projects / linux-2.6-block.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 3f1b6f9) | patch
ida: Free correct IDA bitmap
authorMatthew Wilcox <mawilcox@microsoft.com>
Fri, 3 Mar 2017 17:16:10 +0000 (12:16 -0500)
committerMatthew Wilcox <mawilcox@microsoft.com>
Tue, 7 Mar 2017 18:18:23 +0000 (13:18 -0500)
commit4ecd9542dbc3e07f3bd3870aac12839f72b47db4
tree1345c7ca57563006a0355bec1bbe689dd14ca67ctree | snapshot
parent3f1b6f9d49ba5a209d745fa2448657d8b66ed0c0commit | diff
ida: Free correct IDA bitmap

There's a relatively rare race where we look at the per-cpu preallocated
IDA bitmap, see it's NULL, allocate a new one, and atomically update it.
If the kmalloc() happened to sleep and we were rescheduled to a different
CPU, or an interrupt came in at the exact right time, another task
might have successfully allocated a bitmap and already deposited it.
I forgot what the semantics of cmpxchg() were and ended up freeing the
wrong bitmap leading to KASAN reporting a use-after-free.

Dmitry found the bug with syzkaller & wrote the patch.  I wrote the test
case that will reproduce the bug without his patch being applied.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
lib/radix-tree.c diff | blob | blame | history
tools/testing/radix-tree/idr-test.c diff | blob | blame | history
tools/testing/radix-tree/main.c diff | blob | blame | history
tools/testing/radix-tree/test.h diff | blob | blame | history
Linux 6.x block layer and io_uring tree(s)