| From: Kemeng Shi <shikemeng@huaweicloud.com> |
| Subject: mm: swap: fix potential buffer overflow in setup_clusters() |
| Date: Thu, 22 May 2025 20:25:53 +0800 |
| |
| In setup_swap_map(), we only ensure badpages are in range (0, last_page]. |
| As maxpages might be < last_page, setup_clusters() will encounter a buffer |
| overflow when a badpage is >= maxpages. |
| |
| Only call inc_cluster_info_page() for badpage which is < maxpages to fix |
| the issue. |
| |
| Link: https://lkml.kernel.org/r/20250522122554.12209-4-shikemeng@huaweicloud.com |
| Fixes: b843786b0bd0 ("mm: swapfile: fix SSD detection with swapfile on btrfs") |
| Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com> |
| Reviewed-by: Baoquan He <bhe@redhat.com> |
| Cc: Johannes Weiner <hannes@cmpxchg.org> |
| Cc: Kairui Song <kasong@tencent.com> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| --- |
| |
| mm/swapfile.c | 10 +++++++--- |
| 1 file changed, 7 insertions(+), 3 deletions(-) |
| |
| --- a/mm/swapfile.c~mm-swap-fix-potensial-buffer-overflow-in-setup_clusters |
| +++ a/mm/swapfile.c |
| @@ -3208,9 +3208,13 @@ static struct swap_cluster_info *setup_c |
| * and the EOF part of the last cluster. |
| */ |
| inc_cluster_info_page(si, cluster_info, 0); |
| - for (i = 0; i < swap_header->info.nr_badpages; i++) |
| - inc_cluster_info_page(si, cluster_info, |
| - swap_header->info.badpages[i]); |
| + for (i = 0; i < swap_header->info.nr_badpages; i++) { |
| + unsigned int page_nr = swap_header->info.badpages[i]; |
| + |
| + if (page_nr >= maxpages) |
| + continue; |
| + inc_cluster_info_page(si, cluster_info, page_nr); |
| + } |
| for (i = maxpages; i < round_up(maxpages, SWAPFILE_CLUSTER); i++) |
| inc_cluster_info_page(si, cluster_info, i); |
| |
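Review bot: the new check "if (page_nr >= maxpages) continue;" in the badpages loop carries no comment saying why an entry at or above maxpages is an expected case rather than a corrupt header. The commit message gives the reason (setup_swap_map() only bounds badpages to (0, last_page], and maxpages might be < last_page), but none of that is in the code, so a later reader could take the skip for dead code or for silently hiding bad input. Suggest a short comment above the check stating that bad pages at or beyond maxpages pass the earlier range check but must not be passed to inc_cluster_info_page(). It is also worth confirming that "unsigned int page_nr" matches the element type of badpages[] and compares without truncation against maxpages, whose declaration is not visible in this hunk.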
| _ |