The patch titled
     Subject: zsmalloc: don't underflow size calculation in zs_obj_write()
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     zsmalloc-dont-underflow-size-calculation-in-zs_obj_write.patch
This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches...
This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days
------------------------------------------------------
From: Sergey Senozhatsky <senozhatsky@chromium.org>
Subject: zsmalloc: don't underflow size calculation in zs_obj_write()
Date: Sun, 4 May 2025 20:00:22 +0900
Do not mix class->size and object size during offsets/sizes calculation in zs_obj_write(). Size classes can merge into clusters, based on objects-per-zspage and pages-per-zspage characteristics, so some size classes can store objects smaller than class->size. This becomes problematic when the object size is much smaller than class->size: we can determine that the object spans two physical pages, because we use the larger class->size for this, while the actual object is much smaller and fits in one physical page, so there is nothing to write to the second page and the memcpy() size calculation underflows.
We always know the exact size in bytes of the object that we are about to write (store), so use it instead of class->size.
Link: https://lkml.kernel.org/r/20250504110650.2783619-1-senozhatsky@chromium.org
Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reported-by: Igor Belousov <igor.b@beldev.am>
Tested-by: Igor Belousov <igor.b@beldev.am>
Cc: Minchan Kim <minchan@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
 mm/zsmalloc.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/mm/zsmalloc.c~zsmalloc-dont-underflow-size-calculation-in-zs_obj_write +++ a/mm/zsmalloc.c @@ -1243,19 +1243,19 @@ void zs_obj_write(struct zs_pool *pool, class = zspage_class(pool, zspage); off = offset_in_page(class->size * obj_idx);
- if (off + class->size <= PAGE_SIZE) { + if (!ZsHugePage(zspage)) + off += ZS_HANDLE_SIZE; + + if (off + mem_len <= PAGE_SIZE) { /* this object is contained entirely within a page */ void *dst = kmap_local_zpdesc(zpdesc);
- if (!ZsHugePage(zspage)) - off += ZS_HANDLE_SIZE; memcpy(dst + off, handle_mem, mem_len); kunmap_local(dst); } else { /* this object spans two pages */ size_t sizes[2];
- off += ZS_HANDLE_SIZE; sizes[0] = PAGE_SIZE - off; sizes[1] = mem_len - sizes[0];
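Review bot: Hoisting `if (!ZsHugePage(zspage)) off += ZS_HANDLE_SIZE;` above the branch also changes the two-page path, which previously did `off += ZS_HANDLE_SIZE;` unconditionally: for a huge zspage the spanning branch would now compute sizes[0] from an offset ZS_HANDLE_SIZE smaller than before. That is only equivalent if a huge zspage can never reach the else branch, which the commit message does not say; add a sentence stating why that holds (or keep the unconditional add in the else branch with a comment). Separately, the new test `if (off + mem_len <= PAGE_SIZE)` now trusts the caller-supplied mem_len where the old code only trusted class->size; a WARN_ON_ONCE that mem_len does not exceed the payload room the class leaves after the handle would catch an oversized write instead of letting memcpy() run into the neighbouring object.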
_
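The arithmetic the commit message describes, modelled stand-alone so the underflow can be seen on concrete numbers. This is an added example, not kernel code and not the author's; it assumes 4 KiB pages and an 8-byte handle (named MODEL_PAGE_SIZE / MODEL_HANDLE_SIZE to avoid clashing with system headers), and the class size, object index and object length in main() are constructed inputs chosen so that class->size says the slot straddles a page boundary while the real object does not.

```c
/*
 * Stand-alone model of the offset/size arithmetic in zs_obj_write(),
 * before (plan_old) and after (plan_new) the patch.  Added example:
 * not kernel code.  Page and handle sizes are assumed model constants.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE   4096UL  /* assumed: 4 KiB pages */
#define MODEL_HANDLE_SIZE 8UL     /* assumed: 8-byte handle prefix */

struct write_plan {
	bool   spans;     /* the write touches a second page */
	size_t off;       /* offset of the payload within the first page */
	size_t sizes[2];  /* bytes copied into first / second page */
	bool   underflow; /* sizes[1] wrapped because sizes[0] > mem_len */
};

/* Pre-patch: the page-span decision is made with class->size. */
static struct write_plan plan_old(size_t class_size, size_t obj_idx,
				  size_t mem_len, bool huge)
{
	struct write_plan p = {0};
	size_t off = (class_size * obj_idx) % MODEL_PAGE_SIZE; /* offset_in_page() */

	if (off + class_size <= MODEL_PAGE_SIZE) {
		if (!huge)
			off += MODEL_HANDLE_SIZE;
		p.off = off;
		p.sizes[0] = mem_len;
	} else {
		off += MODEL_HANDLE_SIZE;
		p.spans = true;
		p.off = off;
		p.sizes[0] = MODEL_PAGE_SIZE - off;
		p.underflow = mem_len < p.sizes[0];
		p.sizes[1] = mem_len - p.sizes[0]; /* wraps when underflow */
	}
	return p;
}

/* Patched: handle offset applied first, span decision made with mem_len. */
static struct write_plan plan_new(size_t class_size, size_t obj_idx,
				  size_t mem_len, bool huge)
{
	struct write_plan p = {0};
	size_t off = (class_size * obj_idx) % MODEL_PAGE_SIZE;

	if (!huge)
		off += MODEL_HANDLE_SIZE;
	p.off = off;
	if (off + mem_len <= MODEL_PAGE_SIZE) {
		p.sizes[0] = mem_len;
	} else {
		p.spans = true;
		p.sizes[0] = MODEL_PAGE_SIZE - off;
		/* else-branch implies mem_len > sizes[0], so never wraps */
		p.underflow = mem_len < p.sizes[0];
		p.sizes[1] = mem_len - p.sizes[0];
	}
	return p;
}

static void show(const char *tag, struct write_plan p)
{
	printf("%s: off=%zu spans=%d sizes={%zu,%zu} underflow=%d\n",
	       tag, p.off, (int)p.spans, p.sizes[0], p.sizes[1],
	       (int)p.underflow);
}

int main(void)
{
	/* Constructed case: a 1536-byte class storing a 600-byte object at
	 * index 2 (class merging lets objects be smaller than class->size).
	 * 3072 + 1536 > 4096, so the old test says "spans"; 3080 + 600 fits. */
	show("old", plan_old(1536, 2, 600, false));
	show("new", plan_new(1536, 2, 600, false));
	/* A full-size object in the same slot really spans; both agree. */
	show("old", plan_old(1536, 2, 1500, false));
	show("new", plan_new(1536, 2, 1500, false));
	return 0;
}
```

Running it shows the old plan for the 600-byte object entering the two-page branch with sizes[0] = 1016 and sizes[1] wrapped to a huge value, while the new plan writes 600 bytes at offset 3080 within a single page; for the 1500-byte object both versions produce sizes {1016, 484}.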
Patches currently in -mm which might be from senozhatsky@chromium.org are

zsmalloc-dont-underflow-size-calculation-in-zs_obj_write.patch
zsmalloc-prefer-the-the-original-pages-node-for-compressed-data-fix.patch
zram-modernize-writeback-interface.patch
zram-modernize-writeback-interface-v3.patch
zram-modernize-writeback-interface-v4.patch
zsmalloc-cleanup-headers-includes.patch
documentation-zram-update-idle-pages-tracking-documentation.patch