Commit 835cc0c8477fdbc59e0217891d6f11061b1ac4e2 introduced the bug
that if the list to be sorted is a power-of-two in length, cmp() may
be passed pointers to the list header rather than to a list element.
This typically causes the caller's cmp() to read from invalid memory
locations off one end or the other of the list_head struct.
Signed-off-by: Don Mullis <[email protected]>
Tested-by: Artem Bityutskiy <[email protected]>
Signed-off-by: Artem Bityutskiy <[email protected]>
To: Alex Elder <[email protected]>
To: David Airlie <[email protected]>
Cc: [email protected]
---
Examination of client code in xfs_buf.c and drm_modes.c showed no
obvious vulnerability to crashing: memory at offsets reachable by
cmp() appeared to always be readable, and the cmp() functions do not
dereference any pointers in the struct that they assume they have been
passed.
lib/list_sort.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: linux-next/lib/list_sort.c
===================================================================
--- linux-next.orig/lib/list_sort.c 2010-08-23 22:59:59.899177219 -0700
+++ linux-next/lib/list_sort.c 2010-08-23 23:01:48.007177492 -0700
@@ -70,7 +70,7 @@ static void merge_and_restore_back_links
* element comparison is needed, so the client's cmp()
* routine can invoke cond_resched() periodically.
*/
- (*cmp)(priv, tail, tail);
+ (*cmp)(priv, tail->next, tail->next);
tail->next->prev = tail;
tail = tail->next;