diff options
author | Imre Deak <imre.deak@nokia.com> | 2010-05-26 17:43:38 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-05-27 12:12:48 -0400 |
commit | 2dcb22b346be7b7b7e630a8970d69cf3f1111ec1 (patch) | |
tree | 971c295dc21e37d92d7cf62335edd046ab5e9a83 | |
parent | 79a6cdeb7eb54e3d2d4bb9fc5f0231b057882a87 (diff) |
idr: fix backtrack logic in idr_remove_all
Currently idr_remove_all will fail with a use after free error if
idr::layers is bigger than 2, which on 32 bit systems corresponds to items
more than 1024. This is due to stepping back too many levels during
backtracking. For simplicity let's assume that IDR_BITS=1 -> we have 2
nodes at each level below the root node and each leaf node stores two IDs.
(In reality for 32 bit systems IDR_BITS=5, with 32 nodes at each sub-root
level and 32 IDs in each leaf node). The sequence of freeing the nodes at
the moment is as follows:
layer
1 -> a(7)
2 -> b(3) c(5)
3 -> d(1) e(2) f(4) g(6)
Until step 4 things go fine, but then node c is freed, whereas node g
should be freed first. Since node c contains the pointer to node g we'll
have a use after free error at step 6.
How many levels we step back after visiting the leaf nodes is currently
determined by the msb of the id we are currently visiting:
Step
1. node d with IDs 0,1 is freed, current ID is advanced to 2.
msb of the current ID bit 1. This means we need to step back
1 level to node b and take the next sibling, node e.
2-3. node e with IDs 2,3 is freed, current ID is 4, msb is bit 2.
This means we need to step back 2 levels to node a, freeing
node b on the way.
4-5. node f with IDs 4,5 is freed, current ID is 6, msb is still
bit 2. This means we again need to step back 2 levels to node
a and free c on the way.
6. We should visit node g, but its pointer is not available as
node c was freed.
The fix changes how we determine the number of levels to step back.
Instead of deducting this merely from the msb of the current ID, we should
really check if advancing the ID causes an overflow to a bit position
corresponding to a given layer. In the above example overflow from bit 0
to bit 1 should mean stepping back 1 level. Overflow from bit 1 to bit 2
should mean stepping back 2 levels and so on.
The fix was tested with IDs up to 1 << 20, which corresponds to 4 layers
on 32 bit systems.
Signed-off-by: Imre Deak <imre.deak@nokia.com>
Reviewed-by: Tejun Heo <tj@kernel.org>
Cc: Eric Paris <eparis@redhat.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: <stable@kernel.org> [2.6.34.1]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | lib/idr.c | 5 |
1 files changed, 4 insertions, 1 deletions
@@ -445,6 +445,7 @@ EXPORT_SYMBOL(idr_remove); | |||
445 | void idr_remove_all(struct idr *idp) | 445 | void idr_remove_all(struct idr *idp) |
446 | { | 446 | { |
447 | int n, id, max; | 447 | int n, id, max; |
448 | int bt_mask; | ||
448 | struct idr_layer *p; | 449 | struct idr_layer *p; |
449 | struct idr_layer *pa[MAX_LEVEL]; | 450 | struct idr_layer *pa[MAX_LEVEL]; |
450 | struct idr_layer **paa = &pa[0]; | 451 | struct idr_layer **paa = &pa[0]; |
@@ -462,8 +463,10 @@ void idr_remove_all(struct idr *idp) | |||
462 | p = p->ary[(id >> n) & IDR_MASK]; | 463 | p = p->ary[(id >> n) & IDR_MASK]; |
463 | } | 464 | } |
464 | 465 | ||
466 | bt_mask = id; | ||
465 | id += 1 << n; | 467 | id += 1 << n; |
466 | while (n < fls(id)) { | 468 | /* Get the highest bit that the above add changed from 0->1. */ |
469 | while (n < fls(id ^ bt_mask)) { | ||
467 | if (p) | 470 | if (p) |
468 | free_layer(p); | 471 | free_layer(p); |
469 | n += IDR_BITS; | 472 | n += IDR_BITS; |