linux/lib
Matthew Wilcox (Oracle) 63b1898fff XArray: Disallow sibling entries of nodes
There is a race between xas_split() and xas_load() which can result in
the wrong page being returned, and thus data corruption.  Fortunately,
it's hard to hit (syzbot took three months to find it) and often guarded
with VM_BUG_ON().

The anatomy of this race is:

thread A			thread B
order-9 page is stored at index 0x200
				lookup of page at index 0x274
page split starts
				load of sibling entry at offset 9
stores nodes at offsets 8-15
				load of entry at offset 8

The entry at offset 8 turns out to be a node, and so we descend into it,
and load the page at index 0x234 instead of 0x274.  This is hard to fix
on the split side; we could replace the entire node that contains the
order-9 page instead of replacing the eight entries.  Fixing it on
the lookup side is easier; just disallow sibling entries that point
to nodes.  This cannot ever be a useful thing as the descent would not
know the correct offset to use within the new node.

The test suite continues to pass, but I have not added a new test for
this bug.

Reported-by: syzbot+cf4cf13056f85dec2c40@syzkaller.appspotmail.com
Tested-by: syzbot+cf4cf13056f85dec2c40@syzkaller.appspotmail.com
Fixes: 6b24ca4a1a ("mm: Use multi-index entries in the page cache")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
2022-04-22 15:35:40 -04:00
..
842 kbuild: trace functions in subdirectories of lib/ 2020-08-10 01:32:59 +09:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2022-03-21 16:02:36 -07:00
dim Revert "lib: Revert use of fallthrough pseudo-keyword in lib/" 2020-11-18 14:15:17 -06:00
fonts lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
kunit linux-kselftest-kunit-5.18-rc1 2022-03-23 12:56:39 -07:00
livepatch Kbuild updates for v5.9 2020-08-09 14:10:26 -07:00
lz4 lz4: fix LZ4_decompress_safe_partial read out of bound 2022-04-08 14:20:36 -10:00
lzo lib/lzo/lzo1x_compress.c: make lzogeneric1x_1_compress() static 2020-12-15 22:46:19 -08:00
math math: make RATIONAL tristate 2021-09-08 11:50:26 -07:00
mpi lib/mpi: export mpi_rshift 2022-03-03 10:47:52 +12:00
pldmfw lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
raid6 lib/raid6: Include <asm/ppc-opcode.h> for VPERMXOR 2022-03-08 15:20:21 -08:00
reed_solomon lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
test_fortify fortify: Detect struct member overflows in memset() at compile-time 2022-02-13 16:50:06 -08:00
vdso lib/vdso: Add vdso_data pointer as input to __arch_get_timens_vdso_data() 2021-04-14 23:04:44 +10:00
xz lib/xz, lib/decompress_unxz.c: Fix spelling in comments 2021-10-19 23:44:30 +08:00
zlib_deflate kbuild: trace functions in subdirectories of lib/ 2020-08-10 01:32:59 +09:00
zlib_dfltcc zlib: move EXPORT_SYMBOL() and MODULE_LICENSE() out of dfltcc_syms.c 2020-12-29 15:36:49 -08:00
zlib_inflate lib/zlib_inflate/inffast: check config in C to avoid unused function warning 2021-09-24 16:13:35 -07:00
zstd lib: zstd: Don't add -O3 to cflags 2021-11-18 13:16:22 -08:00
.gitignore fortify: Add compile-time FORTIFY_SOURCE tests 2021-10-18 12:28:52 -07:00
argv_split.c
ashldi3.c
ashrdi3.c
asn1_decoder.c Revert "lib: Revert use of fallthrough pseudo-keyword in lib/" 2020-11-18 14:15:17 -06:00
asn1_encoder.c lib: remove redundant assignment to variable ret 2022-01-20 08:52:55 +02:00
assoc_array.c assoc_array: Avoid open coded arithmetic in allocator arguments 2021-10-13 14:54:13 -05:00
atomic64_test.c
atomic64.c locking/atomic: atomic64: Remove unusable atomic ops 2021-12-13 10:56:09 +01:00
audit.c audit: add support for the openat2 syscall 2021-10-01 16:52:48 -04:00
bcd.c
bch.c lib/bch.c: fix a typo in the file bch.c 2021-05-06 19:24:12 -07:00
bitfield_kunit.c lib: kunit: Fix compilation test when using TEST_BIT_FIELD_COMPILE 2020-10-16 13:25:14 -06:00
bitmap.c lib: bitmap: fix many kernel-doc warnings 2022-03-23 19:00:33 -07:00
bitrev.c
bootconfig.c Merge branch 'akpm' (patches from Andrew) 2021-11-06 14:08:17 -07:00
bsearch.c lib/bsearch: Provide __always_inline variant 2020-06-11 15:14:53 +02:00
btree.c
bucket_locks.c
bug.c bug: Assign values once in bug_get_file_line() 2021-04-01 09:54:37 +01:00
build_OID_registry
buildid.c kdump: use vmlinux_build_id to simplify 2021-07-08 11:48:22 -07:00
bust_spinlocks.c
check_signature.c
checksum.c unify generic instances of csum_partial_copy_nocheck() 2020-08-20 15:45:14 -04:00
clz_ctz.c
clz_tab.c
cmdline_kunit.c lib/cmdline_kunit: Remove a cast which are no-longer required 2021-06-23 16:41:41 -06:00
cmdline.c lib/cmdline: Export next_arg() for being used in modules 2021-05-05 16:07:40 +02:00
cmpdi2.c
compat_audit.c audit: add support for the openat2 syscall 2021-10-01 16:52:48 -04:00
cpu_rmap.c
cpumask.c memblock: use memblock_free for freeing virtual pointers 2021-11-06 13:30:41 -07:00
crc4.c
crc7.c lib/crc7: fix a kernel-doc markup 2021-01-21 14:06:00 -07:00
crc8.c lib: crc8: pointer to data block should be const 2021-05-06 19:24:12 -07:00
crc16.c
crc32.c lib/crc32: Make crc32_be weak for arch override 2022-01-31 11:21:43 +11:00
crc32defs.h
crc32test.c lib/crc32test: correct printed bytes count 2022-01-31 11:21:43 +11:00
crc64-rocksoft.c crypto: add rocksoft 64b crc guard tag framework 2022-03-07 12:48:35 -07:00
crc64.c lib: add rocksoft model crc64 2022-03-07 12:48:35 -07:00
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c crc-t10dif: clean up some more things 2020-06-18 17:26:43 +10:00
ctype.c
debug_info.c isystem: ship and use stdarg.h 2021-08-19 09:02:55 +09:00
debug_locks.c locking/lockdep: Improve noinstr vs errors 2021-06-22 13:56:43 +02:00
debugobjects.c debugobjects: Make them PREEMPT_RT aware 2021-08-13 10:07:44 +02:00
dec_and_lock.c
decompress_bunzip2.c lib/decompressors: fix spelling mistakes 2021-07-01 11:06:05 -07:00
decompress_inflate.c
decompress_unlz4.c lib/decompress_unlz4.c: correctly handle zero-padding around initrds. 2021-07-01 11:06:06 -07:00
decompress_unlzma.c lib: fix inconsistent indenting in process_bit1() 2021-05-06 19:24:12 -07:00
decompress_unlzo.c lib/decompressors: remove set but not used variabled 'level' 2021-07-01 11:06:06 -07:00
decompress_unxz.c lib/xz, lib/decompress_unxz.c: Fix spelling in comments 2021-10-19 23:44:30 +08:00
decompress_unzstd.c lib: zstd: Add decompress_sources.h for decompress_unzstd 2021-11-08 16:55:26 -08:00
decompress.c lib: Add zstd support to decompress 2020-07-31 11:49:08 +02:00
devmem_is_allowed.c lib: use PFN_PHYS() in devmem_is_allowed() 2021-08-13 14:09:32 -10:00
devres.c lib: devres: Add managed arch_io_reserve_memtype_wc() 2021-09-23 09:25:59 +02:00
digsig.c crypto: sha - split sha.h into sha1.h and sha2.h 2020-11-20 14:45:33 +11:00
dump_stack.c lib/dump_stack: correct kernel-doc notation 2021-09-08 11:50:26 -07:00
dynamic_debug.c dyndbg: refine verbosity 1-4 summary-detail 2021-10-21 13:01:25 +02:00
dynamic_queue_limits.c lib: dynamic_queue_limits: delete duplicated words + fix typo 2020-10-16 11:11:20 -07:00
earlycpio.c lib: remove "expecting prototype" kernel-doc warnings 2021-04-16 16:10:37 -07:00
errname.c kernel.h: split out mathematical helpers 2020-12-15 22:46:15 -08:00
error-inject.c kprobes: treewide: Replace arch_deref_entry_point() with dereference_symbol_descriptor() 2021-09-30 21:24:06 -04:00
errseq.c kernel.h: split out mathematical helpers 2020-12-15 22:46:15 -08:00
extable.c sparc32: switch to generic extables 2021-01-03 20:05:18 -05:00
fault-inject-usercopy.c lib, include/linux: add usercopy failure capability 2020-10-16 11:11:22 -07:00
fault-inject.c
fdt_addresses.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
fdt.c
find_bit_benchmark.c lib: add find_first_and_bit() 2022-01-15 08:47:31 -08:00
find_bit.c lib: add find_first_and_bit() 2022-01-15 08:47:31 -08:00
flex_proportions.c flex_proportions: Allow N events instead of 1 2021-10-18 07:49:39 -04:00
gen_crc32table.c
gen_crc64table.c lib: add rocksoft model crc64 2022-03-07 12:48:35 -07:00
genalloc.c all: replace find_next{,_zero}_bit with find_first{,_zero}_bit where appropriate 2022-01-15 08:47:31 -08:00
generic-radix-tree.c
glob.c Revert "lib: Revert use of fallthrough pseudo-keyword in lib/" 2020-11-18 14:15:17 -06:00
globtest.c
hexdump.c kernel.h: split out min()/max() et al. helpers 2020-10-16 11:11:19 -07:00
hweight.c
idr.c XArray updates for 5.9 2020-10-20 14:39:37 -07:00
inflate.c
interval_tree_test.c
interval_tree.c
iomap_copy.c
iomap.c iomap: constify ioreadX() iomem argument (as in generic implementation) 2020-08-14 19:56:57 -07:00
iommu-helper.c
iov_iter.c lib/iov_iter: initialize "flags" in new pipe_buffer 2022-02-21 10:16:39 -05:00
irq_poll.c
irq_regs.c
is_single_threaded.c
kasprintf.c isystem: ship and use stdarg.h 2021-08-19 09:02:55 +09:00
Kconfig crypto: add rocksoft 64b crc guard tag framework 2022-03-07 12:48:35 -07:00
Kconfig.debug cxl for 5.18 2022-03-24 18:07:03 -07:00
Kconfig.kasan kasan: allow enabling KASAN_VMALLOC and SW/HW_TAGS 2022-03-24 19:06:48 -07:00
Kconfig.kcsan Revert "ubsan, kcsan: Don't combine sanitizer with kcov on clang" 2022-03-23 19:00:35 -07:00
Kconfig.kfence kfence: allow use of a deferrable timer 2022-03-22 15:57:11 -07:00
Kconfig.kgdb kgdb: Honour the kprobe blocklist when setting breakpoints 2020-09-28 12:14:08 +01:00
Kconfig.ubsan Revert "ubsan, kcsan: Don't combine sanitizer with kcov on clang" 2022-03-23 19:00:35 -07:00
kfifo.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
klist.c
kobject_uevent.c kobject: remove kset from struct kset_uevent_ops callbacks 2021-12-28 11:26:18 +01:00
kobject.c kobject: kobj_type: remove default_attrs 2022-04-05 15:39:19 +02:00
kstrtox.c kstrtox: uninline everything 2022-01-20 08:52:53 +02:00
kstrtox.h lib: vsprintf: Fix handling of number field widths in vsscanf 2021-05-19 15:05:11 +02:00
libcrc32c.c lib: libcrc32c: delete duplicated words 2020-10-16 11:11:19 -07:00
linear_ranges.c lib: add linear range get selector within 2021-08-13 18:37:38 +02:00
list_debug.c lib/list_debug.c: print more list debugging context in __list_del_entry_valid() 2022-01-20 08:52:53 +02:00
list_sort.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
list-test.c list: test: Add a test for list_entry_is_head() 2022-02-25 08:39:01 -07:00
llist.c
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-rtmutex.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c lockdep/selftests: Adapt ww-tests for PREEMPT_RT 2021-12-04 10:56:24 +01:00
lockref.c
logic_iomem.c lib/logic_iomem: correct fallback config references 2022-03-11 10:42:56 +01:00
logic_pio.c PCI: Fix pci_register_io_range() memory leak 2021-02-17 17:31:06 -06:00
lru_cache.c lib: remove "expecting prototype" kernel-doc warnings 2021-04-16 16:10:37 -07:00
lshrdi3.c
Makefile memcpy updates for v5.18-rc1 2022-03-26 12:19:04 -07:00
memcat_p.c
memcpy_kunit.c string.h: Introduce memset_startat() for wiping trailing members and padding 2021-10-18 12:28:52 -07:00
memory-notifier-error-inject.c
memregion.c lib/memregion.c: include memregion.h 2020-09-26 10:33:57 -07:00
memweight.c
muldi3.c
net_utils.c
netdev-notifier-error-inject.c
nlattr.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
nmi_backtrace.c printk: restore flushing of NMI buffers on remote CPUs after NMI backtraces 2021-11-10 16:12:00 +01:00
nodemask.c
notifier-error-inject.c
notifier-error-inject.h
objagg.c lib: objagg: Use the bitmap API when applicable 2021-12-24 14:54:29 -08:00
of-reconfig-notifier-error-inject.c
oid_registry.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
once.c once: Fix panic when module unload 2021-08-08 13:00:20 +01:00
overflow_kunit.c lib: overflow: Convert to Kunit 2022-02-27 09:29:02 -08:00
packing.c net: update NXP copyright text 2021-09-17 13:52:17 +01:00
parman.c lib: remove "expecting prototype" kernel-doc warnings 2021-04-16 16:10:37 -07:00
parser.c kernel.h: split out kstrtox() and simple_strtox() to a separate header 2021-07-01 11:06:05 -07:00
pci_iomap.c pci_iounmap'2: Electric Boogaloo: try to make sense of it all 2021-09-19 17:13:35 -07:00
percpu_counter.c lib/percpu_counter: tame kernel-doc compile warning 2021-05-06 19:24:12 -07:00
percpu_test.c
percpu-refcount.c percpu_ref: Don't opencode percpu_ref_is_dying 2021-05-13 03:27:38 +00:00
plist.c
pm-notifier-error-inject.c
radix-tree.c lib: remove "expecting prototype" kernel-doc warnings 2021-04-16 16:10:37 -07:00
random32.c random: replace custom notifier chain with standard one 2022-03-12 18:00:56 -07:00
ratelimit.c
rbtree_test.c
rbtree.c lib/: replace HTTP links with HTTPS ones 2020-08-12 10:58:00 -07:00
ref_tracker.c ref_tracker: remove filter_irq_stacks() call 2022-02-06 11:05:28 +00:00
refcount.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
rhashtable.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
sbitmap.c lib/sbitmap: allocate sb->map via kvzalloc_node 2022-03-21 20:01:34 -06:00
scatterlist.c mm/scatterlist: replace the !preemptible warning in sg_miter_stop() 2021-11-09 10:02:50 -08:00
seq_buf.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
sg_pool.c lib/scatterlist: Fix wrong update of orig_nents 2021-08-24 19:52:40 -03:00
sg_split.c
sha1.c lib/crypto: sha1: re-roll loops to reduce code size 2022-01-18 13:03:55 +01:00
show_mem.c
siphash.c siphash: use _unaligned version by default 2021-11-29 19:50:50 -08:00
slub_kunit.c mm/slub, kunit: add a KUnit test for SLUB debugging functionality 2021-06-29 10:53:46 -07:00
smp_processor_id.c lib/smp_processor_id: Use is_percpu_thread() instead of nr_cpus_allowed 2021-05-19 10:51:40 +02:00
sort.c lib/sort: Add priv pointer to swap function 2022-03-17 20:17:18 -07:00
stackdepot.c lib/stackdepot: always do filter_irq_stacks() in stack_depot_save() 2022-01-22 08:33:38 +02:00
stackinit_kunit.c lib: stackinit: Convert to KUnit 2022-03-21 08:13:04 -07:00
stmp_device.c
string_helpers.c fortify: Detect struct member overflows in memcpy() at compile-time 2022-02-13 16:50:06 -08:00
string.c lib/string: Move helper functions out of string.c 2021-09-25 08:20:49 -07:00
strncpy_from_user.c uaccess: remove CONFIG_SET_FS 2022-02-25 09:36:06 +01:00
strnlen_user.c uaccess: remove CONFIG_SET_FS 2022-02-25 09:36:06 +01:00
syscall.c sched: Change task_struct::state 2021-06-18 11:43:09 +02:00
test_bitmap.c lib: bitmap: add performance test for bitmap_print_to_pagebuf 2022-01-15 08:47:31 -08:00
test_bitops.c lib/test: fix spelling mistakes 2021-07-08 11:48:20 -07:00
test_bits.c lib/test_bits.c: add tests of GENMASK 2020-08-12 10:58:00 -07:00
test_blackhole_dev.c
test_bpf.c bpf: Change value of MAX_TAIL_CALL_CNT from 32 to 33 2021-11-16 14:03:15 +01:00
test_debug_virtual.c
test_firmware.c firmware: replace HOTPLUG with UEVENT in FW_ACTION defines 2021-05-13 16:14:45 +02:00
test_fprobe.c fprobe: Add a selftest for fprobe 2022-03-17 20:17:14 -07:00
test_fpu.c selftests/fpu: Fix debugfs_simple_attr.cocci warning 2021-01-18 11:03:26 +01:00
test_free_pages.c lib/test_free_pages.c: add basic progress indicators 2020-12-15 22:46:16 -08:00
test_hash.c test_hash.c: refactor into kunit 2022-01-20 08:52:54 +02:00
test_hexdump.c
test_hmm_uapi.h mm: selftests for exclusive device memory 2021-07-01 11:06:03 -07:00
test_hmm.c mm: remove the extra ZONE_DEVICE struct page refcount 2022-03-03 12:47:33 -05:00
test_ida.c
test_kasan_module.c kasan: test: bypass __alloc_size checks 2021-11-06 13:30:33 -07:00
test_kasan.c kasan: update function name in comments 2022-03-24 19:06:48 -07:00
test_kmod.c lib/test: use after free in register_test_dev_kmod() 2022-03-29 15:13:36 -07:00
test_kprobes.c test_kprobes: Move it from kernel/ to lib/ 2021-10-26 17:23:46 -04:00
test_linear_ranges.c
test_list_sort.c lib/test: convert lib/test_list_sort.c to use KUnit 2021-06-25 11:31:03 -06:00
test_lockup.c lib/test_lockup: fix kernel pointer check for separate address spaces 2022-02-25 09:36:06 +01:00
test_memcat_p.c
test_meminit.c lib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test 2022-01-20 08:52:54 +02:00
test_min_heap.c
test_module.c
test_objagg.c test_objagg: Fix potential memory leak in error handling 2020-06-15 13:32:11 -07:00
test_parman.c
test_printf.c vsprintf: Make %pGp print the hex value 2021-10-27 13:40:14 +02:00
test_ref_tracker.c lib: add tests for reference tracker 2021-12-06 16:04:44 -08:00
test_rhashtable.c rhashtable: avoid -Wrestrict warning on overlapping sprintf output 2021-03-24 15:16:09 -07:00
test_scanf.c lib/test_scanf: split up number parsing test routines 2021-09-06 11:04:03 -07:00
test_siphash.c
test_sort.c lib/test: convert test_sort.c to use KUnit 2021-09-08 11:50:26 -07:00
test_static_key_base.c
test_static_keys.c
test_string.c lib/test_string.c: allow module removal 2021-07-01 11:06:05 -07:00
test_strscpy.c
test_sysctl.c test_sysctl: simplify subdirectory registration with register_sysctl() 2022-01-22 08:33:35 +02:00
test_ubsan.c ubsan: remove CONFIG_UBSAN_OBJECT_SIZE 2022-01-20 08:52:55 +02:00
test_user_copy.c
test_uuid.c
test_vmalloc.c lib/test_vmalloc.c: use swap() to make code cleaner 2021-11-06 13:30:37 -07:00
test_xarray.c XArray: Fix xas_create_range() when multi-order entry present 2022-03-28 19:25:11 -04:00
test-kstrtox.c
test-string_helpers.c string_helpers: Escape double quotes in escape_special 2021-07-19 11:39:28 +02:00
textsearch.c
timerqueue.c rbtree, timerqueue: Use rb_add_cached() 2021-02-17 14:08:01 +01:00
ts_bm.c lib/: replace HTTP links with HTTPS ones 2020-08-12 10:58:00 -07:00
ts_fsm.c Revert "lib: Revert use of fallthrough pseudo-keyword in lib/" 2020-11-18 14:15:17 -06:00
ts_kmp.c
ubsan.c ubsan: no need to unset panic_on_warn in ubsan_epilogue() 2022-03-23 19:00:35 -07:00
ubsan.h ubsan: implement __ubsan_handle_alignment_assumption 2021-02-05 11:03:47 -08:00
ucmpdi2.c
ucs2_string.c
usercopy.c lib, uaccess: add failure injection to usercopy functions 2020-10-16 11:11:22 -07:00
uuid.c
vsprintf.c lib/vsprintf: avoid redundant work with 0 size 2022-03-24 19:06:44 -07:00
win_minmax.c
xarray.c XArray: Disallow sibling entries of nodes 2022-04-22 15:35:40 -04:00
xxhash.c lib/: replace HTTP links with HTTPS ones 2020-08-12 10:58:00 -07:00