linux/lib
Tejun Heo 859ddf0974 idr: fix a critical misallocation bug
Eric Paris located a bug in idr.  With IDR_BITS of 6, it grows to three
layers when id 4096 is first allocated.  When that happens, idr wraps
incorrectly and searches the idr array ignoring the high bits.  The
following test code from Eric demonstrates the bug nicely.

#include <linux/idr.h>
#include <linux/kernel.h>
#include <linux/module.h>

static DEFINE_IDR(test_idr);

int init_module(void)
{
	int ret, forty95, forty96;
	void *addr;

	/* add 2 entries both with 4095 as the start address */
again1:
	if (!idr_pre_get(&test_idr, GFP_KERNEL))
		return -ENOMEM;
	ret = idr_get_new_above(&test_idr, (void *)4095, 4095, &forty95);
	if (ret) {
		if (ret == -EAGAIN)
			goto again1;
		return ret;
	}
	if (forty95 != 4095)
		printk(KERN_ERR "hmmm, forty95=%d\n", forty95);

again2:
	if (!idr_pre_get(&test_idr, GFP_KERNEL))
		return -ENOMEM;
	ret = idr_get_new_above(&test_idr, (void *)4096, 4095, &forty96);
	if (ret) {
		if (ret == -EAGAIN)
			goto again2;
		return ret;
	}
	if (forty96 != 4096)
		printk(KERN_ERR "hmmm, forty96=%d\n", forty96);

	/* try to find the 2 entries, noticing that 4096 broke */
	addr = idr_find(&test_idr, forty95);
	if ((int)addr != forty95)
		printk(KERN_ERR "hmmm, after find forty95=%d addr=%d\n", forty95, (int)addr);
	addr = idr_find(&test_idr, forty96);
	if ((int)addr != forty96)
		printk(KERN_ERR "hmmm, after find forty96=%d addr=%d\n", forty96, (int)addr);
	/* really weird, the entry which should be at 4096 is actually at 0!! */
	addr = idr_find(&test_idr, 0);
	if ((int)addr)
		printk(KERN_ERR "found an entry at id=0 for addr=%d\n", (int)addr);

	idr_remove(&test_idr, forty95);
	idr_remove(&test_idr, forty96);

	return 0;
}

void cleanup_module(void)
{
}

MODULE_AUTHOR("Eric Paris <eparis@redhat.com>");
MODULE_DESCRIPTION("Simple idr test");
MODULE_LICENSE("GPL");

This happens because when sub_alloc() back tracks it doesn't always do it
step-by-step while the over-the-limit detection assumes step-by-step
backtracking.  The logic in sub_alloc() looks like the following.

  restart:
    clear pa[top level + 1] for end cond detection
    l = top level
    while (true) {
	search for empty slot at this level
	if (not found) {
	    push id to the next possible value
	    l++
A:	    if (pa[l] is clear)
	        failed, return asking caller to grow the tree
	    if (going up 1 level gives more slots to search)
	        continue the while loop above with the incremented l
	    else
C:	        goto restart
	}
	adjust id accordingly to the found slot
	if (l == 0)
	    return found id;
	create lower level if not there yet
	record pa[l] and l--
    }

Test A is the fail exit condition but this assumes that failure is
propagated upwared one level at a time but the B optimization path breaks
the assumption and restarts the whole thing with a start value which is
above the possible limit with the current layers.  sub_alloc() assumes the
start id value is inside the limit when called and test A is the only exit
condition check, so it ends up searching for empty slot while ignoring
high set bit.

So, for 4095->4096 test, level0 search fails but pa[1] contains a valid
pointer.  However, going up 1 level wouldn't give any more empty slot so
it takes C and when the whole thing restarts nobody notices the high bit
set beyond the top level.

This patch fixes the bug by changing the fail exit condition check to full
id limit check.

Based-on-patch-from: Eric Paris <eparis@redhat.com>
Reported-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-02-02 18:11:21 -08:00
..
lzo lib: add support for LZO-compressed kernels 2010-01-11 09:34:04 -08:00
reed_solomon
zlib_deflate
zlib_inflate zlib: Fix build of powerpc boot wrapper 2010-01-13 16:13:39 -08:00
.gitignore
argv_split.c tree-wide: convert open calls to remove spaces to skip_spaces() lib function 2009-12-15 08:53:32 -08:00
atomic64.c
audit.c
bcd.c
bitmap.c bitmap: introduce bitmap_set, bitmap_clear, bitmap_find_next_zero_area 2009-12-16 07:20:18 -08:00
bitrev.c
bug.c
bust_spinlocks.c
check_signature.c
checksum.c lib/checksum: fix one more thinko 2009-11-03 16:06:53 +01:00
cmdline.c
cpumask.c
crc7.c
crc16.c
crc32.c crc32: minor optimizations and cleanup 2009-12-15 08:53:35 -08:00
crc32defs.h
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
ctype.c ctype: constify read-only _ctype string 2009-12-15 08:53:32 -08:00
debug_locks.c
debugobjects.c debugobjects: Convert to raw_spinlocks 2009-12-14 23:55:34 +01:00
dec_and_lock.c
decompress_bunzip2.c bzip2: Add missing checks for malloc returning NULL 2009-12-15 14:04:19 -08:00
decompress_inflate.c
decompress_unlzma.c
decompress_unlzo.c lib: add support for LZO-compressed kernels 2010-01-11 09:34:04 -08:00
decompress.c Add LZO compression support for initramfs and old-style initrd 2010-01-11 09:34:05 -08:00
devres.c
div64.c
dma-debug.c Merge branches 'amd-iommu/fixes' and 'dma-debug/fixes' into iommu/fixes 2010-01-22 18:00:41 +01:00
dump_stack.c
dynamic_debug.c tree-wide: convert open calls to remove spaces to skip_spaces() lib function 2009-12-15 08:53:32 -08:00
extable.c
fault-inject.c
find_last_bit.c
find_next_bit.c
flex_array.c
gcd.c
gen_crc32table.c
genalloc.c genalloc: use bitmap_find_next_zero_area 2009-12-16 07:20:21 -08:00
halfmd4.c
hexdump.c
hweight.c
idr.c idr: fix a critical misallocation bug 2010-02-02 18:11:21 -08:00
inflate.c
int_sqrt.c
iomap_copy.c
iomap.c
iommu-helper.c iommu-helper: use bitmap library 2009-12-16 07:20:18 -08:00
ioremap.c
irq_regs.c
is_single_threaded.c
kasprintf.c
Kconfig Add LZO compression support for initramfs and old-style initrd 2010-01-11 09:34:05 -08:00
Kconfig.debug Merge branch 'kmemleak' of git://linux-arm.org/linux-2.6 2009-12-17 16:00:19 -08:00
Kconfig.kgdb
Kconfig.kmemcheck
kernel_lock.c bkl: Fixup core_lock fallout 2009-12-14 23:55:33 +01:00
klist.c
kobject_uevent.c
kobject.c
kref.c
libcrc32c.c
list_debug.c
list_sort.c lib: Introduce generic list_sort function 2010-01-12 21:02:00 -08:00
lmb.c powerpc: allow ioremap within reserved memory regions 2009-12-12 22:24:32 -07:00
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c
lru_cache.c
Makefile lib: Introduce generic list_sort function 2010-01-12 21:02:00 -08:00
nlattr.c
parser.c parser: remove unnecessary strlen() 2009-12-15 08:53:33 -08:00
percpu_counter.c
plist.c plist: Make plist debugging raw_spinlock aware 2009-12-14 23:55:33 +01:00
prio_heap.c
prio_tree.c
proportions.c
radix-tree.c FS-Cache: Don't delete pending pages from the page-store tracking tree 2009-11-19 18:11:29 +00:00
random32.c
ratelimit.c ratelimit: Make suppressed output messages more useful 2009-10-23 17:26:37 +02:00
rational.c lib/rational.c needs module.h 2010-01-11 09:34:05 -08:00
rbtree.c
reciprocal_div.c
rwsem-spinlock.c rwsem: fix rwsem_is_locked() bugs 2009-12-15 08:53:26 -08:00
rwsem.c
scatterlist.c
sha1.c
show_mem.c
smp_processor_id.c
sort.c
spinlock_debug.c locking: Further name space cleanups 2009-12-14 23:55:33 +01:00
string_helpers.c
string.c lib: Introduce strnstr() 2010-01-14 22:38:09 -05:00
swiotlb.c dma-mapping: fix off-by-one error in dma_capable() 2009-12-16 07:20:12 -08:00
syscall.c
textsearch.c
ts_bm.c
ts_fsm.c
ts_kmp.c
vsprintf.c vsnprintf: fix reference for compressed ipv6 addresses 2010-01-11 09:34:06 -08:00