| Message ID | 20210507064504.1712559-1-linux@rasmusvillemoes.dk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | mm/page_alloc: __alloc_pages_bulk(): do bounds check before accessing array | expand |
On Fri, May 07, 2021 at 08:45:03AM +0200, Rasmus Villemoes wrote: > In the event that somebody would call this with an already fully > populated page_array, the last loop iteration would do an access > beyond the end of page_array. > > It's of course extremely unlikely that would ever be done, but this > triggers my internal static analyzer. Also, if it really is not > supposed to be invoked this way (i.e., with no NULL entries in > page_array), the nr_populated<nr_pages check could simply be removed > instead. > > Fixes: 0f87d9d30f21 (mm/page_alloc: add an array-based interface to the bulk page allocator) > Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Acked-by: Mel Gorman <mgorman@techsingularity.net>
On 07/05/2021 12.26, Mel Gorman wrote: > On Fri, May 07, 2021 at 08:45:03AM +0200, Rasmus Villemoes wrote: >> In the event that somebody would call this with an already fully >> populated page_array, the last loop iteration would do an access >> beyond the end of page_array. >> >> It's of course extremely unlikely that would ever be done, but this >> triggers my internal static analyzer. Also, if it really is not >> supposed to be invoked this way (i.e., with no NULL entries in >> page_array), the nr_populated<nr_pages check could simply be removed >> instead. >> >> Fixes: 0f87d9d30f21 (mm/page_alloc: add an array-based interface to the bulk page allocator) >> Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> > > Acked-by: Mel Gorman <mgorman@techsingularity.net> > Andrew, will you get this to Linus before 5.13 is released? I got a mail on May 9 that it had been added to your queue, but I don't see it in master yet. Rasmus
On Mon, 21 Jun 2021 18:01:17 +0200 Rasmus Villemoes <linux@rasmusvillemoes.dk> wrote: > On 07/05/2021 12.26, Mel Gorman wrote: > > On Fri, May 07, 2021 at 08:45:03AM +0200, Rasmus Villemoes wrote: > >> In the event that somebody would call this with an already fully > >> populated page_array, the last loop iteration would do an access > >> beyond the end of page_array. > >> > >> It's of course extremely unlikely that would ever be done, but this > >> triggers my internal static analyzer. Also, if it really is not > >> supposed to be invoked this way (i.e., with no NULL entries in > >> page_array), the nr_populated<nr_pages check could simply be removed > >> instead. > >> > >> Fixes: 0f87d9d30f21 (mm/page_alloc: add an array-based interface to the bulk page allocator) > >> Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> > > > > Acked-by: Mel Gorman <mgorman@techsingularity.net> > > > > Andrew, will you get this to Linus before 5.13 is released? I got a mail > on May 9 that it had been added to your queue, but I don't see it in > master yet. I had it queued for 5.14-rc1. I'll move it into the 5.13 queue as it fixes a post-5.12 thing, but nothing in the changelog indicates that it's at all urgent? Was the changelog missing some important info? : In the event that somebody would call this with an already fully populated : page_array, the last loop iteration would do an access beyond the end of : page_array. : : It's of course extremely unlikely that would ever be done, but this : triggers my internal static analyzer. Also, if it really is not supposed : to be invoked this way (i.e., with no NULL entries in page_array), the : nr_populated<nr_pages check could simply be removed instead.
diff --git a/mm/page_alloc.c b/mm/page_alloc.c index bcdc0c6f21f1..66785946eb28 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -5053,7 +5053,7 @@ unsigned long __alloc_pages_bulk(gfp_t gfp, int preferred_nid, * Skip populated array elements to determine if any pages need * to be allocated before disabling IRQs. */ - while (page_array && page_array[nr_populated] && nr_populated < nr_pages) + while (page_array && nr_populated < nr_pages && page_array[nr_populated]) nr_populated++; /* Use the single page allocator for one page. */
In the event that somebody would call this with an already fully populated page_array, the last loop iteration would do an access beyond the end of page_array. It's of course extremely unlikely that would ever be done, but this triggers my internal static analyzer. Also, if it really is not supposed to be invoked this way (i.e., with no NULL entries in page_array), the nr_populated<nr_pages check could simply be removed instead. Fixes: 0f87d9d30f21 (mm/page_alloc: add an array-based interface to the bulk page allocator) Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> --- mm/page_alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)