From: Dan Carpenter <dan.carpenter@oracle.com>
To: yuzhao@google.com
Cc: linux-mm@kvack.org
Subject: [bug report] mm: multi-gen LRU: debugfs interface
Date: Mon, 22 Aug 2022 14:21:55 +0300 [thread overview]
Message-ID: <YwNm06F4v7XF8zX5@kili> (raw)
Hello Yu Zhao,
The patch e02f70ddcaca: "mm: multi-gen LRU: debugfs interface" from
Aug 15, 2022, leads to the following Smatch static checker warning:
mm/vmscan.c:5706 lru_gen_seq_write()
warn: uncapped user index 'cur[end]'
mm/vmscan.c
5654 static ssize_t lru_gen_seq_write(struct file *file, const char __user *src,
5655 size_t len, loff_t *pos)
5656 {
5657 void *buf;
5658 char *cur, *next;
5659 unsigned int flags;
5660 struct blk_plug plug;
5661 int err = -EINVAL;
5662 struct scan_control sc = {
5663 .may_writepage = true,
5664 .may_unmap = true,
5665 .may_swap = true,
5666 .reclaim_idx = MAX_NR_ZONES - 1,
5667 .gfp_mask = GFP_KERNEL,
5668 };
5669
5670 buf = kvmalloc(len + 1, GFP_KERNEL);
5671 if (!buf)
5672 return -ENOMEM;
5673
5674 if (copy_from_user(buf, src, len)) {
5675 kvfree(buf);
5676 return -EFAULT;
5677 }
5678
5679 set_task_reclaim_state(current, &sc.reclaim_state);
5680 flags = memalloc_noreclaim_save();
5681 blk_start_plug(&plug);
5682 if (!set_mm_walk(NULL)) {
5683 err = -ENOMEM;
5684 goto done;
5685 }
5686
5687 next = buf;
5688 next[len] = '\0';
5689
5690 while ((cur = strsep(&next, ",;\n"))) {
5691 int n;
5692 int end;
5693 char cmd;
5694 unsigned int memcg_id;
5695 unsigned int nid;
5696 unsigned long seq;
5697 unsigned int swappiness = -1;
5698 unsigned long opt = -1;
5699
5700 cur = skip_spaces(cur);
5701 if (!*cur)
5702 continue;
5703
5704 n = sscanf(cur, "%c %u %u %lu %n %u %n %lu %n", &cmd, &memcg_id, &nid,
5705 &seq, &end, &swappiness, &end, &opt, &end);
--> 5706 if (n < 4 || cur[end]) {
^^^^^^^^
The static checker is correct that "end" comes from the user and it
can be any unsigned int. This is debugfs code so there is no security
impact.
5707 err = -EINVAL;
5708 break;
5709 }
5710
5711 err = run_cmd(cmd, memcg_id, nid, seq, &sc, swappiness, opt);
5712 if (err)
5713 break;
5714 }
5715 done:
5716 clear_mm_walk();
5717 blk_finish_plug(&plug);
5718 memalloc_noreclaim_restore(flags);
5719 set_task_reclaim_state(current, NULL);
5720
5721 kvfree(buf);
5722
5723 return err ? : len;
5724 }
regards,
dan carpenter
next reply other threads:[~2022-08-22 11:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-22 11:21 Dan Carpenter [this message]
2022-08-22 16:49 ` [bug report] mm: multi-gen LRU: debugfs interface Yu Zhao
2022-08-23 6:39 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YwNm06F4v7XF8zX5@kili \
--to=dan.carpenter@oracle.com \
--cc=linux-mm@kvack.org \
--cc=yuzhao@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.