Message-ID: <74337ebd-0222-2e78-9149-8fa40b0c815e@clicknet.pro>
Date: Fri, 18 Nov 2022 16:05:36 +0300
Subject: Re: Coverity: zblock_alloc(): Memory - illegal accesses
From: Ananda Badmaev
To: coverity-bot
Cc: Jonathan Corbet, linux-kernel@vger.kernel.org, Minchan Kim, Andrew Morton, Sergey Senozhatsky, linux-mm@kvack.org, linux-doc@vger.kernel.org, Vitaly Wool, "Gustavo A. R. Silva", linux-next@vger.kernel.org, linux-hardening@vger.kernel.org
In-Reply-To: <202211171419.FCDC8EE@keescook>
References: <202211171419.FCDC8EE@keescook>
X-Mailing-List: linux-next@vger.kernel.org

18.11.2022 01:20, coverity-bot wrote:
> Coverity reported the following:
>
> *** CID 1527352: Memory - illegal accesses (OVERRUN)
> mm/zblock.c:320 in zblock_alloc()
> 314         }
> 315         list = &(pool->block_lists[block_type]);
> 316
> 317 check:
> 318         spin_lock(&list->lock);
> 319         /* check if there are free slots in cache */
> vvv CID 1527352: Memory - illegal accesses (OVERRUN)
> vvv Overrunning array of 10208 bytes at byte offset 10208 by dereferencing pointer "list".
> 320         block = cache_find_block(list);
> 321         if (block)
> 322                 goto found;
> 323         spin_unlock(&list->lock);
> 324
> 325         /* not found block with free slots try to allocate new empty block */
>
> If this is a false positive, please let us know so we can mark it as
> such, or teach the Coverity rules to be smarter. If not, please make
> sure fixes get into linux-next. :) For patches fixing this, please
> include these lines (but double-check the "Fixes" first):
>
> Reported-by: coverity-bot
> Addresses-Coverity-ID: 1527352 ("Memory - illegal accesses")
> Fixes: 9097e28c25c8 ("mm: add zblock - new allocator for use via zpool API")
>
> It looks like block_type is not checked to be < ARRAY_SIZE(block_desc)
> after exiting the earlier loop, so the access through "list" may be past
> the end of pool->block_lists.
There is no need for this check because it is guaranteed that this code will be executed only if size <= PAGE_SIZE. Since slot_size for the last list even exceeds PAGE_SIZE, block_type will always be valid.
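As an added illustration (editor's example, not code from this thread, from the zblock patch, or from Coverity), the C below models the size-class lookup the report and the reply are arguing about. The `block_desc` table, its slot sizes, the `PAGE_SIZE` value, and the functions `pick_block_type` and `all_sizes_in_bounds` are all hypothetical. It shows the invariant the reply relies on (the last entry's `slot_size` exceeds `PAGE_SIZE`, so the first-fit loop always stops inside the array for any `size <= PAGE_SIZE`), checks that invariant at compile time, and adds the explicit bound a static analyzer can see, so a later edit to the table cannot silently turn the argument into an out-of-bounds index.

```c
/* Added example: simplified model of a first-fit size-class lookup.
 * Not the zblock code; table contents and names are constructed. */
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

#define PAGE_SIZE 4096u
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical descriptor table: slot sizes ascending. The LAST entry is
 * deliberately larger than PAGE_SIZE; that is the invariant the reply cites. */
#define LAST_SLOT_SIZE (PAGE_SIZE + 256u)

struct block_desc {
    unsigned int slot_size;
};

static const struct block_desc block_desc[] = {
    { 64 }, { 128 }, { 256 }, { 512 }, { 1024 }, { 2048 }, { LAST_SLOT_SIZE },
};

/* Make the invariant a build-time fact instead of folklore: if someone
 * shrinks the last slot size, the argument "size <= PAGE_SIZE implies a
 * valid block_type" stops being true, and this refuses to compile. */
_Static_assert(LAST_SLOT_SIZE > PAGE_SIZE,
               "last size class must exceed PAGE_SIZE for the lookup to be in bounds");

/* Returns the index of the first size class that fits `size`, or -1 when
 * the request is empty or larger than PAGE_SIZE (the caller-side guard). */
static int pick_block_type(size_t size)
{
    size_t block_type;

    if (size == 0 || size > PAGE_SIZE)
        return -1;

    for (block_type = 0; block_type < ARRAY_SIZE(block_desc); block_type++)
        if (block_desc[block_type].slot_size >= size)
            break;

    /* Because the last slot_size > PAGE_SIZE >= size, the loop always breaks
     * before running off the end. Spelling the bound out costs one compare and
     * turns an implicit invariant into something an analyzer (and the next
     * reader) can verify locally rather than by reasoning about callers. */
    if (block_type >= ARRAY_SIZE(block_desc))
        return -1;

    return (int)block_type;
}

/* Exhaustively confirms, for every size the guard admits, that the chosen
 * index is inside the table and the chosen class actually fits the request. */
static bool all_sizes_in_bounds(void)
{
    for (size_t size = 1; size <= PAGE_SIZE; size++) {
        int t = pick_block_type(size);

        if (t < 0 || (size_t)t >= ARRAY_SIZE(block_desc))
            return false;
        if (block_desc[t].slot_size < size)
            return false;
    }
    return true;
}

int main(void)
{
    int t = pick_block_type(100);

    printf("size 100 -> type %d (slot %u)\n", t, block_desc[t].slot_size);
    printf("size %u -> type %d\n", PAGE_SIZE, pick_block_type(PAGE_SIZE));
    printf("size %u -> type %d (rejected by guard)\n", PAGE_SIZE + 1,
           pick_block_type(PAGE_SIZE + 1));
    printf("invariant holds for all admitted sizes: %s\n",
           all_sizes_in_bounds() ? "yes" : "no");
    return 0;
}
```

The point for review is the pairing: the `size <= PAGE_SIZE` guard plus the oversized last class is what keeps `block_type` valid, and the compile-time assertion ties those two facts together so a table edit cannot separate them. The explicit post-loop bound is redundant while the invariant holds, which is exactly why it is cheap to keep and why it satisfies an analyzer that only sees this function.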