diff options
author | Matthew Wilcox <mawilcox@microsoft.com> | 2017-03-03 12:16:10 -0500 |
---|---|---|
committer | Matthew Wilcox <mawilcox@microsoft.com> | 2017-03-07 13:18:23 -0500 |
commit | 4ecd9542dbc3e07f3bd3870aac12839f72b47db4 (patch) | |
tree | 1345c7ca57563006a0355bec1bbe689dd14ca67c /lib/radix-tree.c | |
parent | 3f1b6f9d49ba5a209d745fa2448657d8b66ed0c0 (diff) | |
download | lwn-4ecd9542dbc3e07f3bd3870aac12839f72b47db4.tar.gz lwn-4ecd9542dbc3e07f3bd3870aac12839f72b47db4.zip |
ida: Free correct IDA bitmap
There's a relatively rare race where we look at the per-cpu preallocated
IDA bitmap, see it's NULL, allocate a new one, and atomically update it.
If the kmalloc() happened to sleep and we were rescheduled to a different
CPU, or an interrupt came in at the exact right time, another task
might have successfully allocated a bitmap and already deposited it.
I forgot what the semantics of cmpxchg() were and ended up freeing the
wrong bitmap leading to KASAN reporting a use-after-free.
Dmitry found the bug with syzkaller & wrote the patch. I wrote the test
case that will reproduce the bug without his patch being applied.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Diffstat (limited to 'lib/radix-tree.c')
-rw-r--r-- | lib/radix-tree.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/radix-tree.c b/lib/radix-tree.c index 5ed506d648c4..691a9ad48497 100644 --- a/lib/radix-tree.c +++ b/lib/radix-tree.c @@ -2129,8 +2129,8 @@ int ida_pre_get(struct ida *ida, gfp_t gfp) struct ida_bitmap *bitmap = kmalloc(sizeof(*bitmap), gfp); if (!bitmap) return 0; - bitmap = this_cpu_cmpxchg(ida_bitmap, NULL, bitmap); - kfree(bitmap); + if (this_cpu_cmpxchg(ida_bitmap, NULL, bitmap)) + kfree(bitmap); } return 1; |