From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8CAD56FB1; Tue, 5 Dec 2023 03:36:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="F42X0QMg" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0D581C433C7; Tue, 5 Dec 2023 03:36:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1701747392; bh=ek9h/DlBnedH/VtwyMHB8d/tRmHQfvvqDVCZSByIZuo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=F42X0QMg335bXfdhMEjepKrIaqYldn76UOjfOGN2Q5oKrwndBB/DFlhtvcx/DFC+/ 4OKhvdoOiWf6wRa2wxa3qWd8ZNV3Iyc+89Vfo/1Gg/TBPVJ6d8Ch+LqgJQauV9MGIu Jq4BqjRblqaGfW7zsOGb9ogR4VipTYye3qOuUr9A= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Kent Overstreet , "Peter Zijlstra (Intel)" , Sasha Levin Subject: [PATCH 5.10 035/135] lockdep: Fix block chain corruption Date: Tue, 5 Dec 2023 12:15:56 +0900 Message-ID: <20231205031532.882473089@linuxfoundation.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231205031530.557782248@linuxfoundation.org> References: <20231205031530.557782248@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Peter Zijlstra [ Upstream commit bca4104b00fec60be330cd32818dd5c70db3d469 ] Kent reported an occasional KASAN splat in lockdep. Mark then noted: > I suspect the dodgy access is to chain_block_buckets[-1], which hits the last 4 > bytes of the redzone and gets (incorrectly/misleadingly) attributed to > nr_large_chain_blocks. That would mean @size == 0, at which point size_to_bucket() returns -1 and the above happens. alloc_chain_hlocks() has 'size - req', for the first with the precondition 'size >= rq', which allows the 0. This code is trying to split a block, del_chain_block() takes what we need, and add_chain_block() puts back the remainder, except in the above case the remainder is 0 sized and things go sideways. Fixes: 810507fe6fd5 ("locking/lockdep: Reuse freed chain_hlocks entries") Reported-by: Kent Overstreet Signed-off-by: Peter Zijlstra (Intel) Tested-by: Kent Overstreet Link: https://lkml.kernel.org/r/20231121114126.GH8262@noisy.programming.kicks-ass.net Signed-off-by: Sasha Levin --- kernel/locking/lockdep.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c index 6cbd2b4444769..7471d85f54ae5 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c @@ -3357,7 +3357,8 @@ static int alloc_chain_hlocks(int req) size = chain_block_size(curr); if (likely(size >= req)) { del_chain_block(0, size, chain_block_next(curr)); - add_chain_block(curr + req, size - req); + if (size > req) + add_chain_block(curr + req, size - req); return curr; } } -- 2.42.0