From patchwork Fri Jan 11 16:51:45 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Qian Cai <cai@lca.pw>
X-Patchwork-Id: 10760307
Return-Path: <owner-linux-mm@kvack.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 23B8414E5
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Fri, 11 Jan 2019 16:52:15 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1219729CE5
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Fri, 11 Jan 2019 16:52:15 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 0698829D2E; Fri, 11 Jan 2019 16:52:15 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham
	version=3.3.1
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4317C29CE5
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Fri, 11 Jan 2019 16:52:14 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 4451B8E0004; Fri, 11 Jan 2019 11:52:13 -0500 (EST)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 3F2A08E0001; Fri, 11 Jan 2019 11:52:13 -0500 (EST)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 2E1BD8E0004; Fri, 11 Jan 2019 11:52:13 -0500 (EST)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from mail-qk1-f199.google.com (mail-qk1-f199.google.com
 [209.85.222.199])
	by kanga.kvack.org (Postfix) with ESMTP id 01BEA8E0001
	for <linux-mm@kvack.org>; Fri, 11 Jan 2019 11:52:13 -0500 (EST)
Received: by mail-qk1-f199.google.com with SMTP id z68so9857836qkb.14
        for <linux-mm@kvack.org>; Fri, 11 Jan 2019 08:52:12 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:dkim-signature:from:to:cc:subject:date
         :message-id:in-reply-to:references;
        bh=5c0IsZMMIxSQRMKEkH3v3tXYrnoS8N4XvTLcKo9Se1Y=;
        b=TncwrhceafGVjX4v0E/zcdMCyPWKRTDFvrDqOvENydVOYQRVEFM661MYZB7isHHZA7
         yEgBE+v5rDqmHxM9Ppa0DHn8Ji6U9vacsYqv9cDAzkdXl8N7rto77thjyVBlETUVhxZM
         Hk0jaoYsrLNmZL/XFQLfpCidkrQ7edrqd3etZMZW2GPCKAS0G3K5tGvmuuPP0utWetbS
         KzQRq4xkoQ6iiVsXojFHX3KJPbSFjcF8faemLdRIt/gtaijJvBuND8y3BFJbakWyWHDz
         CvzSVzralhEVD/r/+RWpA2d4fj0rC2fJ1hNqwo8uhfka2xZCAByfOz4bByCmQPCuPY1G
         B9HA==
X-Gm-Message-State: AJcUukc/Sur3BpCVhXxTU7L2i54+u2OBkC/RbgQuHTjIT6ugU/KZ3Die
	LP0g4jZNXswU1Wh3rU0C7huHpeKXMQfnmB4zr70ZN/b+DaTUbt4U3bQyTMdUqWczfwZlEixQpVt
	T2W0Wa1cgP9mq3Wl0TO8WHkJZGaJWbgFs8oFA/dj1jXoT/Y4XhNelTIwhNCYeEPXuJO2gd/0bMq
	tgbjivTCGet7ZAYcjtMrtHChhqYah2BIGtBMW36ddgx/r08OwH9ykuhzo59nCsxHxNtGyQ6ZMfw
	+eqEcrAWa72V1cULWy6qSgclN7IFM1+jX9UhHUr9yBjlLMDYHD9dR7N6dXJ0PJRbZg/FwUXxjf0
	gJTHHyhH7AP2M9OTX3fIwjwW6lpuFNnqGpsuW2KvUYz3lo2AWCsr2Ner4EvLqX2RpYUSqCMVw7d
	x
X-Received: by 2002:ac8:31ed:: with SMTP id
 i42mr14100573qte.323.1547225532760;
        Fri, 11 Jan 2019 08:52:12 -0800 (PST)
X-Received: by 2002:ac8:31ed:: with SMTP id
 i42mr14100523qte.323.1547225531845;
        Fri, 11 Jan 2019 08:52:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547225531; cv=none;
        d=google.com; s=arc-20160816;
        b=ZLGJ9lgLvzxOJeRWcTIHPrmL/b5KC48W6sXEu4Xm3iOEMrfCYgRsqrumpoq1Vz78v9
         NZonKg7FFRL6c3EsjcUZUb4PyF4wZa3c0yPlVAqnik38dR/MjRds75rcJOsNX3Lxzp97
         DY2AYhHqEW07jzf1zjDBPow2MKkgRwECxxoZWe9+NFxTrjCY3KACeIv4g2bZ5M9Rj4V2
         wu4+cVU6zzuEsN0G6/Dciq5ZjyTWdfoZiq0nsqMXM5LbXyVPp88hQpW3eejkSllsOOf9
         RDHr1lzQKRktvb5iivwnGtX0Z4mWVvsU33dfDC9fdoRfg+zWZZJrwTkYFHRjoJii1eIy
         sgag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=5c0IsZMMIxSQRMKEkH3v3tXYrnoS8N4XvTLcKo9Se1Y=;
        b=fl1w1wwkPCIlUk7LcJkBGK+rSImur3uAutBpux2pn71i1HibWdF14EIN+VHQjcRJyb
         8eGJMw4ctCZrKw3cOkQNqBWYgFzH/N3pPGHZNaVb6MDnz3XyOpRJaqQxUYy2fteDU/Rb
         zgu4lcB267WuVXZwa58UCXgQrC5vjgtdmf+YwLt8SPkHemWRjUYr9K5X4iXKWmJnQ3H+
         gmA2HdYlZPrAZSzxeczDRucmwwm7DkKemOKT1fJwn0Q8+oDETPtwSzlG+h0HmQuvwopw
         hbFNoL4cYIG6T81dsX8x1xIrUrDyH5rOOwZZbNcgwBQBn5yFrBmOccS3wnmRHf2BMOxa
         ylNw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lca.pw header.s=google header.b=U8nAz1g3;
       spf=pass (google.com: domain of cai@lca.pw designates 209.85.220.65 as
 permitted sender) smtp.mailfrom=cai@lca.pw
Received: from mail-sor-f65.google.com (mail-sor-f65.google.com.
 [209.85.220.65])
        by mx.google.com with SMTPS id
 s10sor70380800qvs.25.2019.01.11.08.52.11
        for <linux-mm@kvack.org>
        (Google Transport Security);
        Fri, 11 Jan 2019 08:52:11 -0800 (PST)
Received-SPF: pass (google.com: domain of cai@lca.pw designates 209.85.220.65
 as permitted sender) client-ip=209.85.220.65;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lca.pw header.s=google header.b=U8nAz1g3;
       spf=pass (google.com: domain of cai@lca.pw designates 209.85.220.65 as
 permitted sender) smtp.mailfrom=cai@lca.pw
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=lca.pw; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=5c0IsZMMIxSQRMKEkH3v3tXYrnoS8N4XvTLcKo9Se1Y=;
        b=U8nAz1g3ESsFYCPhG703DwbhJD3GHpUuQSi5LfSjD9Lu5AiTsJd8+LqwAjLvEiDNMT
         bzbAE8zFDRQT+kFKdMtXoPl1l5ugc2osfIGsWhL9Ed5rfVF81c7ltG9Djop6yr6ZrqLJ
         J5SpialTHWqLdXzDovGiTBwgUrGDApBvrqwbWVKcVPKJ4Wz2GpEAVz7iwzaNQrVkhxJN
         EOMObyAMW8uG9a2IlBmrpjTpUExPFSVvt29T7EfpfkZR7X3qyWKWiL3jeropPhNOA/3B
         CAARnAriqjPQFfm2d1Lft2SC7Iuy9OQNx7MmK2KTzL73uyrYQ24dcCrdqzYB1QdpetYE
         yl4w==
X-Google-Smtp-Source: 
 ALg8bN6l/X/kTFWF+wU4UZuoqtOti0ggC3CBf2nJG8iuG6wQzULOv6yZtoC2wZL3nEzBQs78Czqxtw==
X-Received: by 2002:a0c:8382:: with SMTP id k2mr15111726qva.0.1547225531638;
        Fri, 11 Jan 2019 08:52:11 -0800 (PST)
Received: from ovpn-120-55.rdu2.redhat.com
 (pool-71-184-117-43.bstnma.fios.verizon.net. [71.184.117.43])
        by smtp.gmail.com with ESMTPSA id
 n71sm21946926qkl.72.2019.01.11.08.52.10
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 11 Jan 2019 08:52:11 -0800 (PST)
From: Qian Cai <cai@lca.pw>
To: akpm@linux-foundation.org
Cc: esploit@protonmail.ch,
	jejb@linux.ibm.com,
	dgilbert@interlog.com,
	martin.petersen@oracle.com,
	linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	Qian Cai <cai@lca.pw>
Subject: [PATCH] rbtree: fix the red root
Date: Fri, 11 Jan 2019 11:51:45 -0500
Message-Id: <20190111165145.23628-1-cai@lca.pw>
X-Mailer: git-send-email 2.17.2 (Apple Git-113)
In-Reply-To: 
 <YrcPMrGmYbPe_xgNEV6Q0jqc5XuPYmL2AFSyeNmg1gW531bgZnBGfEUK5_ktqDBaNW37b-NP2VXvlliM7_PsBRhSfB649MaW1Ne7zT9lHc=@protonmail.ch>
References: 
 <YrcPMrGmYbPe_xgNEV6Q0jqc5XuPYmL2AFSyeNmg1gW531bgZnBGfEUK5_ktqDBaNW37b-NP2VXvlliM7_PsBRhSfB649MaW1Ne7zT9lHc=@protonmail.ch>
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
X-Virus-Scanned: ClamAV using ClamSMTP

A GFP was reported,

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
        kasan_die_handler.cold.22+0x11/0x31
        notifier_call_chain+0x17b/0x390
        atomic_notifier_call_chain+0xa7/0x1b0
        notify_die+0x1be/0x2e0
        do_general_protection+0x13e/0x330
        general_protection+0x1e/0x30
        rb_insert_color+0x189/0x1480
        create_object+0x785/0xca0
        kmemleak_alloc+0x2f/0x50
        kmem_cache_alloc+0x1b9/0x3c0
        getname_flags+0xdb/0x5d0
        getname+0x1e/0x20
        do_sys_open+0x3a1/0x7d0
        __x64_sys_open+0x7e/0xc0
        do_syscall_64+0x1b3/0x820
        entry_SYSCALL_64_after_hwframe+0x49/0xbe

It turned out,

gparent = rb_red_parent(parent);
tmp = gparent->rb_right; <-- GFP triggered here.

Apparently, "gparent" is NULL which indicates "parent" is rbtree's root
which is red. Otherwise, it will be treated properly a few lines above.

/*
 * If there is a black parent, we are done.
 * Otherwise, take some corrective action as,
 * per 4), we don't want a red root or two
 * consecutive red nodes.
 */
if(rb_is_black(parent))
	break;

Hence, it violates the rule #1 and need a fix up.

Reported-by: Esme <esploit@protonmail.ch>
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Joey Pabalinas <joeypabalinas@gmail.com>
Tested-by: Joey Pabalinas <joeypabalinas@gmail.com>
---
 lib/rbtree.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/rbtree.c b/lib/rbtree.c
index d3ff682fd4b8..acc969ad8de9 100644
--- a/lib/rbtree.c
+++ b/lib/rbtree.c
@@ -127,6 +127,13 @@ __rb_insert(struct rb_node *node, struct rb_root *root,
 			break;
 
 		gparent = rb_red_parent(parent);
+		if (unlikely(!gparent)) {
+			/*
+			 * The root is red so correct it.
+			 */
+			rb_set_parent_color(parent, NULL, RB_BLACK);
+			break;
+		}
 
 		tmp = gparent->rb_right;
 		if (parent != tmp) {	/* parent == gparent->rb_left */