Re: [PATCH] mm: Fix int overflow in callers of do_shrink_slab()

From: Kirill Tkhai
Date: Fri Sep 28 2018 - 20:00:06 EST

Next message: Dmitry Torokhov: "Re: [PATCH] input: sun4i-lradc: Convert to using %pOFn instead of device_node.name"
Previous message: Dmitry Torokhov: "[git pull] Input updates for v4.19-rc5"
In reply to: Cyrill Gorcunov: "Re: [PATCH] mm: Fix int overflow in callers of do_shrink_slab()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 29.09.2018 00:15, Andrew Morton wrote:
> On Fri, 28 Sep 2018 14:28:32 +0300 Kirill Tkhai <ktkhai@xxxxxxxxxxxxx> wrote:
>
>> do_shrink_slab() returns unsigned long value, and
>> the placing into int variable cuts high bytes off.
>> Then we compare ret and 0xfffffffe (since SHRINK_EMPTY
>> is converted to ret type).
>>
>> Thus, big number of objects returned by do_shrink_slab()
>> may be interpreted as SHRINK_EMPTY, if low bytes of
>> their value are equal to 0xfffffffe. Fix that
>> by declaration ret as unsigned long in these functions.
>
> Sigh. How many times has this happened.
>
>> Reported-by: Cyrill Gorcunov <gorcunov@xxxxxxxxxx>
>
> What did he report? Was it code inspection? Did the kernel explode?
> etcetera. I'm thinking that the fix should be backported but to
> determine that, we need to understand the end-user runtime effects, as
> always. Please.

Yeah, it was just code inspection. It's need to be a really unlucky person
to meet this in real life -- the probability is very small.

The runtime effect would be the following. Such the unlucky person would
have a single shrinker, which is never called for a single memory cgroup,
despite there are objects charged.

Thanks,
Kirill

Next message: Dmitry Torokhov: "Re: [PATCH] input: sun4i-lradc: Convert to using %pOFn instead of device_node.name"
Previous message: Dmitry Torokhov: "[git pull] Input updates for v4.19-rc5"
In reply to: Cyrill Gorcunov: "Re: [PATCH] mm: Fix int overflow in callers of do_shrink_slab()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]