lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Feb 2016 19:34:06 -0800 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Konstantin Khlebnikov <koct9i@...il.com>, Matthew Wilcox <willy@...ux.intel.com>, Hugh Dickins <hughd@...gle.com>, Ohad Ben-Cohen <ohad@...ery.com>, Jeremiah Mahler <jmmahler@...il.com>, Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds <torvalds@...ux-foundation.org> Subject: [PATCH 3.10 49/54] radix-tree: fix oops after radix_tree_iter_retry 3.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Konstantin Khlebnikov <koct9i@...il.com> commit 732042821cfa106b3c20b9780e4c60fee9d68900 upstream. Helper radix_tree_iter_retry() resets next_index to the current index. In following radix_tree_next_slot current chunk size becomes zero. This isn't checked and it tries to dereference null pointer in slot. Tagged iterator is fine because retry happens only at slot 0 where tag bitmask in iter->tags is filled with single bit. Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup") Signed-off-by: Konstantin Khlebnikov <koct9i@...il.com> Cc: Matthew Wilcox <willy@...ux.intel.com> Cc: Hugh Dickins <hughd@...gle.com> Cc: Ohad Ben-Cohen <ohad@...ery.com> Cc: Jeremiah Mahler <jmmahler@...il.com> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- include/linux/radix-tree.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/include/linux/radix-tree.h +++ b/include/linux/radix-tree.h @@ -343,7 +343,7 @@ void **radix_tree_iter_retry(struct radi * @iter: pointer to radix tree iterator * Returns: current chunk size */ -static __always_inline unsigned +static __always_inline long radix_tree_chunk_size(struct radix_tree_iter *iter) { return iter->next_index - iter->index; @@ -377,9 +377,9 @@ radix_tree_next_slot(void **slot, struct return slot + offset + 1; } } else { - unsigned size = radix_tree_chunk_size(iter) - 1; + long size = radix_tree_chunk_size(iter); - while (size--) { + while (--size > 0) { slot++; iter->index++; if (likely(*slot))
Powered by blists - more mailing lists