; What prevents a memory leak (caused by "*prealloc = NULL;") when we hit the depot_index + 1 >= STACK_ALLOC_MAX_SLABS condition? > /* > * This smp_store_release pairs with smp_load_acquire() from > * |next_slab_inited| above and in stack_depot_save(). >
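Review bot: the `*prealloc = NULL;` that follows this hunk (the line the question above refers to) still runs unconditionally after the new `if (depot_index + 1 < STACK_ALLOC_MAX_SLABS)` guard, so when the guard is false the preallocated slab is neither stored in stack_slabs[] nor left in *prealloc for the caller, which is the leak being asked about. Consider clearing the pointer only in the branches that actually consume it, e.g. `if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) { stack_slabs[depot_index + 1] = *prealloc; *prealloc = NULL; }` (and likewise in the `stack_slabs[depot_index] == NULL` branch), so that a caller still seeing a non-NULL *prealloc can release the page it allocated.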