From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 41D2D3002A0 for ; Sun, 10 May 2026 18:37:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.41 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778438229; cv=none; b=Zk167ssUvSIkakVTV5iihN5Wr2MVbIWJHDUp2EiLXpHLgs0j+T4U1Jae/B8jpxpefFMGfvAvAR85QNTdbLXLyV0wcbVt4TUbiw8Xzr3D4PRObNySPOmvrs9e+NZ7rbv4AFSG/ChvsCALA84+7dxnnWmC7sQeHP/IBd6INnI0Gv8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778438229; c=relaxed/simple; bh=wVLaoPS4R9Qg0OCrlXw9LP7Go2syiegf5+5tshXzz6k=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=p1ZmT1tPlF8YHNLkcUPjK4HOKWlh/yVF+rdzOvqNCXYv7Ir1Gff1MNksM/943wynwuBQs1NtKqyU8bVeRdIpgVGTf1E7B8JAM8jGlLwd12CZODTy1mNuVZk/sN3obBHi4kfdOETM+mmfd7ZtsDPSuXH+sRdNkWyTU93iZrxqjVE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=oGj7GKbn; arc=none smtp.client-ip=209.85.128.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="oGj7GKbn" Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-48d102471a4so35187435e9.2 for ; Sun, 10 May 2026 11:37:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778438227; x=1779043027; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=xnzymcOPEl+yMW64Cbp/7wdlyZ5NynKvSomh5XJYSbU=; b=oGj7GKbndAemKjn1qGIHapCg4erW6oWe2aVrBYffwD/RQ/F/XS+QePHMafN0iVapgq CWTVc/kxcdHCTGw6u/I+rMHpD+iOzyWCrVdb4WWsvX/Qp7YL6iT4dkl5YKr3Fz1eafWF vSDgqYES+py3wjB3QQ5nTqy9dIKLF+l+g6P0ZuM22dxl65P+l9Qf7tgVzohCXWmQ0bBb qHe4AGKkH+vzj01s85YEM17lxM0m9wYftwwQAseGd1HfkGtk/U0W8jnFfMoPBpr0aDGY QaNiwTr8w86lg79WsmdL/SKVj0LK+XDwFzR/ulRiexlupi8FqZt0nhQt+QeG1Yi46cAz 2eKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778438227; x=1779043027; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=xnzymcOPEl+yMW64Cbp/7wdlyZ5NynKvSomh5XJYSbU=; b=chYYbXbv7Yz0OjCIKsrJVUPdhVkzAQpmC84bYRaiNYZfq/4Ieo2sERtbrmP9y/DF5Q i5C0EN7pO8pG3f1KlqsS/P0NyGzfwEMIhgAT/0m3+FVvXO38+gmbQ3mpQ5Ue+nYE0WoT jh3nAV+4d7Bf2+DEzEYSUz3HBPlBkl09V4vDTV18iNUM1QwoDTiQgwsm6Tw4ulShWt1y n1nZb6WJRHXva7QlsIbz+gAfiu/jEG6gjpzjqPTrDhp4vVu4nk8HQ/X9n5HEinXMHQ3t iv65tlgk1XOUvkBHSX1Y/My5u0m+OhPIs/nntQxUPocuKVtM4Be9TYSgO2bL+XwLDdlf Wr8Q== X-Forwarded-Encrypted: i=1; AFNElJ9+tgV4Lsgb+xcY8bDwiBTCEiiFo8mnX/g0i+tg2v3iwKXbGL/YleH9NyrgFsEb/ap2aSd4jTWD7HHZDUU=@vger.kernel.org X-Gm-Message-State: AOJu0Yz7QAJO80SNixkB3gdFKZTdGmgo0cw5cQm5CDCUXf8rXCJPJ4Um 4Gm0SaGftiG2akULGlsxxz8o4Na6oT7E+onhv7SmmQhiXqa7y7TwqJDdkEeBh/gjYRw= X-Gm-Gg: Acq92OGOA8T01CTzEvsiz5xnfnaAdkwqdRcBY1u3iOr/odwVMzLnbJfo9mhI1mdTTjF TjFJmcNMxyAPXaCnBcysbeeb2NMOAl7LCOlLKc3ENA14EJYJ28u1Zt6MTryeH9lSCxW+fDrkc1i vSkoiWQcBRWmatAVn8CLtLeGR4EVJp8UF/zNyWjLR5qViKdYFWx0NA3/x3Jlpoz4rSr3RJuSqAH 731j9Pqss2GAeczbM5IZ91uGQ3Q2PnZrIlhOsCt8+WYfF6lQtAu+1QM5nix/4SIAzV1aQ0BwLSV WYhvh5UCugV2vF3O0f1Pm7FWyFfbmW0cexKWFBbKLhhZ5lIiwrsf7NtLiir6Up5oaU7Z/Tvig+p N3786afqN1Q3iZpncFNtVrbxuOuAjfgzmvDyu65EGOq8EH04HZSvuwJ6XvCgm6THyFkSqb0nCMl 3kE0pCDF8paVGDLnj/4IAaUFnQmBoM2LxQxRTBV4UYtxmkptRlXmsYcs0f5TnhE9ZNfq/xbAr2W YV5iLjiN0Q= X-Received: by 2002:a05:600c:8b62:b0:47e:e2eb:bc22 with SMTP id 5b1f17b1804b1-48e6748afe8mr168307845e9.5.1778438226440; Sun, 10 May 2026 11:37:06 -0700 (PDT) Received: from dohko.chello.ie (188-141-5-72.dynamic.upc.ie. [188.141.5.72]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48e701e957asm132611975e9.6.2026.05.10.11.37.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 10 May 2026 11:37:05 -0700 (PDT) From: David Carlier To: Andrew Morton , Dave Chinner , Qi Zheng , Roman Gushchin , Muchun Song , linux-mm@kvack.org, linux-kernel@vger.kernel.org Cc: David Carlier Subject: [PATCH] mm/shrinker: avoid out-of-bounds read in set_shrinker_bit() Date: Sun, 10 May 2026 19:37:00 +0100 Message-ID: <20260510183700.102475-1-devnexen@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit set_shrinker_bit() reads info->unit[shrinker_id_to_index(shrinker_id)] before checking shrinker_id against info->map_nr_max, so an id past the currently visible map_nr_max reads past the unit[] array before the WARN_ON_ONCE() catches it. Move the load into the bounded branch. Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}") Signed-off-by: David Carlier --- mm/shrinker.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/mm/shrinker.c b/mm/shrinker.c index 76b3f750cf65..49256f81199f 100644 --- a/mm/shrinker.c +++ b/mm/shrinker.c @@ -197,12 +197,13 @@ void set_shrinker_bit(struct mem_cgroup *memcg, int nid, int shrinker_id) { if (shrinker_id >= 0 && memcg && !mem_cgroup_is_root(memcg)) { struct shrinker_info *info; - struct shrinker_info_unit *unit; rcu_read_lock(); info = rcu_dereference(memcg->nodeinfo[nid]->shrinker_info); - unit = info->unit[shrinker_id_to_index(shrinker_id)]; if (!WARN_ON_ONCE(shrinker_id >= info->map_nr_max)) { + struct shrinker_info_unit *unit; + + unit = info->unit[shrinker_id_to_index(shrinker_id)]; /* Pairs with smp mb in shrink_slab() */ smp_mb__before_atomic(); set_bit(shrinker_id_to_offset(shrinker_id), unit->map); -- 2.53.0