[ 04/42] btree: fix tree corruption in btree_get_prev()

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Roland Dreier <roland@purestorage.com>,
	Joern Engel <joern@logfs.org>
Subject: [ 04/42] btree: fix tree corruption in btree_get_prev()
Date: Thu, 14 Jun 2012 16:56:27 -0700	[thread overview]
Message-ID: <20120614235624.253607282@linuxfoundation.org> (raw)
In-Reply-To: <20120614235636.GA5275@kroah.com>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roland Dreier <roland@purestorage.com>

commit cbf8ae32f66a9ceb8907ad9e16663c2a29e48990 upstream.

The memory the parameter __key points to is used as an iterator in
btree_get_prev(), so if we save off a bkey() pointer in retry_key and
then assign that to __key, we'll end up corrupting the btree internals
when we do eg

	longcpy(__key, bkey(geo, node, i), geo->keylen);

to return the key value.  What we should do instead is use longcpy() to
copy the key value that retry_key points to __key.

This can cause a btree to get corrupted by seemingly read-only
operations such as btree_for_each_safe.

[akpm@linux-foundation.org: avoid the double longcpy()]
Signed-off-by: Roland Dreier <roland@purestorage.com>
Acked-by: Joern Engel <joern@logfs.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/btree.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/lib/btree.c
+++ b/lib/btree.c
@@ -319,8 +319,8 @@ void *btree_get_prev(struct btree_head *
 
 	if (head->height == 0)
 		return NULL;
-retry:
 	longcpy(key, __key, geo->keylen);
+retry:
 	dec_key(geo, key);
 
 	node = head->node;
@@ -351,7 +351,7 @@ retry:
 	}
 miss:
 	if (retry_key) {
-		__key = retry_key;
+		longcpy(key, retry_key, geo->keylen);
 		retry_key = NULL;
 		goto retry;
 	}

next prev parent reply	other threads:[~2012-06-14 23:56 UTC|newest]

Thread overview: 44+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-06-14 23:56 [ 00/42] 3.4.3-stable review Greg KH
2012-06-14 23:56 ` [ 01/42] drm/nouveau/disp: fix dithering not being enabled on some eDP macbooks Greg KH
2012-06-14 23:56 ` [ 02/42] drm/i915: Reset last_retired_head when resetting ring Greg KH
2012-06-14 23:56 ` [ 03/42] char/agp: add another Ironlake host bridge Greg KH
2012-06-14 23:56 ` Greg KH [this message]
2012-06-14 23:56 ` [ 05/42] powerpc/time: Sanity check of decrementer expiration is necessary Greg KH
2012-06-14 23:56 ` [ 06/42] powerpc: Fix kernel panic during kernel module load Greg KH
2012-06-14 23:56 ` [ 07/42] module_param: stop double-calling parameters Greg KH
2012-06-14 23:56 ` [ 08/42] timekeeping: Fix CLOCK_MONOTONIC inconsistency during leapsecond Greg KH
2012-06-14 23:56 ` [ 09/42] ext4: fix the free blocks calculation for ext3 file systems w/ uninit_bg Greg KH
2012-06-14 23:56 ` [ 10/42] x86/uv: Fix UV2 BAU legacy mode Greg KH
2012-06-14 23:56 ` [ 11/42] x86, MCE, AMD: Make APIC LVT thresholding interrupt optional Greg KH
2012-06-14 23:56 ` [ 12/42] hwrng: atmel-rng - fix race condition leading to repeated bits Greg KH
2012-06-14 23:56 ` [ 13/42] crypto: aesni-intel - fix unaligned cbc decrypt for x86-32 Greg KH
2012-06-14 23:56 ` [ 14/42] drm/ttm: Fix buffer object metadata accounting regression v2 Greg KH
2012-06-14 23:56 ` [ 15/42] Btrfs: fall back to non-inline if we dont have enough space Greg KH
2012-06-14 23:56 ` [ 16/42] iwlwifi: disable WoWLAN if !CONFIG_PM_SLEEP Greg KH
2012-06-14 23:56 ` [ 17/42] iwlwifi: unregister LEDs if mac80211 registration fails Greg KH
2012-06-14 23:56 ` [ 18/42] iwlwifi: dont mess up the SCD when removing a key Greg KH
2012-06-14 23:56 ` [ 19/42] iwlwifi: disable the buggy chain extension feature in HW Greg KH
2012-06-14 23:56 ` [ 20/42] mac80211: fix error in station state transitions during reconfig Greg KH
2012-06-14 23:56 ` [ 21/42] mac80211: clean up remain-on-channel on interface stop Greg KH
2012-06-14 23:56 ` [ 22/42] mac80211: fix non RCU-safe sta_list manipulation Greg KH
2012-06-14 23:56 ` [ 23/42] ASoC: wm8994: Ensure all AIFnCLK events are run from the _late variants Greg KH
2012-06-14 23:56 ` [ 24/42] ASoC: wm8994: Apply volume updates with clocks enabled Greg KH
2012-06-14 23:56 ` [ 25/42] bcma: add ext PA workaround for BCM4331 and BCM43431 Greg KH
2012-06-14 23:56 ` [ 26/42] ALSA: HDA: Pin fixup for Zotac Z68 motherboard Greg KH
2012-06-14 23:56 ` [ 27/42] cfg80211: fix interface combinations check Greg KH
2012-06-14 23:56 ` [ 28/42] rt2x00: use atomic variable for seqno Greg KH
2012-06-14 23:56 ` [ 29/42] wireless: rt2x00: rt2800usb add more devices ids Greg KH
2012-06-14 23:56 ` [ 30/42] wireless: rt2x00: rt2800usb more devices were identified Greg KH
2012-06-14 23:56 ` [ 31/42] net: sierra_net: device IDs for Aircard 320U++ Greg KH
2012-06-14 23:56 ` [ 32/42] can: c_can: fix "BUG! echo_skb is occupied!" during transmit Greg KH
2012-06-14 23:56 ` [ 33/42] can: c_can: fix an interrupt thrash issue with c_can driver Greg KH
2012-06-14 23:56 ` [ 34/42] can: c_can: fix race condition in c_can_open() Greg KH
2012-06-14 23:56 ` [ 35/42] gma500: dont register the ACPI video bus Greg KH
2012-06-14 23:56 ` [ 36/42] acpi_video: fix leaking PCI references Greg KH
2012-06-14 23:57 ` [ 37/42] sched: Fix the relax_domain_level boot parameter Greg KH
2012-06-14 23:57 ` [ 38/42] drm/radeon: fix tiling and command stream checking on evergreen v3 Greg KH
2012-06-14 23:57 ` [ 39/42] drm/i915: Mark the ringbuffers as being in the GTT domain Greg KH
2012-06-14 23:57 ` [ 40/42] fuse: fix stat call on 32 bit platforms Greg KH
2012-06-14 23:57 ` [ 41/42] libata: add a host flag to ignore detected ATA devices Greg KH
2012-06-14 23:57 ` [ 42/42] ata_piix: defer disks to the Hyper-V drivers by default Greg KH
2012-06-15 11:16   ` From all Hyper-V admins: Big thanks! Re: [ 41/42] libata + [ 42/42] ata_piix: defer disks to the Hyper-V drivers by default has been added to the 3.4-stable tree Victor Miasnikov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120614235624.253607282@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=joern@logfs.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=roland@purestorage.com \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).