From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754146AbcBGPu2 (ORCPT <rfc822;w@1wt.eu>);
	Sun, 7 Feb 2016 10:50:28 -0500
Received: from mail-pa0-f51.google.com ([209.85.220.51]:35685 "EHLO
	mail-pa0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753354AbcBGPu1 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sun, 7 Feb 2016 10:50:27 -0500
Date: Sun, 7 Feb 2016 07:50:24 -0800
From: Jeremiah Mahler <jmmahler@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, Matthew Wilcox <matthew.r.wilcox@intel.com>,
        Hugh Dickins <hughd@google.com>,
        Mel Gorman <mgorman@techsingularity.net>,
        Stephen Rothwell <sfr@canb.auug.org.au>,
        Konstantin Khlebnikov <koct9i@gmail.com>
Subject: Re: [REGRESSION] mm: filemap_map_pages NULL pointer dereference
Message-ID: <20160207155024.GB15990@hudson.localdomain>
Mail-Followup-To: Jeremiah Mahler <jmmahler@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org,
	Matthew Wilcox <matthew.r.wilcox@intel.com>,
	Hugh Dickins <hughd@google.com>,
	Mel Gorman <mgorman@techsingularity.net>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	Konstantin Khlebnikov <koct9i@gmail.com>
References: <20160205180502.GA5869@hudson.localdomain>
 <20160205141940.ecc0110b00347a264c868c43@linux-foundation.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160205141940.ecc0110b00347a264c868c43@linux-foundation.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Konstantin, Andrew,

On Fri, Feb 05, 2016 at 02:19:40PM -0800, Andrew Morton wrote:
> On Fri, 5 Feb 2016 10:05:02 -0800 Jeremiah Mahler <jmmahler@gmail.com> wrote:
> 
[...]
> 
> This should fix it up.
> 
> From: Konstantin Khlebnikov <koct9i@gmail.com>
> Subject: radix-tree: fix oops after radix_tree_iter_retry
> 
> Helper radix_tree_iter_retry() resets next_index to the current index.  In
> following radix_tree_next_slot current chunk size becomes zero.  This
> isn't checked and it tries to dereference null pointer in slot.
> 
> Tagged iterator is fine because retry happens only at slot 0 where tag
> bitmask in iter->tags is filled with single bit.
> 
> Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
> Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
> Cc: Matthew Wilcox <willy@linux.intel.com>
> Cc: Hugh Dickins <hughd@google.com>
> Cc: Ohad Ben-Cohen <ohad@wizery.com>
> Cc: Jeremiah Mahler <jmmahler@gmail.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
> 
>  include/linux/radix-tree.h |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff -puN include/linux/radix-tree.h~radix-tree-fix-oops-after-radix_tree_iter_retry include/linux/radix-tree.h
> --- a/include/linux/radix-tree.h~radix-tree-fix-oops-after-radix_tree_iter_retry
> +++ a/include/linux/radix-tree.h
> @@ -400,7 +400,7 @@ void **radix_tree_iter_retry(struct radi
>   * @iter:	pointer to radix tree iterator
>   * Returns:	current chunk size
>   */
> -static __always_inline unsigned
> +static __always_inline long
>  radix_tree_chunk_size(struct radix_tree_iter *iter)
>  {
>  	return iter->next_index - iter->index;
> @@ -434,9 +434,9 @@ radix_tree_next_slot(void **slot, struct
>  			return slot + offset + 1;
>  		}
>  	} else {
> -		unsigned size = radix_tree_chunk_size(iter) - 1;
> +		long size = radix_tree_chunk_size(iter);
>  
> -		while (size--) {
> +		while (--size > 0) {
>  			slot++;
>  			iter->index++;
>  			if (likely(*slot))
> _
> 

Fix is still working great after a couple days.

Tested-by: Jeremiah Mahler <jmmahler@gmail.com>

-- 
- Jeremiah Mahler