[PATCH] pagevec: Add remaining space check before adding folio to batch.

From: Juntong Deng
Date: Tue Oct 03 2023 - 05:20:12 EST


Currently there is no check for remaining space before adding a folio to
the batch, which means that folios can still be added via folio_batch_add()
when the batch is full, causing errors.

The following is the related bug reported by syzbot:

UBSAN: array-index-out-of-bounds in ./include/linux/pagevec.h:74:2
index 255 is out of range for type 'struct folio *[15]'

Checking the remaining space before adding a folio to the batch can
solve this bug.

Reported-by: syzbot+e295147e14b474e4ad70@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=e295147e14b474e4ad70
Signed-off-by: Juntong Deng <juntong.deng@xxxxxxxxxxx>
---
include/linux/pagevec.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/linux/pagevec.h b/include/linux/pagevec.h
index 87cc678adc85..208f9a99889f 100644
--- a/include/linux/pagevec.h
+++ b/include/linux/pagevec.h
@@ -71,7 +71,9 @@ static inline unsigned int folio_batch_space(struct folio_batch *fbatch)
static inline unsigned folio_batch_add(struct folio_batch *fbatch,
struct folio *folio)
{
- fbatch->folios[fbatch->nr++] = folio;
+ if (folio_batch_space(fbatch))
+ fbatch->folios[fbatch->nr++] = folio;
+
return folio_batch_space(fbatch);
}
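Review bot: the `if (folio_batch_space(fbatch))` guard turns the overflow into a silent drop rather than fixing it: on a full batch the folio is neither stored nor reported, and `return folio_batch_space(fbatch);` yields 0 both when the folio just stored was the last one that fit and when the folio was discarded, so a caller that follows the `if (!folio_batch_add(fbatch, folio)) release` convention cannot tell that it has lost a folio. Callers are responsible for flushing when the add returns 0, so the real bug is in whichever caller let nr run past the array, and the report points the same way: index 255 against a 15-entry array is not one missed flush but a counter that was never initialised or was corrupted, which this check would hide instead of exposing. If a guard is wanted in folio_batch_add() at all, make it loud, for example `VM_BUG_ON(!folio_batch_space(fbatch));` before the store, rather than skipping the store and returning the same value as the success path.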

--
2.39.2
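The point at issue in the patch is the caller contract of folio_batch_add(): it returns the remaining space, and the caller is expected to release the batch when that reaches 0. The userspace model below is an added example written for this page, not the kernel's code or the author's; it assumes a 15-slot folio array (the size in the UBSAN report), an unsigned char counter and a trivial stand-in for folio_batch_release() that only counts what it flushes. It puts the unguarded add from the original code next to the guarded variant from the hunk, and shows that a caller which honours the return value never overflows with either, while a caller that ignores the return value and relies on the guard silently loses every folio past the 15th.

```c
#include <stdio.h>

/* Userspace model of the kernel's folio_batch (assumption: 15 slots, as in
 * the UBSAN report, and an unsigned char counter; the real struct has more
 * fields). Added example, not the kernel's code. */
#define PAGEVEC_SIZE 15

struct folio {
	unsigned long index;
};

struct folio_batch {
	unsigned char nr;
	struct folio *folios[PAGEVEC_SIZE];
};

static inline void folio_batch_init(struct folio_batch *fbatch)
{
	fbatch->nr = 0;
}

static inline unsigned int folio_batch_space(struct folio_batch *fbatch)
{
	return PAGEVEC_SIZE - fbatch->nr;
}

/* Unguarded add, as in the original code: the caller must release the
 * batch when this returns 0, otherwise the next call indexes past the end. */
static inline unsigned folio_batch_add(struct folio_batch *fbatch,
				       struct folio *folio)
{
	fbatch->folios[fbatch->nr++] = folio;
	return folio_batch_space(fbatch);
}

/* Guarded add, as in the patch hunk: a full batch drops the folio and still
 * returns 0, the same value the caller sees when the folio did fit. */
static inline unsigned folio_batch_add_guarded(struct folio_batch *fbatch,
					       struct folio *folio)
{
	if (folio_batch_space(fbatch))
		fbatch->folios[fbatch->nr++] = folio;

	return folio_batch_space(fbatch);
}

/* Stand-in for folio_batch_release(): returns how many folios it flushed. */
static unsigned long folio_batch_release(struct folio_batch *fbatch)
{
	unsigned long n = fbatch->nr;

	folio_batch_init(fbatch);
	return n;
}

/* Constructed pool of folios to feed the batch. */
#define POOL_SIZE 40
static struct folio pool[POOL_SIZE];

/* Caller that honours the contract: releases whenever add returns 0.
 * Every folio handed in reaches the sink, with the unguarded add. */
unsigned long drain_checking_caller(unsigned long nfolios)
{
	struct folio_batch fbatch;
	unsigned long released = 0, i;

	folio_batch_init(&fbatch);
	for (i = 0; i < nfolios && i < POOL_SIZE; i++) {
		pool[i].index = i;
		if (!folio_batch_add(&fbatch, &pool[i]))
			released += folio_batch_release(&fbatch);
	}
	return released + folio_batch_release(&fbatch);
}

/* Caller that ignores the return value and leans on the guard: the kind of
 * caller bug the patch hides. Nothing overflows, but only the first
 * PAGEVEC_SIZE folios ever reach the sink. */
unsigned long drain_ignoring_caller_guarded(unsigned long nfolios)
{
	struct folio_batch fbatch;
	unsigned long i;

	folio_batch_init(&fbatch);
	for (i = 0; i < nfolios && i < POOL_SIZE; i++) {
		pool[i].index = i;
		folio_batch_add_guarded(&fbatch, &pool[i]);
	}
	return folio_batch_release(&fbatch);
}

/* Returns 1 if the guarded add on an already-full batch is indistinguishable
 * from the add that stored the last fitting folio (both return 0) and the
 * extra folio was dropped (nr stays at PAGEVEC_SIZE). */
int guarded_add_is_silent(void)
{
	struct folio_batch fbatch;
	unsigned long i;
	unsigned last_fit = 1, dropped = 1;

	folio_batch_init(&fbatch);
	for (i = 0; i < PAGEVEC_SIZE; i++)
		last_fit = folio_batch_add_guarded(&fbatch, &pool[i]);
	dropped = folio_batch_add_guarded(&fbatch, &pool[PAGEVEC_SIZE]);
	return last_fit == dropped && fbatch.nr == PAGEVEC_SIZE;
}

int main(void)
{
	printf("checking caller released %lu of 40\n", drain_checking_caller(40));
	printf("ignoring caller with guard released %lu of 40\n",
	       drain_ignoring_caller_guarded(40));
	printf("guarded add on full batch is silent: %d\n", guarded_add_is_silent());
	return 0;
}
```

Running it shows the checking caller delivering all 40 folios while the ignoring caller with the guard delivers 15 and loses 25 without any error; that loss is why a guard inside folio_batch_add() that returns the success path's value is not a substitute for fixing the caller, and why a guard that is kept should fail loudly.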