From: coverity-bot <keescook@chromium.org>
To: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Alexey Romanov <avromanov@sberdevices.ru>,
	linux-kernel@vger.kernel.org, Nick Terrell <terrelln@fb.com>,
	Minchan Kim <minchan@kernel.org>,
	Suleiman Souhlal <suleiman@google.com>,
	Nitin Gupta <ngupta@vflare.org>, Jens Axboe <axboe@kernel.dk>,
	Nhat Pham <nphamcs@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-block@vger.kernel.org,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	linux-next@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Coverity: zram_recompress(): OVERRUN
Date: Thu, 10 Nov 2022 08:47:12 -0800
Message-ID: <202211100847.388C61B3@keescook>

Hello!

This is an experimental semi-automated report about issues detected by
Coverity from a scan of next-20221110 as part of the linux-next scan project:
https://scan.coverity.com/projects/linux-next-weekly-scan

You're getting this email because you were associated with the identified
lines of code (noted below) that were touched by commits:

  Wed Nov 9 20:33:48 2022 -0800
    03e6c729aa64 ("zram: introduce recompress sysfs knob")

Coverity reported the following:

*** CID 1527270:    (OVERRUN)
drivers/block/zram/zram_drv.c:1727 in zram_recompress()
1721     		zstrm = zcomp_stream_get(zram->comps[prio]);
1722     		src = kmap_atomic(page);
1723     		ret = zcomp_compress(zstrm, src, &comp_len_new);
1724     		kunmap_atomic(src);
1725
1726     		if (ret) {
vvv     CID 1527270:    (OVERRUN)
vvv     Overrunning array "zram->comps" of 4 8-byte elements at element index 4 (byte offset 39) using index "prio" (which evaluates to 4).
1727     			zcomp_stream_put(zram->comps[prio]);
1728     			return ret;
1729     		}
1730
1731     		class_index_new = zs_lookup_class_index(zram->mem_pool,
1732     							comp_len_new);
drivers/block/zram/zram_drv.c:1786 in zram_recompress()
1780     	handle_new = zs_malloc(zram->mem_pool, comp_len_new,
1781     			       __GFP_KSWAPD_RECLAIM |
1782     			       __GFP_NOWARN |
1783     			       __GFP_HIGHMEM |
1784     			       __GFP_MOVABLE);
1785     	if (IS_ERR_VALUE(handle_new)) {
vvv     CID 1527270:    (OVERRUN)
vvv     Overrunning array "zram->comps" of 4 8-byte elements at element index 4 (byte offset 39) using index "prio" (which evaluates to 4).
1786     		zcomp_stream_put(zram->comps[prio]);
1787     		return PTR_ERR((void *)handle_new);
1788     	}
1789
1790     	dst = zs_map_object(zram->mem_pool, handle_new, ZS_MM_WO);
1791     	memcpy(dst, zstrm->buffer, comp_len_new);
drivers/block/zram/zram_drv.c:1737 in zram_recompress()
1731     		class_index_new = zs_lookup_class_index(zram->mem_pool,
1732     							comp_len_new);
1733
1734     		/* Continue until we make progress */
1735     		if (class_index_new >= class_index_old ||
1736     		    (threshold && comp_len_new >= threshold)) {
vvv     CID 1527270:    (OVERRUN)
vvv     Overrunning array "zram->comps" of 4 8-byte elements at element index 4 (byte offset 39) using index "prio" (which evaluates to 4).
1737     			zcomp_stream_put(zram->comps[prio]);
1738     			continue;
1739     		}
1740
1741     		/* Recompression was successful so break out */
1742     		break;
drivers/block/zram/zram_drv.c:1721 in zram_recompress()
1715     		 * priority algorithm (or same algorithm).
1716     		 */
1717     		if (prio <= zram_get_priority(zram, index))
1718     			continue;
1719
1720     		num_recomps++;
vvv     CID 1527270:    (OVERRUN)
vvv     Overrunning array "zram->comps" of 4 8-byte elements at element index 4 (byte offset 39) using index "prio" (which evaluates to 4).
1721     		zstrm = zcomp_stream_get(zram->comps[prio]);
1722     		src = kmap_atomic(page);
1723     		ret = zcomp_compress(zstrm, src, &comp_len_new);
1724     		kunmap_atomic(src);
1725
1726     		if (ret) {
drivers/block/zram/zram_drv.c:1710 in zram_recompress()
1704     	class_index_old = zs_lookup_class_index(zram->mem_pool, comp_len_old);
1705     	/*
1706     	 * Iterate the secondary comp algorithms list (in order of priority)
1707     	 * and try to recompress the page.
1708     	 */
1709     	for (; prio < prio_max; prio++) {
vvv     CID 1527270:    (OVERRUN)
vvv     Overrunning array "zram->comps" of 4 8-byte elements at element index 4 (byte offset 39) using index "prio" (which evaluates to 4).
1710     		if (!zram->comps[prio])
1711     			continue;
1712
1713     		/*
1714     		 * Skip if the object is already re-compressed with a higher
1715     		 * priority algorithm (or same algorithm).

If this is a false positive, please let us know so we can mark it as
such, or teach the Coverity rules to be smarter. If not, please make
sure fixes get into linux-next. :) For patches fixing this, please
include these lines (but double-check the "Fixes" first):

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1527270 ("OVERRUN")
Fixes: 03e6c729aa64 ("zram: introduce recompress sysfs knob")

Thanks for your attention!

-- 
Coverity-bot
