From patchwork Fri Jun 25 01:40:04 2021
X-Patchwork-Submitter: Andrew Morton
X-Patchwork-Id: 12343479
Date: Thu, 24 Jun 2021 18:40:04 -0700
From: Andrew Morton
To: akpm@linux-foundation.org, linux-mm@kvack.org, linux@rasmusvillemoes.dk, mgorman@techsingularity.net, mm-commits@vger.kernel.org, torvalds@linux-foundation.org
Subject: [patch 21/24] mm/page_alloc: __alloc_pages_bulk(): do bounds check before accessing array
Message-ID: <20210625014004.eP5GNGyvo%akpm@linux-foundation.org>
In-Reply-To: <20210624183838.ac3161ca4a43989665ac8b2f@linux-foundation.org>
From: Rasmus Villemoes Subject: mm/page_alloc: __alloc_pages_bulk(): do bounds check before accessing array In the event that somebody would call this with an already fully populated page_array, the last loop iteration would do an access beyond the end of page_array. It's of course extremely unlikely that would ever be done, but this triggers my internal static analyzer. Also, if it really is not supposed to be invoked this way (i.e., with no NULL entries in page_array), the nr_populated Acked-by: Mel Gorman Reviewed-by: Andrew Morton Signed-off-by: Andrew Morton --- mm/page_alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/page_alloc.c~mm-page_alloc-__alloc_pages_bulk-do-bounds-check-before-accessing-array +++ a/mm/page_alloc.c @@ -5053,7 +5053,7 @@ unsigned long __alloc_pages_bulk(gfp_t g * Skip populated array elements to determine if any pages need * to be allocated before disabling IRQs. */ - while (page_array && page_array[nr_populated] && nr_populated < nr_pages) + while (page_array && nr_populated < nr_pages && page_array[nr_populated]) nr_populated++; /* Use the single page allocator for one page. */
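Review bot: The reordered `while` condition leaves the loop with nr_populated == nr_pages when every slot of page_array is already populated, and the hunk's trailing context then continues into the "Use the single page allocator for one page" path. The lines that handle that case are not visible in this hunk, so please confirm the function returns before attempting any allocation when nr_populated == nr_pages, and mention the fully populated case in the comment above the loop. The `page_array &&` test is also loop-invariant and could be hoisted into an enclosing `if`, leaving `nr_populated < nr_pages && page_array[nr_populated]` as the loop condition. Separately, the changelog's last sentence stops at "the nr_populated", so the alternative it was about to describe is not recorded.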