summaryrefslogtreecommitdiffstats
path: root/scripts/test_fortify.sh
diff options
context:
space:
mode:
authorMatthew Wilcox (Oracle) <willy@infradead.org>2022-04-22 19:23:12 +0200
committerMatthew Wilcox (Oracle) <willy@infradead.org>2022-04-22 21:35:40 +0200
commit63b1898fffcd8bd81905b95104ecc52b45a97e21 (patch)
tree0cfbd3c8d41a0c838b37aa6ee9c06017f22f65f5 /scripts/test_fortify.sh
parenttools: Add kmem_cache_alloc_lru() (diff)
downloadlinux-63b1898fffcd8bd81905b95104ecc52b45a97e21.tar.xz
linux-63b1898fffcd8bd81905b95104ecc52b45a97e21.zip
XArray: Disallow sibling entries of nodes
There is a race between xas_split() and xas_load() which can result in the wrong page being returned, and thus data corruption. Fortunately, it's hard to hit (syzbot took three months to find it) and often guarded with VM_BUG_ON(). The anatomy of this race is: thread A thread B order-9 page is stored at index 0x200 lookup of page at index 0x274 page split starts load of sibling entry at offset 9 stores nodes at offsets 8-15 load of entry at offset 8 The entry at offset 8 turns out to be a node, and so we descend into it, and load the page at index 0x234 instead of 0x274. This is hard to fix on the split side; we could replace the entire node that contains the order-9 page instead of replacing the eight entries. Fixing it on the lookup side is easier; just disallow sibling entries that point to nodes. This cannot ever be a useful thing as the descent would not know the correct offset to use within the new node. The test suite continues to pass, but I have not added a new test for this bug. Reported-by: syzbot+cf4cf13056f85dec2c40@syzkaller.appspotmail.com Tested-by: syzbot+cf4cf13056f85dec2c40@syzkaller.appspotmail.com Fixes: 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache") Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Diffstat (limited to 'scripts/test_fortify.sh')
0 files changed, 0 insertions, 0 deletions