From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Bjorn Helgaas <bhelgaas@google.com>,
	Kees Cook <keescook@chromium.org>,
	"Matthew Wilcox (Oracle)" <willy@infradead.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 12/36] XArray: Fix xa_find_next for large multi-index entries
Date: Tue,  7 Apr 2020 12:21:45 +0200
Message-ID: <20200407101455.909577389@linuxfoundation.org>
In-Reply-To: <20200407101454.281052964@linuxfoundation.org>

From: Matthew Wilcox (Oracle) <willy@infradead.org>

[ Upstream commit bd40b17ca49d7d110adf456e647701ce74de2241 ]

Coverity pointed out that xas_sibling() was shifting xa_offset without
promoting it to an unsigned long first, so the shift could cause an
overflow and we'd get the wrong answer.  The fix is obvious, and the
new test-case provokes UBSAN to report an error:
runtime error: shift exponent 60 is too large for 32-bit type 'int'

Fixes: 19c30f4dd092 ("XArray: Fix xa_find_after with multi-index entries")
Reported-by: Bjorn Helgaas <bhelgaas@google.com>
Reported-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/test_xarray.c | 18 ++++++++++++++++++
 lib/xarray.c      |  3 ++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/lib/test_xarray.c b/lib/test_xarray.c
index 55c14e8c88591..8c7d7a8468b88 100644
--- a/lib/test_xarray.c
+++ b/lib/test_xarray.c
@@ -12,6 +12,9 @@
 static unsigned int tests_run;
 static unsigned int tests_passed;
 
+static const unsigned int order_limit =
+		IS_ENABLED(CONFIG_XARRAY_MULTI) ? BITS_PER_LONG : 1;
+
 #ifndef XA_DEBUG
 # ifdef __KERNEL__
 void xa_dump(const struct xarray *xa) { }
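Review bot: `order_limit` is introduced without a comment saying why it collapses to 1 when CONFIG_XARRAY_MULTI is disabled. With that value the `order = 5; order < order_limit` loop in check_multi_find_3() never executes, so the new regression test is silently a no-op on such configurations. A one-line comment above the definition stating that multi-order stores are unavailable without CONFIG_XARRAY_MULTI, and that order-based tests are expected to skip, would make this intentional rather than surprising.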
@@ -959,6 +962,20 @@ static noinline void check_multi_find_2(struct xarray *xa)
 	}
 }
 
+static noinline void check_multi_find_3(struct xarray *xa)
+{
+	unsigned int order;
+
+	for (order = 5; order < order_limit; order++) {
+		unsigned long index = 1UL << (order - 5);
+
+		XA_BUG_ON(xa, !xa_empty(xa));
+		xa_store_order(xa, 0, order - 4, xa_mk_index(0), GFP_KERNEL);
+		XA_BUG_ON(xa, xa_find_after(xa, &index, ULONG_MAX, XA_PRESENT));
+		xa_erase_index(xa, 0);
+	}
+}
+
 static noinline void check_find_1(struct xarray *xa)
 {
 	unsigned long i, j, k;
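Review bot: the constants in check_multi_find_3() are unexplained: the loop starts at `order = 5`, the entry is stored with `order - 4`, and the search begins at `1UL << (order - 5)`. Nothing in the function says how these relate to each other or to the shift width that triggered the UBSAN report quoted in the commit message. A short comment describing the intent (a search starting inside a large multi-index entry at index 0 must find nothing after it, hence the XA_BUG_ON on a non-NULL return from xa_find_after()) would help whoever next touches this test, and would make it clear which iteration is the one that exercises the oversized shift.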
@@ -1081,6 +1098,7 @@ static noinline void check_find(struct xarray *xa)
 	for (i = 2; i < 10; i++)
 		check_multi_find_1(xa, i);
 	check_multi_find_2(xa);
+	check_multi_find_3(xa);
 }
 
 /* See find_swap_entry() in mm/shmem.c */
diff --git a/lib/xarray.c b/lib/xarray.c
index 1d9fab7db8dad..acd1fad2e862a 100644
--- a/lib/xarray.c
+++ b/lib/xarray.c
@@ -1839,7 +1839,8 @@ static bool xas_sibling(struct xa_state *xas)
 	if (!node)
 		return false;
 	mask = (XA_CHUNK_SIZE << node->shift) - 1;
-	return (xas->xa_index & mask) > (xas->xa_offset << node->shift);
+	return (xas->xa_index & mask) >
+		((unsigned long)xas->xa_offset << node->shift);
 }
 
 /**
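Review bot: the cast fixes the right-hand side of the comparison, but the unchanged `mask = (XA_CHUNK_SIZE << node->shift) - 1;` line directly above shifts by the same `node->shift`, and its correctness depends on XA_CHUNK_SIZE already being unsigned long-typed, which is not visible in this hunk. It is worth confirming that, and saying so in the commit message, so the reader knows why only one of the two shifts needed changing. As a style point, hoisting `(unsigned long)xas->xa_offset` into a local would avoid the inline cast and the wrapped return expression.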
-- 
2.20.1



