Commit 835cc0c8477fdbc59e0217891d6f11061b1ac4e2 introduced the bug
that if the list to be sorted is a power-of-two in length, cmp() may
be passed pointers to the list header rather than to a list element.
This typically causes the caller's cmp() to read from invalid memory
locations off one end or the other of the list_head struct.

Signed-off-by: Don Mullis <don.mullis@gmail.com>
Tested-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
To: Alex Elder <aelder@sgi.com>
To: David Airlie <airlied@linux.ie>
Cc: stable@kernel.org
---
Examination of client code in xfs_buf.c and drm_modes.c showed no
obvious vulnerability to crashing: memory at offsets reachable by
cmp() appeared to always be readable, and the cmp() functions do not
dereference any pointers in the struct that they assume they have been
passed.

 lib/list_sort.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-next/lib/list_sort.c
===================================================================
--- linux-next.orig/lib/list_sort.c	2010-08-23 22:59:59.899177219 -0700
+++ linux-next/lib/list_sort.c	2010-08-23 23:01:48.007177492 -0700
@@ -70,7 +70,7 @@ static void merge_and_restore_back_links
 		 * element comparison is needed, so the client's cmp()
 		 * routine can invoke cond_resched() periodically.
 		 */
-		(*cmp)(priv, tail, tail);
+		(*cmp)(priv, tail->next, tail->next);
 
 		tail->next->prev = tail;
 		tail = tail->next;

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/