Commit 7384b2e4 authored Nov 01, 2024 by Kent Overstreet Committed by Zhang Zekun Nov 01, 2024

lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()

stable inclusion
from stable-v5.10.226
commit 99418ec776a39609f50934720419e0b464ca2283
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAVU82
CVE: CVE-2024-47668

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=99418ec776a39609f50934720419e0b464ca2283



-----------------------------------------------------------

[ Upstream commit b2f11c6f3e1fc60742673b8675c95b78447f3dae ]

If we need to increase the tree depth, allocate a new node, and then
race with another thread that increased the tree depth before us, we'll
still have a preallocated node that might be used later.

If we then use that node for a new non-root node, it'll still have a
pointer to the old root instead of being zeroed - fix this by zeroing it
in the cmpxchg failure path.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>

parent 8c742fc5

lib/generic-radix-tree.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -131,6 +131,8 @@ void __genradix_ptr_alloc(struct __genradix radix, size_t offset,
		if ((v = cmpxchg_release(&radix->root, r, new_root)) == r) {
		v = new_root;
		new_node = NULL;
		} else {
		new_node->children[0] = NULL;
		}
		}