From: Andrew Morton <akpm@linux-foundation.org>
To: mm-commits@vger.kernel.org,roman.gushchin@linux.dev,qi.zheng@linux.dev,muchun.song@linux.dev,david@fromorbit.com,devnexen@gmail.com,akpm@linux-foundation.org
Subject: [merged mm-stable] mm-shrinker-avoid-out-of-bounds-read-in-set_shrinker_bit.patch removed from -mm tree
Date: Tue, 02 Jun 2026 15:23:52 -0700 [thread overview]
Message-ID: <20260602222352.DB31B1F00899@smtp.kernel.org> (raw)
The quilt patch titled
Subject: mm/shrinker: avoid out-of-bounds read in set_shrinker_bit()
has been removed from the -mm tree. Its filename was
mm-shrinker-avoid-out-of-bounds-read-in-set_shrinker_bit.patch
This patch was dropped because it was merged into the mm-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: David Carlier <devnexen@gmail.com>
Subject: mm/shrinker: avoid out-of-bounds read in set_shrinker_bit()
Date: Sun, 10 May 2026 19:37:00 +0100
set_shrinker_bit() reads info->unit[shrinker_id_to_index(shrinker_id)]
before checking shrinker_id against info->map_nr_max, so an id past the
currently visible map_nr_max reads past the unit[] array before the
WARN_ON_ONCE() catches it.
Determined from code inspection.
Move the load into the bounded branch.
Link: https://lore.kernel.org/20260510183700.102475-1-devnexen@gmail.com
Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}")
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Qi Zheng <qi.zheng@linux.dev>
Acked-by: Muchun Song <muchun.song@linux.dev>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
mm/shrinker.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/mm/shrinker.c~mm-shrinker-avoid-out-of-bounds-read-in-set_shrinker_bit
+++ a/mm/shrinker.c
@@ -197,12 +197,13 @@ void set_shrinker_bit(struct mem_cgroup
{
if (shrinker_id >= 0 && memcg && !mem_cgroup_is_root(memcg)) {
struct shrinker_info *info;
- struct shrinker_info_unit *unit;
rcu_read_lock();
info = rcu_dereference(memcg->nodeinfo[nid]->shrinker_info);
- unit = info->unit[shrinker_id_to_index(shrinker_id)];
if (!WARN_ON_ONCE(shrinker_id >= info->map_nr_max)) {
+ struct shrinker_info_unit *unit;
+
+ unit = info->unit[shrinker_id_to_index(shrinker_id)];
/* Pairs with smp mb in shrink_slab() */
smp_mb__before_atomic();
set_bit(shrinker_id_to_offset(shrinker_id), unit->map);
_
Patches currently in -mm which might be from devnexen@gmail.com are
mm-swap-pm-hibernate-atomically-replace-hibernation-pin.patch
reply other threads:[~2026-06-02 22:23 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260602222352.DB31B1F00899@smtp.kernel.org \
--to=akpm@linux-foundation.org \
--cc=david@fromorbit.com \
--cc=devnexen@gmail.com \
--cc=mm-commits@vger.kernel.org \
--cc=muchun.song@linux.dev \
--cc=qi.zheng@linux.dev \
--cc=roman.gushchin@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.