From: Qian Cai
To: akpm@linux-foundation.org
Cc: esploit@protonmail.ch, jejb@linux.ibm.com, dgilbert@interlog.com, martin.petersen@oracle.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Qian Cai
Subject: [PATCH] rbtree: fix the red root
Date: Fri, 11 Jan 2019 11:51:45 -0500
Message-Id: <20190111165145.23628-1-cai@lca.pw>

A GPF was reported,

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
        kasan_die_handler.cold.22+0x11/0x31
        notifier_call_chain+0x17b/0x390
        atomic_notifier_call_chain+0xa7/0x1b0
        notify_die+0x1be/0x2e0
        do_general_protection+0x13e/0x330
        general_protection+0x1e/0x30
        rb_insert_color+0x189/0x1480
        create_object+0x785/0xca0
        kmemleak_alloc+0x2f/0x50
        kmem_cache_alloc+0x1b9/0x3c0
        getname_flags+0xdb/0x5d0
        getname+0x1e/0x20
        do_sys_open+0x3a1/0x7d0
        __x64_sys_open+0x7e/0xc0
        do_syscall_64+0x1b3/0x820
        entry_SYSCALL_64_after_hwframe+0x49/0xbe

It turned out,

        gparent = rb_red_parent(parent);
        tmp = gparent->rb_right; <-- GPF triggered here.

Apparently, "gparent" is NULL which indicates "parent" is rbtree's root
which is red. Otherwise, it will be treated properly a few lines above.

        /*
         * If there is a black parent, we are done.
         * Otherwise, take some corrective action as,
         * per 4), we don't want a red root or two
         * consecutive red nodes.
         */
        if(rb_is_black(parent))
                break;

Hence, it violates the rule #1 and needs a fix up.

Reported-by: Esme
Signed-off-by: Qian Cai
--- lib/rbtree.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/rbtree.c b/lib/rbtree.c index d3ff682fd4b8..acc969ad8de9 100644 --- a/lib/rbtree.c +++ b/lib/rbtree.c 
@@ -127,6 +127,13 @@ __rb_insert(struct rb_node *node, struct rb_root *root, break; gparent = rb_red_parent(parent); + if (unlikely(!gparent)) { + /* + * The root is red so correct it. + */ + rb_set_parent_color(parent, NULL, RB_BLACK); + break; + } tmp = gparent->rb_right; if (parent != tmp) { /* parent == gparent->rb_left */ -- 2.17.2 (Apple Git-113)
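
Review bot: The new `if (unlikely(!gparent))` branch recolors the node and breaks out without reporting anything, so the state the commit message calls a violation of rule #1 is repaired silently and whatever left the root red stays hidden. The comment quoted in the commit message says the insertion code already avoids a red root, which means the tree was in a bad state before this call; the trace shows the insert coming from kmemleak's create_object, but the message does not say how the root became red. If the branch stays, it should warn once (for example with WARN_ON_ONCE) rather than fix up quietly, and the added comment "The root is red so correct it." should state how that condition can arise. The branch also assumes that a NULL gparent means parent is the root; checking `parent == root->rb_node` before recoloring would keep it from masking a damaged parent pointer on a node that is not the root.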