Commit c9a24119 authored Jul 20, 2022 by liubo Committed by Laibin Qiu Jul 20, 2022

etmem:fix kasan slab-out-of-bounds in do_swapcache_reclaim

euleros inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5GN7K


CVE: NA

--------------------------------
In the do_swapcache_reclaim interface,
there is a slab-out-of-bounds kasan problem;

The reason for the problem is that when
list_for_each_entry_safe_reverse_from traverses
the LRU linked list, it does not consider that next may be
equal to the head address, which may lead to the
head address being accessed as the page address,
causing problems.

In response to the above problems,
add a judgment about whether pos is head.

Signed-off-by: liubo <liubo254@huawei.com>
Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: wangkefeng <wangkefeng.wang@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

parent 622ecb59

mm/vmscan.c

+1 −3

Original line number	Diff line number	Diff line
		@@ -4555,7 +4555,6 @@ EXPORT_SYMBOL_GPL(get_page_from_vaddr);
		static int add_page_for_reclaim_swapcache(struct page *page,
		struct list_head pagelist, struct lruvec lruvec, enum lru_list lru)
		{
		struct list_head *src = &lruvec->lists[lru];
		struct page *head;

		/* If the page is mapped by more than one process, do not swap it */
		@@ -4574,7 +4573,6 @@ static int add_page_for_reclaim_swapcache(struct page *page,
		reliable_lru_add(lru, head, -hpage_nr_pages(head));
		break;
		case -EBUSY:
		list_move(&head->lru, src);
		return -1;
		default:
		break;
		@@ -4744,7 +4742,7 @@ int do_swapcache_reclaim(unsigned long *swapcache_watermark,
		* check if pos page is been released or not in LRU list, if true,
		* cancel the subsequent page scanning of the current node.
		*/
		if (!pos) {
		if (!pos \|\| &pos->lru == src) {
		spin_unlock_irq(&pgdat->lru_lock);
		continue;
		}