# git rev-parse -q --verify ae085d7f9365de7da27ab5c0d16b12d51ea7fca9^{commit} ae085d7f9365de7da27ab5c0d16b12d51ea7fca9 already have revision, skipping fetch # git checkout -q -f -B kisskb ae085d7f9365de7da27ab5c0d16b12d51ea7fca9 # git clean -qxdf # < git log -1 # commit ae085d7f9365de7da27ab5c0d16b12d51ea7fca9 # Author: Muchun Song # Date: Sun Mar 27 13:18:52 2022 +0800 # # mm: kfence: fix missing objcg housekeeping for SLAB # # The objcg is not cleared and put for kfence object when it is freed, # which could lead to memory leak for struct obj_cgroup and wrong # statistics of NR_SLAB_RECLAIMABLE_B or NR_SLAB_UNRECLAIMABLE_B. # # Since the last freed object's objcg is not cleared, # mem_cgroup_from_obj() could return the wrong memcg when this kfence # object, which is not charged to any objcgs, is reallocated to other # users. # # A real word issue [1] is caused by this bug. # # Link: https://lore.kernel.org/all/000000000000cabcb505dae9e577@google.com/ [1] # Reported-by: syzbot+f8c45ccc7d5d45fc5965@syzkaller.appspotmail.com # Fixes: d3fb45f370d9 ("mm, kfence: insert KFENCE hooks for SLAB") # Signed-off-by: Muchun Song # Cc: Dmitry Vyukov # Cc: Marco Elver # Cc: Andrew Morton # Signed-off-by: Linus Torvalds # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux-ld --version # < git log --format=%s --max-count=1 ae085d7f9365de7da27ab5c0d16b12d51ea7fca9 # < make -s -j 32 ARCH=powerpc O=/kisskb/build/linus_skiroot_defconfig_powerpc-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- skiroot_defconfig # < make -s -j 32 ARCH=powerpc O=/kisskb/build/linus_skiroot_defconfig_powerpc-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- help # make -s -j 32 ARCH=powerpc O=/kisskb/build/linus_skiroot_defconfig_powerpc-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- olddefconfig # make -s -j 32 ARCH=powerpc O=/kisskb/build/linus_skiroot_defconfig_powerpc-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- In file included from /kisskb/src/include/linux/byteorder/little_endian.h:5, from /kisskb/src/arch/powerpc/include/uapi/asm/byteorder.h:12, from /kisskb/src/include/asm-generic/bitops/le.h:6, from /kisskb/src/arch/powerpc/include/asm/bitops.h:336, from /kisskb/src/include/linux/bitops.h:33, from /kisskb/src/include/linux/kernel.h:22, from /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:46: /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c: In function '_base_make_ioc_operational': /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5396:40: warning: array subscript 'Mpi2SasIOUnitPage1_t {aka struct _MPI2_CONFIG_PAGE_SASIOUNIT_1}[0]' is partly outside array bounds of 'unsigned char[20]' [-Warray-bounds] 5396 | (le16_to_cpu(sas_iounit_pg1->SASWideMaxQueueDepth)) ? /kisskb/src/include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu' 37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x)) | ^ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5396:14: note: in expansion of macro 'le16_to_cpu' 5396 | (le16_to_cpu(sas_iounit_pg1->SASWideMaxQueueDepth)) ? | ^~~~~~~~~~~ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5382:26: note: referencing an object of size 20 allocated by 'kzalloc' 5382 | sas_iounit_pg1 = kzalloc(sz, GFP_KERNEL); | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from /kisskb/src/include/linux/byteorder/little_endian.h:5, from /kisskb/src/arch/powerpc/include/uapi/asm/byteorder.h:12, from /kisskb/src/include/asm-generic/bitops/le.h:6, from /kisskb/src/arch/powerpc/include/asm/bitops.h:336, from /kisskb/src/include/linux/bitops.h:33, from /kisskb/src/include/linux/kernel.h:22, from /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:46: /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5400:40: warning: array subscript 'Mpi2SasIOUnitPage1_t {aka struct _MPI2_CONFIG_PAGE_SASIOUNIT_1}[0]' is partly outside array bounds of 'unsigned char[20]' [-Warray-bounds] 5400 | (le16_to_cpu(sas_iounit_pg1->SASNarrowMaxQueueDepth)) ? /kisskb/src/include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu' 37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x)) | ^ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5400:14: note: in expansion of macro 'le16_to_cpu' 5400 | (le16_to_cpu(sas_iounit_pg1->SASNarrowMaxQueueDepth)) ? | ^~~~~~~~~~~ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5382:26: note: referencing an object of size 20 allocated by 'kzalloc' 5382 | sas_iounit_pg1 = kzalloc(sz, GFP_KERNEL); | ^~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5403:43: warning: array subscript 'Mpi2SasIOUnitPage1_t {aka struct _MPI2_CONFIG_PAGE_SASIOUNIT_1}[0]' is partly outside array bounds of 'unsigned char[20]' [-Warray-bounds] 5403 | ioc->max_sata_qd = (sas_iounit_pg1->SATAMaxQDepth) ? | ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5382:26: note: referencing an object of size 20 allocated by 'kzalloc' 5382 | sas_iounit_pg1 = kzalloc(sz, GFP_KERNEL); | ^~~~~~~~~~~~~~~~~~~~~~~ Completed OK # rm -rf /kisskb/build/linus_skiroot_defconfig_powerpc-gcc11 # Build took: 0:02:42.151721