lockdep: Fix block chain corruption

Kent reported an occasional KASAN splat in lockdep. Mark then noted: > I suspect the dodgy access is to chain_block_buckets[-1], which hits the last 4 > bytes of the redzone and gets (incorrectly/misleadingly) attributed to > nr_large_chain_blocks. That would mean @SiZe == 0, at which point size_to_bucket() returns -1 and the above happens. alloc_chain_hlocks() has 'size - req', for the first with the precondition 'size >= rq', which allows the 0. This code is trying to split a block, del_chain_block() takes what we need, and add_chain_block() puts back the remainder, except in the above case the remainder is 0 sized and things go sideways. Fixes: 810507f ("locking/lockdep: Reuse freed chain_hlocks entries") Reported-by: Kent Overstreet <[email protected]> Signed-off-by: Peter Zijlstra (Intel) <[email protected]> Tested-by: Kent Overstreet <[email protected]> Link: https://lkml.kernel.org/r/[email protected]
wafgo · Nov 24, 2023 · bca4104 · bca4104
1 parent 98b1cc8
commit bca4104
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
@@ -3497,7 +3497,8 @@ static int alloc_chain_hlocks(int req)
 		size = chain_block_size(curr);
 		if (likely(size >= req)) {
 			del_chain_block(0, size, chain_block_next(curr));
-			add_chain_block(curr + req, size - req);
+			if (size > req)
+				add_chain_block(curr + req, size - req);
 			return curr;
 		}
 	}