Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

lib/radix-tree.c: fix overflow in radix_tree_range_tag_if_tagged()

When radix_tree_maxindex() is ~0UL, it can happen that scanning overflows
index and tree traversal code goes astray reading memory until it hits
unreadable memory. Check for overflow and exit in that case.

Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Nick Piggin <nickpiggin@yahoo.com.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Authored by Jan Kara and committed by Linus Torvalds
d5ed3a4a f2e41e91

+6 -2
+4 -1
lib/radix-tree.c
··· 625 625 * 626 626 * The function returns number of leaves where the tag was set and sets 627 627 * *first_indexp to the first unscanned index. 628 + * WARNING! *first_indexp can wrap if last_index is ULONG_MAX. Caller must 629 + * be prepared to handle that. 628 630 */ 629 631 unsigned long radix_tree_range_tag_if_tagged(struct radix_tree_root *root, 630 632 unsigned long *first_indexp, unsigned long last_index, ··· 677 675 next: 678 676 /* Go to next item at level determined by 'shift' */ 679 677 index = ((index >> shift) + 1) << shift; 680 - if (index > last_index) 678 + /* Overflow can happen when last_index is ~0UL... */ 679 + if (index > last_index || !index) 681 680 break; 682 681 if (tagged >= nr_to_tag) 683 682 break;
+2 -1
mm/page-writeback.c
··· 836 836 spin_unlock_irq(&mapping->tree_lock); 837 837 WARN_ON_ONCE(tagged > WRITEBACK_TAG_BATCH); 838 838 cond_resched(); 839 - } while (tagged >= WRITEBACK_TAG_BATCH); 839 + /* We check 'start' to handle wrapping when end == ~0UL */ 840 + } while (tagged >= WRITEBACK_TAG_BATCH && start); 840 841 } 841 842 EXPORT_SYMBOL(tag_pages_for_writeback); 842 843
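Review bot: In the lib/radix-tree.c comment hunk, the new WARNING says *first_indexp can wrap but does not say what value a caller will see. Judging by the `!index` test added in the next hunk, the wrapped value is 0; stating that in the comment, and that a caller looping on the return value must also stop when *first_indexp is 0, would make the contract checkable rather than leaving "be prepared to handle that" open to interpretation.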
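Review bot: In the `next:` hunk of lib/radix-tree.c, `!index` is a sufficient overflow test only because `((index >> shift) + 1) << shift` is always a multiple of 1 << shift and so wraps to exactly 0, never to a small nonzero value. The added comment trails off with "..." without recording that; suggest saying so explicitly, so a later change to the step computation does not silently invalidate the check.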
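Review bot: In mm/page-writeback.c, `&& start` treats every zero value of start as a wrap. That holds here because the condition sits at the bottom of a do-while and is evaluated after the tagging pass, assuming start is the variable the pass advances to the first unscanned index. The comment should say that start can only be 0 at this point after wrapping, since the same test at the top of a loop would stop a scan that legitimately begins at index 0.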