diff options
| author | Peter Zijlstra <[email protected]> | 2023-11-21 11:41:26 +0000 |
|---|---|---|
| committer | Peter Zijlstra <[email protected]> | 2023-11-24 10:04:54 +0000 |
| commit | bca4104b00fec60be330cd32818dd5c70db3d469 (patch) | |
| tree | f9e831af7baf488267fbfe0bcac55dab0a0ad0d7 /drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c | |
| parent | Linux 6.7-rc2 (diff) | |
| download | kernel-bca4104b00fec60be330cd32818dd5c70db3d469.tar.gz kernel-bca4104b00fec60be330cd32818dd5c70db3d469.zip | |
lockdep: Fix block chain corruption
Kent reported an occasional KASAN splat in lockdep. Mark then noted:
> I suspect the dodgy access is to chain_block_buckets[-1], which hits the last 4
> bytes of the redzone and gets (incorrectly/misleadingly) attributed to
> nr_large_chain_blocks.
That would mean @size == 0, at which point size_to_bucket() returns -1
and the above happens.
alloc_chain_hlocks() has 'size - req', for the first with the
precondition 'size >= rq', which allows the 0.
This code is trying to split a block, del_chain_block() takes what we
need, and add_chain_block() puts back the remainder, except in the
above case the remainder is 0 sized and things go sideways.
Fixes: 810507fe6fd5 ("locking/lockdep: Reuse freed chain_hlocks entries")
Reported-by: Kent Overstreet <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Tested-by: Kent Overstreet <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c')
0 files changed, 0 insertions, 0 deletions