In the function memcg_init_list_lru if call goto fail when i == 0, will cause out-of-bounds at lru->node[i] The same out-of-bounds access scenario exists in the functions memcg_update_list_lru and __memcg_init_list_lru_node
Signed-off-by: nixiaoming <nixiaoming@xxxxxxxxxx>
---
 mm/list_lru.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mm/list_lru.c b/mm/list_lru.c
index fcfb6c8..ec6bdd9 100644
--- a/mm/list_lru.c
+++ b/mm/list_lru.c
@@ -298,6 +298,9 @@ static void __memcg_destroy_list_lru_node(struct list_lru_memcg *memcg_lrus,
 {
 	int i;
 
+	if (unlikely(begin >= end))
+		return;
+
 	for (i = begin; i < end; i++)
 		kfree(memcg_lrus->lru[i]);
 }
@@ -422,6 +425,8 @@ static int memcg_init_list_lru(struct list_lru *lru, bool memcg_aware)
 	}
 	return 0;
 fail:
+	if (unlikely(i == 0))
+		return -ENOMEM;
 	for (i = i - 1; i >= 0; i--) {
 		if (!lru->node[i].memcg_lrus)
 			continue;
@@ -456,6 +461,8 @@ static int memcg_update_list_lru(struct list_lru *lru,
 	}
 	return 0;
 fail:
+	if (unlikely(i == 0))
+		return -ENOMEM;
 	for (i = i - 1; i >= 0; i--) {
 		if (!lru->node[i].memcg_lrus)
 			continue;
-- 
2.10.1
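Review bot: The `begin >= end` guard added at the top of `__memcg_destroy_list_lru_node` is dead code: the loop `for (i = begin; i < end; i++)` that follows already runs zero times for an empty range, so `memcg_lrus->lru[i]` is never touched and this hunk changes no behaviour. Wrapping a no-op branch in `unlikely()` only adds noise; I would drop the hunk, or if the guard is kept on purpose, give it a comment naming the caller that can pass an empty range. The commit message points at `__memcg_init_list_lru_node`, which is not in the diff; if there is a real problem on its failure path it would lie in the `end` bound that call site passes, which a guard here cannot correct — that is inferred from the message, not from visible lines. The function's signature starts on the hunk-header line and is otherwise outside the hunk.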
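Review bot: The `if (unlikely(i == 0)) return -ENOMEM;` added at `fail:` in `memcg_init_list_lru` does not fix an out-of-bounds access, because the cleanup loop `for (i = i - 1; i >= 0; i--)` with `i == 0` sets `i` to -1 and the `i >= 0` test fails before `lru->node[i]` is ever evaluated, assuming `i` is a signed `int` as the loop's own `i >= 0` test presupposes (its declaration is outside the hunk). The function's fall-through after the loop presumably already returns -ENOMEM, so the new lines duplicate the existing result rather than change it; the identical hunk in `memcg_update_list_lru` below has the same property. If the patch is kept at all it should be described as skipping an empty loop, not as an out-of-bounds fix, so the commit message's claim should be corrected. Both functions' bodies begin outside their hunks.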