lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20230417130850.1784777-1-senozhatsky@chromium.org>
Date:   Mon, 17 Apr 2023 22:08:50 +0900
From:   Sergey Senozhatsky <senozhatsky@...omium.org>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     Yu Zhao <yuzhao@...gle.com>, Minchan Kim <minchan@...nel.org>,
        Yosry Ahmed <yosryahmed@...gle.com>,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        Sergey Senozhatsky <senozhatsky@...omium.org>
Subject: [PATCH] zsmalloc: reset compaction source zspage pointer after putback_zspage()

The current implementation of the compaction loop fails to set
the source zspage pointer to NULL in all cases, leading to a
potential issue where __zs_compact() could use a stale zspage
pointer. This pointer could even point to a previously freed
zspage, causing unexpected behavior in the putback_zspage()
and migrate_write_unlock() functions after returning from the
compaction loop.

Address the issue by ensuring that the source zspage pointer is
always set to NULL when it should be.

Fixes: 5a845e9f2d66 ("zsmalloc: rework compaction algorithm")
Signed-off-by: Sergey Senozhatsky <senozhatsky@...omium.org>
Reported-by: Yu Zhao <yuzhao@...gle.com>
Tested-by: Yu Zhao <yuzhao@...gle.com>
Reviewed-by: Yosry Ahmed <yosryahmed@...gle.com>
---
 mm/zsmalloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index aea50e2aa350..cc81dfba05a0 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -2239,8 +2239,8 @@ static unsigned long __zs_compact(struct zs_pool *pool,
 		if (fg == ZS_INUSE_RATIO_0) {
 			free_zspage(pool, class, src_zspage);
 			pages_freed += class->pages_per_zspage;
-			src_zspage = NULL;
 		}
+		src_zspage = NULL;
 
 		if (get_fullness_group(class, dst_zspage) == ZS_INUSE_RATIO_100
 		    || spin_is_contended(&pool->lock)) {
-- 
2.40.0.634.g4ca3ef3211-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ