Re: [PATCH v3] kasan/quarantine: fix bugs on qlist_move_cache()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2016-07-01 23:03 GMT+09:00 Dmitry Vyukov <dvyukov@xxxxxxxxxx>:
> On Fri, Jul 1, 2016 at 4:02 PM,  <js1304@xxxxxxxxx> wrote:
>> From: Joonsoo Kim <iamjoonsoo.kim@xxxxxxx>
>>
>> There are two bugs on qlist_move_cache(). One is that qlist's tail
>> isn't set properly. curr->next can be NULL since it is singly linked
>> list and NULL value on tail is invalid if there is one item on qlist.
>> Another one is that if cache is matched, qlist_put() is called and
>> it will set curr->next to NULL. It would cause to stop the loop
>> prematurely.
>>
>> These problems come from complicated implementation so I'd like to
>> re-implement it completely. Implementation in this patch is really
>> simple. Iterate all qlist_nodes and put them to appropriate list.
>>
>> Unfortunately, I got this bug sometime ago and lose oops message.
>> But, the bug looks trivial and no need to attach oops.
>>
>> v3: fix build warning
>>
>> Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@xxxxxxx>
>> ---
>>  mm/kasan/quarantine.c | 21 +++++++--------------
>>  1 file changed, 7 insertions(+), 14 deletions(-)
>>
>> diff --git a/mm/kasan/quarantine.c b/mm/kasan/quarantine.c
>> index 4973505..cf92494 100644
>> --- a/mm/kasan/quarantine.c
>> +++ b/mm/kasan/quarantine.c
>> @@ -238,30 +238,23 @@ static void qlist_move_cache(struct qlist_head *from,
>>                                    struct qlist_head *to,
>>                                    struct kmem_cache *cache)
>>  {
>> -       struct qlist_node *prev = NULL, *curr;
>> +       struct qlist_node *curr;
>>
>>         if (unlikely(qlist_empty(from)))
>>                 return;
>>
>>         curr = from->head;
>> +       qlist_init(from);
>>         while (curr) {
>>                 struct qlist_node *qlink = curr;
>>                 struct kmem_cache *obj_cache = qlink_to_cache(qlink);
>>
>> -               if (obj_cache == cache) {
>> -                       if (unlikely(from->head == qlink)) {
>> -                               from->head = curr->next;
>> -                               prev = curr;
>> -                       } else
>> -                               prev->next = curr->next;
>> -                       if (unlikely(from->tail == qlink))
>> -                               from->tail = curr->next;
>> -                       from->bytes -= cache->size;
>> -                       qlist_put(to, qlink, cache->size);
>> -               } else {
>> -                       prev = curr;
>> -               }
>>                 curr = curr->next;
>> +
>> +               if (obj_cache == cache)
>> +                       qlist_put(to, qlink, cache->size);
>> +               else
>> +                       qlist_put(from, qlink, cache->size);
>
> This line is wrong. If obj_cache != cache, object size != cache->size.
> Quarantine contains objects of different sizes.

You're right. 11 pm is not good time to work. :/
If it is fixed, the patch looks correct to you?
I will fix it and send v4 on next week.

Thanks.

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]