From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <874e88a3-414c-4e9f-8bbb-5184fb8516e8@linux.dev>
Date: Mon, 11 May 2026 10:45:12 +0800
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/shrinker: avoid out-of-bounds read in set_shrinker_bit()
To: David Carlier, Andrew Morton, Dave Chinner, Roman Gushchin, Muchun Song, linux-mm@kvack.org, linux-kernel@vger.kernel.org
References: <20260510183700.102475-1-devnexen@gmail.com>
From: Qi Zheng
In-Reply-To: <20260510183700.102475-1-devnexen@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hi David,

On 5/11/26 2:37 AM, David Carlier wrote:
> set_shrinker_bit() reads info->unit[shrinker_id_to_index(shrinker_id)]
> before checking shrinker_id against info->map_nr_max, so an id past the
> currently visible map_nr_max reads past the unit[] array before the
> WARN_ON_ONCE() catches it.

Did you run into this problem in practice, or just find it via code
inspection? It's virtually impossible to happen, which is why
WARN_ON_ONCE() was added to catch it.

>
> Move the load into the bounded branch.
>
> Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}")
> Signed-off-by: David Carlier
> ---
> mm/shrinker.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)

Anyway, it LGTM, so:

Reviewed-by: Qi Zheng

Thanks,
Qi

>
> diff --git a/mm/shrinker.c b/mm/shrinker.c
> index 76b3f750cf65..49256f81199f 100644
> --- a/mm/shrinker.c
> +++ b/mm/shrinker.c
> @@ -197,12 +197,13 @@ void set_shrinker_bit(struct mem_cgroup *memcg, int nid, int shrinker_id) > { > if (shrinker_id >= 0 && memcg && !mem_cgroup_is_root(memcg)) { > struct shrinker_info *info; > - struct shrinker_info_unit *unit; > > rcu_read_lock(); > info = rcu_dereference(memcg->nodeinfo[nid]->shrinker_info); > - unit = info->unit[shrinker_id_to_index(shrinker_id)]; > if (!WARN_ON_ONCE(shrinker_id >= info->map_nr_max)) { > + struct shrinker_info_unit *unit; > + > + unit = info->unit[shrinker_id_to_index(shrinker_id)]; > /* Pairs with smp mb in shrink_slab() */ > smp_mb__before_atomic(); > set_bit(shrinker_id_to_offset(shrinker_id), unit->map);
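Review bot: the reordering is right, but the safety argument rests on an invariant the hunk cannot show and the commit message does not state: the check is `shrinker_id >= info->map_nr_max` while the load indexes by `shrinker_id_to_index(shrinker_id)`, so the moved load is in bounds only if unit[] covers every id below map_nr_max. One sentence in the commit message saying that unit[] is sized from map_nr_max would let a reviewer confirm the fix from the patch alone. Moving the `unit` declaration into the bounded branch (with the blank line after it) matches kernel style; nothing to change in the hunk itself.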
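As an added illustration of the ordering problem the commit message describes (this is a toy model written for this note, not code from the patch or from mm/shrinker.c): a unit[] array sized from map_nr_max, an instrumented loader that counts every attempted unit[] access, and the two orderings side by side. The names `load_unit`, `set_bit_load_then_check`, `set_bit_check_then_load`, `make_info`, the `UNIT_BITS` value of 64 and the struct layouts are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy layout (assumed, not the kernel's): ids are grouped into units of
 * UNIT_BITS ids each, and unit[] holds one pointer per group, sized so
 * that every id below map_nr_max has a unit. */
#define UNIT_BITS 64

struct unit {
    uint64_t map;          /* one bit per shrinker id in this unit */
};

struct shrinker_info {
    int map_nr_max;        /* number of ids this map is allowed to cover */
    int nr_units;          /* length of unit[], derived from map_nr_max */
    struct unit **unit;    /* constructed sample array */
};

int id_to_index(int id)  { return id / UNIT_BITS; }
int id_to_offset(int id) { return id % UNIT_BITS; }

/* Instrumentation: count every attempted unit[] load so the two orderings
 * can be compared for an out-of-range id without actually reading past
 * the array (a real kernel would perform the stray read here). */
static int loads_attempted;
static int loads_out_of_bounds;

void reset_counters(void) { loads_attempted = 0; loads_out_of_bounds = 0; }
int counter_loads(void)   { return loads_attempted; }
int counter_oob(void)     { return loads_out_of_bounds; }

struct unit *load_unit(struct shrinker_info *info, int idx)
{
    loads_attempted++;
    if (idx >= info->nr_units) {
        loads_out_of_bounds++;   /* would be an out-of-bounds read */
        return NULL;
    }
    return info->unit[idx];
}

/* Original ordering: the unit[] load happens before the range check. */
int set_bit_load_then_check(struct shrinker_info *info, int id)
{
    struct unit *u = load_unit(info, id_to_index(id));

    if (id >= info->map_nr_max)
        return -1;               /* too late: the load already happened */
    u->map |= (uint64_t)1 << id_to_offset(id);
    return 0;
}

/* Patched ordering: the load only runs inside the bounded branch. */
int set_bit_check_then_load(struct shrinker_info *info, int id)
{
    if (id >= info->map_nr_max)
        return -1;               /* no memory touched for a bad id */
    struct unit *u = load_unit(info, id_to_index(id));
    u->map |= (uint64_t)1 << id_to_offset(id);
    return 0;
}

/* Constructs a sample shrinker_info whose unit[] exactly covers map_nr_max. */
struct shrinker_info *make_info(int map_nr_max)
{
    struct shrinker_info *info = calloc(1, sizeof(*info));
    info->map_nr_max = map_nr_max;
    info->nr_units = (map_nr_max + UNIT_BITS - 1) / UNIT_BITS;
    info->unit = calloc((size_t)info->nr_units, sizeof(*info->unit));
    for (int i = 0; i < info->nr_units; i++)
        info->unit[i] = calloc(1, sizeof(struct unit));
    return info;
}

void free_info(struct shrinker_info *info)
{
    for (int i = 0; i < info->nr_units; i++)
        free(info->unit[i]);
    free(info->unit);
    free(info);
}

int main(void)
{
    struct shrinker_info *info = make_info(128);   /* two units */
    int bad_id = 129;                               /* index 2: past unit[] */

    reset_counters();
    set_bit_load_then_check(info, bad_id);
    printf("load-then-check: loads=%d oob=%d\n", counter_loads(), counter_oob());

    reset_counters();
    set_bit_check_then_load(info, bad_id);
    printf("check-then-load: loads=%d oob=%d\n", counter_loads(), counter_oob());

    free_info(info);
    return 0;
}
```

The model also shows the weaker case the commit message implies: an id that is above map_nr_max but whose index still lands inside unit[] is loaded speculatively by the old ordering and simply never used, which is harmless in the model but still a load of a slot the check had not yet validated.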