From: Tejun Heo <tj@kernel.org>
To: David Teigland <teigland@redhat.com>
Cc: akpm@linux-foundation.org, rusty@rustcorp.com.au,
linux-kernel@vger.kernel.org,
Christine Caulfield <ccaulfie@redhat.com>,
cluster-devel@redhat.com,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Subject: [PATCH] idr: fix a subtle bug in idr_get_next()
Date: Sat, 2 Feb 2013 15:10:48 -0800 [thread overview]
Message-ID: <20130202231048.GA3940@mtj.dyndns.org> (raw)
In-Reply-To: <20130201180028.GC31863@mtj.dyndns.org>
The iteration logic of idr_get_next() is borrowed mostly verbatim from
idr_for_each(). It walks down the tree looking for the slot matching
the current ID. If the matching slot is not found, the ID is
incremented by the distance of single slot at the given level and
repeats.
The implementation assumes that during the whole iteration id is
aligned to the layer boundaries of the level closest to the leaf,
which is true for all iterations starting from zero or an existing
element and thus is fine for idr_for_each().
However, idr_get_next() may be given any point and if the starting id
hits in the middle of a non-existent layer, increment to the next
layer will end up skipping the same offset into it. For example, an
IDR with IDs filled between [64, 127] would look like the following.
[ 0 64 ... ]
/----/ |
| |
NULL [ 64 ... 127 ]
If idr_get_next() is called with 63 as the starting point, it will try
to follow down the pointer from 0. As it is NULL, it will then try to
proceed to the next slot in the same level by adding the slot distance
at that level which is 64 - making the next try 127. It goes around
the loop and finds and returns 127 skipping [64, 126].
Note that this bug also triggers in idr_for_each_entry() loop which
deletes during iteration as deletions can make layers go away leaving
the iteration with unaligned ID into missing layers.
Fix it by ensuring proceeding to the next slot doesn't carry over the
unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
id += slot_distance.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: David Teigland <teigland@redhat.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
---
lib/idr.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/idr.c b/lib/idr.c
index 6482390..ca5aa00 100644
--- a/lib/idr.c
+++ b/lib/idr.c
@@ -625,7 +625,14 @@ void *idr_get_next(struct idr *idp, int *nextidp)
return p;
}
- id += 1 << n;
+ /*
+ * Proceed to the next layer at the current level. Unlike
+ * idr_for_each(), @id isn't guaranteed to be aligned to
+ * layer boundary at this point and adding 1 << n may
+ * incorrectly skip IDs. Make sure we jump to the
+ * beginning of the next layer using round_up().
+ */
+ id = round_up(id + 1, 1 << n);
while (n < fls(id)) {
n += IDR_BITS;
p = *--paa;
next prev parent reply other threads:[~2013-02-02 23:10 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-26 1:30 [PATCHSET] idr: deprecate idr_remove_all() Tejun Heo
2013-01-26 1:30 ` [PATCH 01/14] idr: make idr_destroy() imply idr_remove_all() Tejun Heo
2013-01-26 1:31 ` [PATCH 02/14] atm/nicstar: don't use idr_remove_all() Tejun Heo
2013-01-27 6:43 ` David Miller
2013-02-04 17:52 ` [PATCH v2 " Tejun Heo
2013-02-04 18:10 ` chas williams - CONTRACTOR
2013-02-04 18:35 ` Tejun Heo
2013-01-26 1:31 ` [PATCH 03/14] block/loop: " Tejun Heo
2013-01-26 1:31 ` [PATCH 04/14] firewire: " Tejun Heo
2013-01-26 9:07 ` Stefan Richter
2013-01-26 1:31 ` [PATCH 05/14] drm: " Tejun Heo
2013-01-26 1:31 ` [PATCH 06/14] dm: " Tejun Heo
2013-01-26 1:31 ` [PATCH 07/14] remoteproc: " Tejun Heo
2013-01-26 1:31 ` [PATCH 08/14] rpmsg: " Tejun Heo
2013-01-26 1:31 ` [PATCH 09/14] dlm: use idr_for_each_entry() in recover_idr_clear() error path Tejun Heo
2013-01-28 15:55 ` David Teigland
2013-01-26 1:31 ` [PATCH 10/14] dlm: don't use idr_remove_all() Tejun Heo
2013-01-28 15:57 ` David Teigland
2013-01-29 15:13 ` David Teigland
2013-01-30 21:24 ` David Teigland
2013-01-31 23:53 ` Tejun Heo
2013-02-01 0:18 ` Tejun Heo
2013-02-01 17:44 ` David Teigland
2013-02-01 18:00 ` Tejun Heo
2013-02-02 23:10 ` Tejun Heo [this message]
2013-02-02 23:11 ` [PATCH] idr: fix a subtle bug in idr_get_next() Tejun Heo
2013-02-03 2:15 ` Randy Dunlap
2013-02-03 17:53 ` Hugh Dickins
2013-02-05 15:36 ` David Teigland
2013-02-04 3:39 ` Li Zefan
2013-02-04 17:44 ` Tejun Heo
2013-01-26 1:31 ` [PATCH 11/14] nfs: idr_destroy() no longer needs idr_remove_all() Tejun Heo
2013-01-29 22:58 ` J. Bruce Fields
2013-01-30 2:18 ` Myklebust, Trond
2013-02-01 0:08 ` Tejun Heo
2013-01-26 1:31 ` [PATCH 12/14] inotify: don't use idr_remove_all() Tejun Heo
2013-01-26 1:31 ` [PATCH 13/14] cgroup: " Tejun Heo
2013-01-26 1:31 ` [PATCH 14/14] idr: deprecate idr_remove_all() Tejun Heo
2013-01-26 13:48 ` Arnd Bergmann
2013-01-26 14:24 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130202231048.GA3940@mtj.dyndns.org \
--to=tj@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=ccaulfie@redhat.com \
--cc=cluster-devel@redhat.com \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=teigland@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).