X-Patchwork-Submitter: Konstantin Khlebnikov
X-Patchwork-Id: 8214901
Subject: [PATCH] radix-tree: fix oops after radix_tree_iter_retry
From: Konstantin Khlebnikov
To: Matthew Wilcox, Andrew Morton, linux-kernel@vger.kernel.org
Cc: Ohad Ben-Cohen, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, Hugh Dickins, stable@vger.kernel.org
Date: Thu, 04 Feb 2016 11:41:27 +0300
Message-ID: <145457528789.31321.4441662473067711123.stgit@zurg>

Helper radix_tree_iter_retry resets next_index to the current index.
In following radix_tree_next_slot current chunk size becomes zero.
This isn't checked and it tries to dereference null pointer in slot.

Tagged iterator is fine because retry happens only at slot 0 where tag
bitmask in iter->tags is filled with single bit.

Signed-off-by: Konstantin Khlebnikov
Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
Cc: Matthew Wilcox
Cc: Hugh Dickins
Cc: Ohad Ben-Cohen
Cc:
---
 include/linux/radix-tree.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h index 00b17c526c1f..f54be7082207 100644 --- a/include/linux/radix-tree.h +++ b/include/linux/radix-tree.h 
@@ -400,7 +400,7 @@ void **radix_tree_iter_retry(struct radix_tree_iter *iter) * @iter: pointer to radix tree iterator * Returns: current chunk size */ -static __always_inline unsigned +static __always_inline long radix_tree_chunk_size(struct radix_tree_iter *iter) { return iter->next_index - iter->index; @@ -434,9 +434,9 @@ radix_tree_next_slot(void **slot, struct radix_tree_iter *iter, unsigned flags) return slot + offset + 1; } } else { - unsigned size = radix_tree_chunk_size(iter) - 1; + long size = radix_tree_chunk_size(iter); - while (size--) { + while (--size > 0) { slot++; iter->index++; if (likely(*slot))
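
Review bot: the kernel-doc above radix_tree_chunk_size() in the first hunk still says only "Returns: current chunk size" although the return type becomes `long`, so nothing at the definition explains why the value is signed or that it can be 0. Suggest extending the comment to say the size is 0 right after radix_tree_iter_retry(), the case the commit message describes, and that callers must treat 0 as an empty chunk. Since only the else branch of radix_tree_next_slot() is adjusted in this patch, the changelog could also state whether any other caller stores or compares this value as unsigned.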
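
Review bot: in the else branch of radix_tree_next_slot() (second hunk), `while (--size > 0)` is correct only because `size` is now a signed `long`; if a later cleanup makes it unsigned again, a zero chunk size wraps and the loop goes back to running `slot++` past the chunk. Suggest a one-line comment above `long size = radix_tree_chunk_size(iter);` noting that the size is 0 after radix_tree_iter_retry() and that the variable must stay signed. The tagged branch is left unchanged on the strength of the commit message's argument that retry only happens at slot 0; a short comment in that branch would keep the reasoning next to the code.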
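
The zero-size chunk described in the commit message, as an added example that is not part of the patch or the kernel source: a user-space model of the untagged loop header before and after the change. `struct iter_model`, `steps_before`, `steps_after` and the `cap` guard are hypothetical names constructed for illustration; each counted step stands for one `slot++` followed by a `*slot` read.

```c
#include <stdio.h>

/* Constructed stand-in for the two iterator fields the patch reads. */
struct iter_model {
    unsigned long index;
    unsigned long next_index;
};

/* Loop header as it was before the patch: unsigned size, "- 1", post-decrement.
 * With a chunk size of 0 the subtraction wraps to UINT_MAX. */
static unsigned long steps_before(const struct iter_model *it, unsigned long cap)
{
    unsigned size = (unsigned)(it->next_index - it->index) - 1;
    unsigned long steps = 0;

    while (size--) {
        if (++steps == cap)   /* guard for the model only; the kernel loop has none */
            break;
    }
    return steps;
}

/* Loop header after the patch: signed size, pre-decrement, "> 0" test. */
static unsigned long steps_after(const struct iter_model *it, unsigned long cap)
{
    long size = (long)(it->next_index - it->index);
    unsigned long steps = 0;

    while (--size > 0) {
        if (++steps == cap)
            break;
    }
    return steps;
}

int main(void)
{
    /* Constructed states: after a retry (next_index == index) and a 64-slot chunk. */
    struct iter_model retried = { 128, 128 };
    struct iter_model full = { 0, 64 };

    printf("retry: before=%lu after=%lu\n",
           steps_before(&retried, 1000), steps_after(&retried, 1000));
    printf("full:  before=%lu after=%lu\n",
           steps_before(&full, 1000), steps_after(&full, 1000));
    return 0;
}
```

For non-empty chunks both versions take the same number of steps; they differ only in the retried state, where the old header runs until the guard stops it.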