From: Dmitry Vyukov <dvyukov@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Roman Kagan" <rkagan@virtuozzo.com>,
	"Matthew Wilcox" <mawilcox@microsoft.com>,
	syzbot <syzbot+35666cba7f0a337e2e79@syzkaller.appspotmail.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	"KVM list" <kvm@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	"Ingo Molnar" <mingo@redhat.com>,
	"Radim Krčmář" <rkrcmar@redhat.com>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"the arch/x86 maintainers" <x86@kernel.org>,
	"Cathy Avery" <cavery@redhat.com>,
	stable <stable@vger.kernel.org>
Subject: Re: [PATCH] idr: fix invalid ptr dereference on item delete
Date: Fri, 11 May 2018 07:40:26 +0200	[thread overview]
Message-ID: <CACT4Y+bZaW6NN-RdVd+EL1pXQs42Nb-dWUn733=eEORT_3NjUA@mail.gmail.com> (raw)
In-Reply-To: <52bd5b0b-a4bb-5426-3c92-edd7085faea3@redhat.com>

On Fri, May 11, 2018 at 1:54 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> On 10/05/2018 21:16, Roman Kagan wrote:
>> If an IDR contains a single entry at index==0, the underlying radix tree
>> has a single item in its root node, in which case
>> __radix_tree_lookup(index!=0) doesn't set its *@nodep argument (in
>> addition to returning NULL).
>>
>> However, the tree itself is not empty, i.e. the tree root doesn't have
>> IDR_FREE tag.
>>
>> As a result, on an attempt to remove an index!=0 entry from such an IDR,
>> radix_tree_delete_item doesn't return early and calls
>> __radix_tree_delete with invalid parameters which are then dereferenced.
>>
>> Reported-by: syzbot+35666cba7f0a337e2e79@syzkaller.appspotmail.com
>> Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
>> ---
>>  lib/radix-tree.c | 5 +++--
>>  1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/lib/radix-tree.c b/lib/radix-tree.c
>> index da9e10c827df..10ff1bfae952 100644
>> --- a/lib/radix-tree.c
>> +++ b/lib/radix-tree.c
>> @@ -2040,8 +2040,9 @@ void *radix_tree_delete_item(struct radix_tree_root *root,
>>       void *entry;
>>
>>       entry = __radix_tree_lookup(root, index, &node, &slot);
>> -     if (!entry && (!is_idr(root) || node_tag_get(root, node, IDR_FREE,
>> -                                             get_slot_offset(node, slot))))
>> +     if (!entry && (!is_idr(root) || !node ||
>> +                    node_tag_get(root, node, IDR_FREE,
>> +                                 get_slot_offset(node, slot))))
>>               return NULL;
>>
>>       if (item && entry != item)
>>
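Review bot: the new `!node` test only works as a guard if `node` is initialised to NULL before `__radix_tree_lookup()` runs; its declaration is outside this hunk's context, and the commit message itself says the lookup leaves `*nodep` unwritten on this path, so an uninitialised `node` would make `!node` exactly as unreliable as the `node_tag_get()` call it is meant to protect. Either include the initialisation in the hunk or add `node = NULL;` (and `slot = NULL;`) ahead of the lookup. Since `slot` is left unset on the same path and `__radix_tree_delete()` consumes both pointers, a direct `if (!slot) return NULL;` immediately after the lookup would guard the dereference itself rather than inferring it from `node`. The description should also say whether any index beyond the tree's current maximum takes this path, not only index != 0 against a lone entry at index 0, so the stable backport is justified for the full condition.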
>
> I cannot really vouch for the patch, but if it is correct it's
> definitely stuff for stable.  The KVM testcase is only for 4.17-rc but
> this is a really nasty bug in a core data structure.
>
> Cc: stable@vger.kernel.org
>
> Should radix-tree be compilable in userspace, so that we can add unit
> tests for it?...

Good point.

For my education, what/where are the tests that run as user-space code?
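As an added illustration of the failure the quoted commit message describes (example code written for this page, not code from the thread or from lib/radix-tree.c): a small C model of a lookup that returns early without writing its out-parameters, next to a delete that trusts them anyway and a delete that checks them first. The names (toy_tree, toy_lookup, toy_delete, TOY_*), the poison node and the sample tree are all constructed for the example. The real tree keeps a lone index-0 entry directly in the root; the model represents that as a tree whose maxindex is 0, and in the model any index past maxindex takes the early-return path, which goes beyond the single case the commit message names.

```c
/*
 * Added example, not kernel code: a toy model of the lookup/delete
 * pattern from the quoted commit message.  toy_lookup() keeps the one
 * property that matters: past the tree's maximum index it returns NULL
 * without writing its out-parameters.  All names are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define TOY_SLOTS 4UL

struct toy_node {
	void *slots[TOY_SLOTS];
	bool free_tag[TOY_SLOTS];	/* stands in for the per-slot IDR_FREE tag */
};

struct toy_tree {
	struct toy_node *root;		/* NULL when the tree is empty */
	unsigned long maxindex;		/* highest index the tree currently covers */
};

enum toy_result { TOY_DELETED, TOY_NOT_FOUND, TOY_UNSET_PTR_USED };

/* *nodep and *slotp are written only when index is inside the tree. */
static void *toy_lookup(struct toy_tree *t, unsigned long index,
			struct toy_node **nodep, void ***slotp)
{
	if (!t->root || index > t->maxindex)
		return NULL;		/* out-parameters deliberately untouched */
	*nodep = t->root;
	*slotp = &t->root->slots[index];
	return t->root->slots[index];
}

static unsigned long toy_slot_offset(struct toy_node *n, void **slot)
{
	return (unsigned long)(slot - n->slots);
}

/*
 * Model of radix_tree_delete_item().  guarded == false follows the
 * pre-patch shape: node/slot are consulted whether or not the lookup set
 * them; a poison node stands in for uninitialised stack contents, and
 * reaching the tag read with it still in place is the reported bug,
 * returned as TOY_UNSET_PTR_USED instead of dereferenced.  guarded == true
 * starts both locals at NULL and bails out if the lookup left them there.
 */
static enum toy_result toy_delete(struct toy_tree *t, unsigned long index,
				  bool guarded)
{
	static struct toy_node poison;	/* never a real node */
	struct toy_node *node = guarded ? NULL : &poison;
	void **slot = guarded ? NULL : &poison.slots[0];
	void *entry = toy_lookup(t, index, &node, &slot);
	unsigned long off;

	if (guarded && (!node || !slot))
		return TOY_NOT_FOUND;		/* lookup never reached a slot */
	if (node == &poison)
		return TOY_UNSET_PTR_USED;	/* node->free_tag[] would read garbage */

	off = toy_slot_offset(node, slot);
	if (!entry && node->free_tag[off])	/* the read the kernel check performs */
		return TOY_NOT_FOUND;
	if (!entry)
		return TOY_NOT_FOUND;		/* model: nothing further to tear down */
	*slot = NULL;
	node->free_tag[off] = true;
	return TOY_DELETED;
}

/* Constructed sample: a single entry at index 0 in a tree covering only
 * index 0, the shape the commit message describes.  Rebuilt on each call. */
static struct toy_tree *toy_single_entry_tree(void)
{
	static struct toy_node root;
	static struct toy_tree tree;
	static int item = 42;
	unsigned long i;

	for (i = 0; i < TOY_SLOTS; i++) {
		root.slots[i] = NULL;
		root.free_tag[i] = true;
	}
	root.slots[0] = &item;
	root.free_tag[0] = false;
	tree.root = &root;
	tree.maxindex = 0;
	return &tree;
}

int main(void)
{
	struct toy_tree *t = toy_single_entry_tree();

	printf("delete index 1, unguarded: %s\n",
	       toy_delete(t, 1, false) == TOY_UNSET_PTR_USED ?
	       "uses node/slot the lookup never set" : "ok");
	printf("delete index 1, guarded:   %s\n",
	       toy_delete(t, 1, true) == TOY_NOT_FOUND ? "not found" : "?");
	printf("delete index 0, guarded:   %s\n",
	       toy_delete(t, 0, true) == TOY_DELETED ? "deleted" : "?");
	return 0;
}
```

The unguarded path shows why an early-return lookup and a caller that reads its out-parameters unconditionally is a dangerous pairing: the delete never sees an error, it simply proceeds with whatever the stack held. The guarded path is the property the patch is after, and it only holds because the locals start at NULL; a guard on a pointer that was never initialised would be no guard at all.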


Thread overview: 14+ messages
2018-05-10 19:16 [PATCH] idr: fix invalid ptr dereference on item delete Roman Kagan
2018-05-10 23:54 ` Paolo Bonzini
2018-05-11  5:40   ` Dmitry Vyukov [this message]
2018-05-11  5:57     ` Roman Kagan
2018-05-11  9:12       ` Paolo Bonzini
2018-05-18 20:29 ` Roman Kagan
2018-05-18 17:50 Matthew Wilcox
2018-05-18 20:23 ` Roman Kagan
2018-05-19  0:31   ` Matthew Wilcox
2018-05-18 22:31 ` Andrew Morton
2018-05-19  0:28   ` Matthew Wilcox
2018-05-19  6:26   ` Roman Kagan
2018-05-19 14:14     ` Matthew Wilcox
2018-05-21 19:13       ` Andrew Morton
