mirror of
https://github.com/Fishwaldo/Star64_linux.git
synced 2025-06-27 00:51:35 +00:00
ida: Free correct IDA bitmap
There's a relatively rare race where we look at the per-cpu preallocated IDA bitmap, see it's NULL, allocate a new one, and atomically update it. If the kmalloc() happened to sleep and we were rescheduled to a different CPU, or an interrupt came in at the exact right time, another task might have successfully allocated a bitmap and already deposited it. I forgot what the semantics of cmpxchg() were and ended up freeing the wrong bitmap leading to KASAN reporting a use-after-free. Dmitry found the bug with syzkaller & wrote the patch. I wrote the test case that will reproduce the bug without his patch being applied. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
This commit is contained in:
Matthew Wilcox
parent
3f1b6f9d49
commit
4ecd9542db
4 changed files with 35 additions and 5 deletions
|
|
@ -2129,8 +2129,8 @@ int ida_pre_get(struct ida *ida, gfp_t gfp)
|
|||
struct ida_bitmap *bitmap = kmalloc(sizeof(*bitmap), gfp);
|
||||
if (!bitmap)
|
||||
return 0;
|
||||
bitmap = this_cpu_cmpxchg(ida_bitmap, NULL, bitmap);
|
||||
kfree(bitmap);
|
||||
if (this_cpu_cmpxchg(ida_bitmap, NULL, bitmap))
|
||||
kfree(bitmap);
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue