From: Peter Zijlstra peterz@infradead.org
stable inclusion from stable-v6.6.4 commit 328854deec80e115509cee74eeb533e139284a56 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8N1WC
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit bca4104b00fec60be330cd32818dd5c70db3d469 ]
Kent reported an occasional KASAN splat in lockdep. Mark then noted:
I suspect the dodgy access is to chain_block_buckets[-1], which hits the last 4 bytes of the redzone and gets (incorrectly/misleadingly) attributed to nr_large_chain_blocks.
That would mean @size == 0, at which point size_to_bucket() returns -1 and the above happens.
alloc_chain_hlocks() has 'size - req', for the first with the precondition 'size >= rq', which allows the 0.
This code is trying to split a block, del_chain_block() takes what we need, and add_chain_block() puts back the remainder, except in the above case the remainder is 0 sized and things go sideways.
Fixes: 810507fe6fd5 ("locking/lockdep: Reuse freed chain_hlocks entries") Reported-by: Kent Overstreet kent.overstreet@linux.dev Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Tested-by: Kent Overstreet kent.overstreet@linux.dev Link: https://lkml.kernel.org/r/20231121114126.GH8262@noisy.programming.kicks-ass.... Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- kernel/locking/lockdep.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c index e85b5ad3e206..151bd3de5936 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c @@ -3497,7 +3497,8 @@ static int alloc_chain_hlocks(int req) size = chain_block_size(curr); if (likely(size >= req)) { del_chain_block(0, size, chain_block_next(curr)); - add_chain_block(curr + req, size - req); + if (size > req) + add_chain_block(curr + req, size - req); return curr; } }