Date: Wed, 24 Feb 2016 11:05:31 +0100
From: Jiri Slaby <jslaby@...e.cz>
To: stable@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, Konstantin Khlebnikov <koct9i@...il.com>, Matthew Wilcox <willy@...ux.intel.com>, Hugh Dickins <hughd@...gle.com>, Ohad Ben-Cohen <ohad@...ery.com>, Jeremiah Mahler <jmmahler@...il.com>, Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Jiri Slaby <jslaby@...e.cz>
Subject: [PATCH 3.12 136/142] radix-tree: fix oops after radix_tree_iter_retry

From: Konstantin Khlebnikov <koct9i@...il.com>

3.12-stable review patch. If anyone has any objections, please let me know.

===============

commit 732042821cfa106b3c20b9780e4c60fee9d68900 upstream.

Helper radix_tree_iter_retry() resets next_index to the current index. In following radix_tree_next_slot current chunk size becomes zero. This isn't checked and it tries to dereference null pointer in slot.

Tagged iterator is fine because retry happens only at slot 0 where tag bitmask in iter->tags is filled with single bit.

Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
Signed-off-by: Konstantin Khlebnikov <koct9i@...il.com>
Cc: Matthew Wilcox <willy@...ux.intel.com>
Cc: Hugh Dickins <hughd@...gle.com>
Cc: Ohad Ben-Cohen <ohad@...ery.com>
Cc: Jeremiah Mahler <jmmahler@...il.com>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@...e.cz>
--- include/linux/radix-tree.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h index 3c2ce3cdd16a..16604454e95f 100644 --- a/include/linux/radix-tree.h +++ b/include/linux/radix-tree.h
@@ -341,7 +341,7 @@ void **radix_tree_iter_retry(struct radix_tree_iter *iter) * @iter: pointer to radix tree iterator * Returns: current chunk size */ -static __always_inline unsigned +static __always_inline long radix_tree_chunk_size(struct radix_tree_iter *iter) { return iter->next_index - iter->index; @@ -375,9 +375,9 @@ radix_tree_next_slot(void **slot, struct radix_tree_iter *iter, unsigned flags) return slot + offset + 1; } } else { - unsigned size = radix_tree_chunk_size(iter) - 1; + long size = radix_tree_chunk_size(iter); - while (size--) { + while (--size > 0) { slot++; iter->index++; if (likely(*slot)) -- 2.7.1
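Review bot: the kernel-doc above radix_tree_chunk_size() still reads only "Returns: current chunk size", although the return type becomes long specifically so that a caller can cope with a size of zero. Suggest extending that comment to say the result can be 0 after radix_tree_iter_retry() and that it is signed so a caller may decrement it past zero without wrapping.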
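Review bot: in the else branch of radix_tree_next_slot(), `while (--size > 0)` now handles the zero-size chunk, but the tagged branch just above it is left unchanged and is safe only because of an invariant recorded in the commit message (retry happens only at slot 0, where iter->tags holds a single bit). Suggest a short comment in the function stating that invariant, and that size may be 0 here after radix_tree_iter_retry(), so a later change does not reintroduce the wrap.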
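The wrap described in the commit message, as an added user-space example that is not part of the patch or of the kernel source. `struct demo_iter`, `advances_old()`, `advances_new()` and the `cap` parameter are hypothetical names; the functions only count how many times each loop shape would execute its body (`slot++`, `iter->index++`).

```c
#include <stdio.h>

/* Hypothetical stand-in for struct radix_tree_iter: only the two fields
 * the chunk-size subtraction uses. */
struct demo_iter { unsigned long index, next_index; };

/* Pre-patch loop shape: unsigned size, "- 1", post-decrement test.
 * Returns how many times the loop body would run; cap keeps the
 * demonstration finite when the counter wraps. */
static unsigned long advances_old(struct demo_iter it, unsigned long cap)
{
	unsigned size = (unsigned)(it.next_index - it.index) - 1;
	unsigned long n = 0;

	while (size--) {
		if (++n == cap)
			break;
	}
	return n;
}

/* Patched loop shape: signed size, pre-decrement compared against zero. */
static unsigned long advances_new(struct demo_iter it, unsigned long cap)
{
	long size = (long)(it.next_index - it.index);
	unsigned long n = 0;

	while (--size > 0) {
		if (++n == cap)
			break;
	}
	return n;
}

int main(void)
{
	struct demo_iter full = { 0, 64 };  /* constructed: ordinary chunk */
	struct demo_iter retry = { 5, 5 };  /* constructed: next_index reset to index */

	printf("full chunk:  old=%lu new=%lu\n",
	       advances_old(full, 1000), advances_new(full, 1000));
	printf("after retry: old=%lu new=%lu\n",
	       advances_old(retry, 1000), advances_new(retry, 1000));
	return 0;
}
```

With a zero-size chunk the old shape runs until the cap is hit, while the patched shape never enters the loop; for an ordinary chunk both run the same number of times.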