From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Bjorn Helgaas <bhelgaas@google.com>,
Kees Cook <keescook@chromium.org>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.6 12/29] XArray: Fix xa_find_next for large multi-index entries
Date: Tue, 7 Apr 2020 12:22:09 +0200 [thread overview]
Message-ID: <20200407101453.485392545@linuxfoundation.org> (raw)
In-Reply-To: <20200407101452.046058399@linuxfoundation.org>
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit bd40b17ca49d7d110adf456e647701ce74de2241 ]
Coverity pointed out that xas_sibling() was shifting xa_offset without
promoting it to an unsigned long first, so the shift could cause an
overflow and we'd get the wrong answer. The fix is obvious, and the
new test-case provokes UBSAN to report an error:
runtime error: shift exponent 60 is too large for 32-bit type 'int'
Fixes: 19c30f4dd092 ("XArray: Fix xa_find_after with multi-index entries")
Reported-by: Bjorn Helgaas <bhelgaas@google.com>
Reported-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/test_xarray.c | 18 ++++++++++++++++++
lib/xarray.c | 3 ++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/lib/test_xarray.c b/lib/test_xarray.c
index 55c14e8c88591..8c7d7a8468b88 100644
--- a/lib/test_xarray.c
+++ b/lib/test_xarray.c
@@ -12,6 +12,9 @@
static unsigned int tests_run;
static unsigned int tests_passed;
+static const unsigned int order_limit =
+ IS_ENABLED(CONFIG_XARRAY_MULTI) ? BITS_PER_LONG : 1;
+
#ifndef XA_DEBUG
# ifdef __KERNEL__
void xa_dump(const struct xarray *xa) { }
@@ -959,6 +962,20 @@ static noinline void check_multi_find_2(struct xarray *xa)
}
}
+static noinline void check_multi_find_3(struct xarray *xa)
+{
+ unsigned int order;
+
+ for (order = 5; order < order_limit; order++) {
+ unsigned long index = 1UL << (order - 5);
+
+ XA_BUG_ON(xa, !xa_empty(xa));
+ xa_store_order(xa, 0, order - 4, xa_mk_index(0), GFP_KERNEL);
+ XA_BUG_ON(xa, xa_find_after(xa, &index, ULONG_MAX, XA_PRESENT));
+ xa_erase_index(xa, 0);
+ }
+}
+
static noinline void check_find_1(struct xarray *xa)
{
unsigned long i, j, k;
@@ -1081,6 +1098,7 @@ static noinline void check_find(struct xarray *xa)
for (i = 2; i < 10; i++)
check_multi_find_1(xa, i);
check_multi_find_2(xa);
+ check_multi_find_3(xa);
}
/* See find_swap_entry() in mm/shmem.c */
diff --git a/lib/xarray.c b/lib/xarray.c
index 1d9fab7db8dad..acd1fad2e862a 100644
--- a/lib/xarray.c
+++ b/lib/xarray.c
@@ -1839,7 +1839,8 @@ static bool xas_sibling(struct xa_state *xas)
if (!node)
return false;
mask = (XA_CHUNK_SIZE << node->shift) - 1;
- return (xas->xa_index & mask) > (xas->xa_offset << node->shift);
+ return (xas->xa_index & mask) >
+ ((unsigned long)xas->xa_offset << node->shift);
}
/**
--
2.20.1
next prev parent reply other threads:[~2020-04-07 10:28 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-07 10:21 [PATCH 5.6 00/29] 5.6.3-rc1 review Greg Kroah-Hartman
2020-04-07 10:21 ` [PATCH 5.6 01/29] ipv4: fix a RCU-list lock in fib_triestat_seq_show Greg Kroah-Hartman
2020-04-07 10:21 ` [PATCH 5.6 02/29] net: dsa: ksz: Select KSZ protocol tag Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 03/29] net, ip_tunnel: fix interface lookup with no key Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 04/29] sctp: fix possibly using a bad saddr with a given dst Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 05/29] sctp: fix refcount bug in sctp_wfree Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 06/29] net: macb: Fix handling of fixed-link node Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 07/29] net: fix fraglist segmentation reference count leak Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 08/29] udp: initialize is_flist with 0 in udp_gro_receive Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 09/29] padata: fix uninitialized return value in padata_replace() Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 10/29] brcmfmac: abort and release host after error Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 11/29] bpf: Fix tnum constraints for 32-bit comparisons Greg Kroah-Hartman
2020-04-07 10:22 ` Greg Kroah-Hartman [this message]
2020-04-07 10:22 ` [PATCH 5.6 13/29] drm/bridge: analogix-anx6345: Avoid duplicate -supply suffix Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 14/29] drm/i915/display: Fix mode private_flags comparison at atomic_check Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 15/29] misc: rtsx: set correct pcr_ops for rts522A Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 16/29] misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 17/29] misc: pci_endpoint_test: Avoid using module parameter to determine irqtype Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 18/29] PCI: sysfs: Revert "rescan" file renames Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 19/29] coresight: do not use the BIT() macro in the UAPI header Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 20/29] mei: me: add cedar fork device ids Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 21/29] nvmem: release the write-protect pin Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 22/29] nvmem: check for NULL reg_read and reg_write before dereferencing Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 23/29] nvmem: sprd: Fix the block lock operation Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 24/29] extcon: axp288: Add wakeup support Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 25/29] power: supply: axp288_charger: Add special handling for HP Pavilion x2 10 Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 26/29] Revert "ALSA: uapi: Drop asound.h inclusion from asoc.h" Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 27/29] Revert "dm: always call blk_queue_split() in dm_process_bio()" Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 28/29] ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard Greg Kroah-Hartman
2020-04-07 10:22 ` [PATCH 5.6 29/29] soc: mediatek: knows_txdone needs to be set in Mediatek CMDQ helper Greg Kroah-Hartman
2020-04-07 12:37 ` [PATCH 5.6 00/29] 5.6.3-rc1 review Jon Hunter
2020-04-07 14:49 ` Greg Kroah-Hartman
2020-04-07 13:51 ` Daniel Díaz
2020-04-07 14:43 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200407101453.485392545@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bhelgaas@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).