From patchwork Sun Mar 2 18:01:04 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Lilith Gkini
X-Patchwork-Id: 13997980
From: Lilith Persefoni Gkini
Date: Sun, 2 Mar 2025 20:01:04 +0200
To: Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Vlastimil Babka, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, harry.yoo@oracle.com
Subject: [PATCH] slub: Fix Off-By-One in the While condition in on_freelist()

The on_freelist() uses a while loop to walk through the linked list
freelist of a particular slab until it finds the `search` pattern and
breaks if there is a freepointer in the list that is NULL, or invalid
(fails the check_valid_pointer() check), or the number of objects (nr)
in the freelist is more than `slab->objects + 1`.

No valid freelist should have more than slab->objects non-NULL pointers,
therefore the while conditional should check until slab->objects amount
of times, not more.

If the `search` pattern is not found in the freelist then the function
should return `fp == search` where fp is the last freepointer from the
while loop.

If the caller of the function was searching for NULL and the freelist is
valid it should return True (1), otherwise False (0).

Signed-off-by: Lilith Persefoni Gkini
--- mm/slub.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/slub.c b/mm/slub.c index 1f50129dcfb3..0d3dd429b095 100644 --- a/mm/slub.c +++ b/mm/slub.c 
@@ -1435,7 +1435,7 @@ static int on_freelist(struct kmem_cache *s, struct slab *slab, void *search) int max_objects; fp = slab->freelist; - while (fp && nr <= slab->objects) { + while (fp && nr < slab->objects) { if (fp == search) return 1; if (!check_valid_pointer(s, slab, fp)) { @@ -1473,7 +1473,7 @@ static int on_freelist(struct kmem_cache *s, struct slab *slab, void *search) slab->inuse = slab->objects - nr; slab_fix(s, "Object count adjusted"); } - return search == NULL; + return fp == search; } static void trace(struct kmem_cache *s, struct slab *slab, void *object,
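
Review bot: In the first hunk (the `while (fp && nr < slab->objects)` condition), the case where the loop stops on the count bound with fp still non-NULL is not reported or repaired anywhere in the visible lines. A freelist that is too long or cyclic leaves the loop with nr == slab->objects, which looks like a full-length valid list to the `slab->objects - nr` accounting further down, and the pointer that was left in fp is never passed to check_valid_pointer(). Please add an explicit check after the loop for a non-NULL fp that raises an error and terminates the chain, and put a short comment on the loop bound stating that a valid freelist holds at most slab->objects entries, so the reason for `<` rather than `<=` is recorded next to the code.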
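
Review bot: In the second hunk, `return fp == search;` makes the result depend on whatever the loop left in fp, and for a non-NULL search that can turn a corrupt list into a positive answer. A match inside the bound has already returned through `if (fp == search) return 1;`, so the only way to reach this line with fp equal to a non-NULL search is that the loop stopped at that pointer, either on the count bound or on a failed check_valid_pointer(). Neither should count as "on the freelist". Consider limiting the success case to the NULL search, for example `return search == NULL && fp == NULL;`, or handle the leftover fp before this line, and add a comment saying what fp holds here. The commit message describes the result as True/False while the function returns int and uses `return 1` in the loop, so a bool return type would match the stated intent.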