Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp2539238rdb; Mon, 25 Dec 2023 16:37:24 -0800 (PST) X-Google-Smtp-Source: AGHT+IFtXSuxrU2vNLRGwuzAHZU1eDg8/RVmaujmxhSNE5VJg9Af08cYjsG6Paj2mnDrM9ooUQ9/ X-Received: by 2002:a05:620a:5615:b0:77f:91f:5174 with SMTP id vu21-20020a05620a561500b0077f091f5174mr6988335qkn.97.1703551043895; Mon, 25 Dec 2023 16:37:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1703551043; cv=none; d=google.com; s=arc-20160816; b=NgYcZZBqS5qlzhYzJ8CoxWlJW5ttP3T6vlnWadE85Lp9YMSkStvlEV78hBhXcONxqP q4pO5PZIle8yLV+VJVu1K1OkxHr+NJmCr8uKLzqApTTspenFq3enVLxVA1mivUSWJ/As jIMdeamwu8q28vupjKFFuzstSTEWHBMap7nXYvAYA1UCwMBSujvI96LoDgGJFCi1hJSZ Emyq0Lxsg67hz8vrDmNorjwYMFdAShguoQi7itKKD9giKnSR7AfkF99cNzxZg9QizfGK bZqmG5tq1z7L2+GIJ3jQcx5FCpr8nNa2Kskqk59DDRiAQ6cV6SwQJrf2Sdr4jQV7KXj4 h78g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=6Sb+8ZX6QCfUg/5GR1iEn0w82VF7I74QYmrkFBPiR5s=; fh=aRew33X1Ft+44j1MjxyNLc5mSRrPUALCqpDgAtYFBGs=; b=NlGAF0+92yVuL1kpPcnn6UjUiB/2EI8/qbXXeRjIfRFwlnbq+frxTf1ejRO7zlqqmN KXJ4Ux4MgDMjWvYRBsus8K29C0P+ddf/G0OwrZthnfht8JlLwvl4BksQ277aE0rKJAeq 3/sQKJYtqjknMXvK3FKv/jL/JGc4uFO89jk/Fx4U/FSTRSeMtnleR3/OqluT4RD1bzvp v9rqun29hCgztk5wWmc6eX986QPKJHjH6wCA+9okQZc7afZFE9EYpTs2ZRON9b0eOKr0 NXSn/Uld0r8xXRx/bQugywNwhok9YLUDcu731qfZxwZCWinERtAAbAYtFkjMN0lWai/2 2cxA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=fHig+vZA; spf=pass (google.com: domain of linux-kernel+bounces-11256-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-11256-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id s9-20020a05620a254900b0077dc528f856si11850288qko.19.2023.12.25.16.37.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Dec 2023 16:37:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-11256-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=fHig+vZA; spf=pass (google.com: domain of linux-kernel+bounces-11256-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-11256-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 927271C216B7 for ; Tue, 26 Dec 2023 00:37:23 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 758C159E23; Tue, 26 Dec 2023 00:24:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="fHig+vZA" X-Original-To: linux-kernel@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A28AC59B68; Tue, 26 Dec 2023 00:23:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 517C7C433C7; Tue, 26 Dec 2023 00:23:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1703550239; bh=INCFmxnzVcno2G0uByDm+uObuNwYrETLxoR9bzDGLNo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fHig+vZAiZXxvGsiPfi8yZnPy99kFf1rqWd55ZHpCzgssbGJIJAVQ/EXahJT+aa6D bT/aUEJoZlibHx3YulTyxnQpgzL6YJRh4f7pKgpOtBb6357H8aXv3GtzVPMIChPavZ 8JVjpsYAkKzpANFDGKE99dEe9kdDZsbHWUqrKR7waCR6l+ILG2MQQbwgxT80uRcUnQ fxlmkDLIXaxBXsyGsQUCb4OEMZzAkmatApkPq9lhRIh0orVhjgmy1SGs1qr8cGTYLF qxobBUesJYxceUEKRclvpIE8I39sGLbRS8EV+CIe7WgpmtOwO2D6dfKK+j3rRbNnNw 0ByNO5N6FXA+Q== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: "Matthew Wilcox (Oracle)" , Zhenghan Wang , Linus Torvalds , Sasha Levin , linux-fsdevel@vger.kernel.org Subject: [PATCH AUTOSEL 6.1 24/24] ida: Fix crash in ida_free when the bitmap is empty Date: Mon, 25 Dec 2023 19:22:17 -0500 Message-ID: <20231226002255.5730-24-sashal@kernel.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231226002255.5730-1-sashal@kernel.org> References: <20231226002255.5730-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.1.69 Content-Transfer-Encoding: 8bit From: "Matthew Wilcox (Oracle)" [ Upstream commit af73483f4e8b6f5c68c9aa63257bdd929a9c194a ] The IDA usually detects double-frees, but that detection failed to consider the case when there are no nearby IDs allocated and so we have a NULL bitmap rather than simply having a clear bit. Add some tests to the test-suite to be sure we don't inadvertently reintroduce this problem. Unfortunately they're quite noisy so include a message to disregard the warnings. Reported-by: Zhenghan Wang Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- lib/idr.c | 2 +- lib/test_ida.c | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/lib/idr.c b/lib/idr.c index 13f2758c23773..da36054c3ca02 100644 --- a/lib/idr.c +++ b/lib/idr.c @@ -508,7 +508,7 @@ void ida_free(struct ida *ida, unsigned int id) goto delete; xas_store(&xas, xa_mk_value(v)); } else { - if (!test_bit(bit, bitmap->bitmap)) + if (!bitmap || !test_bit(bit, bitmap->bitmap)) goto err; __clear_bit(bit, bitmap->bitmap); xas_set_mark(&xas, XA_FREE_MARK); diff --git a/lib/test_ida.c b/lib/test_ida.c index b068806259615..55105baa19da9 100644 --- a/lib/test_ida.c +++ b/lib/test_ida.c @@ -150,6 +150,45 @@ static void ida_check_conv(struct ida *ida) IDA_BUG_ON(ida, !ida_is_empty(ida)); } +/* + * Check various situations where we attempt to free an ID we don't own. + */ +static void ida_check_bad_free(struct ida *ida) +{ + unsigned long i; + + printk("vvv Ignore \"not allocated\" warnings\n"); + /* IDA is empty; all of these will fail */ + ida_free(ida, 0); + for (i = 0; i < 31; i++) + ida_free(ida, 1 << i); + + /* IDA contains a single value entry */ + IDA_BUG_ON(ida, ida_alloc_min(ida, 3, GFP_KERNEL) != 3); + ida_free(ida, 0); + for (i = 0; i < 31; i++) + ida_free(ida, 1 << i); + + /* IDA contains a single bitmap */ + IDA_BUG_ON(ida, ida_alloc_min(ida, 1023, GFP_KERNEL) != 1023); + ida_free(ida, 0); + for (i = 0; i < 31; i++) + ida_free(ida, 1 << i); + + /* IDA contains a tree */ + IDA_BUG_ON(ida, ida_alloc_min(ida, (1 << 20) - 1, GFP_KERNEL) != (1 << 20) - 1); + ida_free(ida, 0); + for (i = 0; i < 31; i++) + ida_free(ida, 1 << i); + printk("^^^ \"not allocated\" warnings over\n"); + + ida_free(ida, 3); + ida_free(ida, 1023); + ida_free(ida, (1 << 20) - 1); + + IDA_BUG_ON(ida, !ida_is_empty(ida)); +} + static DEFINE_IDA(ida); static int ida_checks(void) @@ -162,6 +201,7 @@ static int ida_checks(void) ida_check_leaf(&ida, 1024 * 64); ida_check_max(&ida); ida_check_conv(&ida); + ida_check_bad_free(&ida); printk("IDA: %u of %u tests passed\n", tests_passed, tests_run); return (tests_run != tests_passed) ? 0 : -EINVAL; -- 2.43.0