commit: cfad7fa18e7a38299e446e09aedf44360ddd829d Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Thu Jan 12 15:25:25 2023 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Thu Jan 12 15:25:25 2023 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=cfad7fa1
maple_tree: fix mas_empty_area_rev() lower bound validation Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 4 ++ ...ee-fix-mas-empty-area-rev-lower-bound-val.patch | 82 ++++++++++++++++++++++ 2 files changed, 86 insertions(+) diff --git a/0000_README b/0000_README index e8c453f1..f47a205a 100644 --- a/0000_README +++ b/0000_README @@ -75,6 +75,10 @@ Patch: 1700_sparc-address-warray-bound-warnings.patch From: https://github.com/KSPP/linux/issues/109 Desc: Address -Warray-bounds warnings +Patch: 1800_maple-tree-fix-mas-empty-area-rev-lower-bound-val.patch +From: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git +Desc: maple_tree: fix mas_empty_area_rev() lower bound validation + Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch From: https://lore.kernel.org/linux-bluetooth/[email protected]/raw Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 diff --git a/1800_maple-tree-fix-mas-empty-area-rev-lower-bound-val.patch b/1800_maple-tree-fix-mas-empty-area-rev-lower-bound-val.patch new file mode 100644 index 00000000..53075739 --- /dev/null +++ b/1800_maple-tree-fix-mas-empty-area-rev-lower-bound-val.patch 
@@ -0,0 +1,82 @@
+From ebc4c1bcc2a513bb2292dc73aa247b046bc846ce Mon Sep 17 00:00:00 2001
+From: Liam Howlett <[email protected]>
+Date: Wed, 11 Jan 2023 20:02:07 +0000
+Subject: maple_tree: fix mas_empty_area_rev() lower bound validation
+
+mas_empty_area_rev() was not correctly validating the start of a gap
+against the lower limit. This could lead to the range starting lower than
+the requested minimum.
+
+Fix the issue by better validating a gap once one is found.
+
+This commit also adds tests to the maple tree test suite for this issue
+and tests the mas_empty_area() function for similar bound checking.
+
+Link: https://lkml.kernel.org/r/[email protected]
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216911
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Liam R. Howlett <[email protected]>
+Reported-by: <[email protected]>
+ Link: https://lore.kernel.org/linux-mm/[email protected]/
+Tested-by: Holger Hoffsttte <[email protected]>
+Cc: <[email protected]>
+Signed-off-by: Andrew Morton <[email protected]>
+---
+ lib/maple_tree.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+(limited to 'lib/maple_tree.c')
+
+diff --git a/lib/maple_tree.c b/lib/maple_tree.c
+index 26e2045d3cda9..b990ccea454ec 100644
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -4887,7 +4887,7 @@ static bool mas_rev_awalk(struct ma_state *mas, unsigned long size)
+ unsigned long *pivots, *gaps;
+ void __rcu **slots;
+ unsigned long gap = 0;
+- unsigned long max, min, index;
++ unsigned long max, min;
+ unsigned char offset;
+
+ if (unlikely(mas_is_err(mas)))
+@@ -4909,8 +4909,7 @@ static bool mas_rev_awalk(struct ma_state *mas, unsigned long size)
+ min = mas_safe_min(mas, pivots, --offset);
+
+ max = mas_safe_pivot(mas, pivots, offset, type);
+- index = mas->index;
+- while (index <= max) {
++ while (mas->index <= max) {
+ gap = 0;
+ if (gaps)
+ gap = gaps[offset];
+@@ -4941,10 +4940,8 @@ static bool mas_rev_awalk(struct ma_state *mas, unsigned long size)
+ min = mas_safe_min(mas, pivots, offset);
+ }
+
+- if (unlikely(index > max)) {
+- mas_set_err(mas, -EBUSY);
+- return false;
+- }
++ if (unlikely((mas->index > max) || (size - 1 > max - mas->index)))
++ goto no_space;
+
+ if (unlikely(ma_is_leaf(type))) {
+ mas->offset = offset;
+@@ -4961,9 +4958,11 @@ static bool mas_rev_awalk(struct ma_state *mas, unsigned long size)
+ return false;
+
+ ascend:
+- if (mte_is_root(mas->node))
+- mas_set_err(mas, -EBUSY);
++ if (!mte_is_root(mas->node))
++ return false;
+
++no_space:
++ mas_set_err(mas, -EBUSY);
+ return false;
+ }
+
+--
+cgit
+
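Review bot: The bound check added in the third hunk of the carried patch, `(size - 1 > max - mas->index)`, is unsigned arithmetic with no visible guard on `size`: a size of 0 would wrap `size - 1` to ULONG_MAX and send the search to `no_space` with -EBUSY. The subtraction `max - mas->index` cannot wrap only because the `mas->index > max` test short-circuits first, which deserves a comment such as `/* index <= max here, so max - index cannot wrap; size is assumed non-zero */`. Whether callers reject a zero size cannot be confirmed from these hunks, because mas_rev_awalk() and its callers lie mostly outside them. The patch was also taken from a view limited to lib/maple_tree.c, so the test-suite additions its commit message describes are not included and the lower-bound fix ships here without its regression tests.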
