@@ -48,7 +48,15 @@ static inline bool __hlist_bl_add_head_valid(struct hlist_bl_head *h,
static inline bool __hlist_bl_del_valid(struct hlist_bl_node *n)
{
unsigned long nlock = (unsigned long)n & LIST_BL_LOCKMASK;
- return !CHECK_DATA_CORRUPTION(nlock, "hlist_bl_del_valid: node locked");
+
+ return !(CHECK_DATA_CORRUPTION(nlock,
+ "hlist_bl_del_valid: node locked") ||
+ CHECK_DATA_CORRUPTION(n->next == LIST_POISON1,
+ "hlist_bl_del corruption, %px->next is LIST_POISON1 (%px)\n",
+ n, LIST_POISON1) ||
+ CHECK_DATA_CORRUPTION(n->pprev == LIST_POISON2,
+ "hlist_bl_del corruption, %px->pprev is LIST_POISON2 (%px)\n",
+ n, LIST_POISON2));
}
#else
static inline bool __hlist_bl_add_head_valid(struct hlist_bl_head *h,
Although deleting an entry from an 'hlist_bl' optionally checks that the node being removed is unlocked before subsequently removing it and poisoning its pointers, we don't actually check for the poison values like we do for other list implementations. Add poison checks to __hlist_bl_del_valid() so that we can catch list corruption without relying on a later fault. Cc: Kees Cook <keescook@chromium.org> Cc: Paul E. McKenney <paulmck@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Will Deacon <will@kernel.org> --- include/linux/list_bl.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)