On Fri, Apr 18, 2014 at 08:49:50PM +0800, Lai Jiangshan wrote:
> If the ida has at least one existed_id, and when a special unallocated_id

existing id or allocated id when an unallocated id which meets a certain
condition is passed to...

> is passed to the ida_remove(), the system will crash because it hits NULL
> pointer dereference.
>
> This special unallocated_id is that it shares the same lowest idr layer with

The condition is that the ID shares the...

> an existed_id, but the idr slot is different (if the unallocated_id is
> allocated).

the existing ID, would be different if the unallocated ID were to be
allocated.

> In this case the supposed idr slot of the unallocated_id is NULL,

matching for

> It means @bitmap == NULL, and when the code dereferences it, it crashes the
> kernel.

causing @bitmap to be NULL which the function dereferences without
checking crashing the kernel.

>
> See the test code:
>
> static void test3(void)
> {
>         int id;
>         DEFINE_IDA(test_ida);
>
>         printk(KERN_INFO "Start test3\n");
>         if (ida_pre_get(&test_ida, GFP_KERNEL) < 0)
>                 return;
>         if (ida_get_new(&test_ida, &id) < 0)
>                 return;
>         ida_remove(&test_ida, 4000); /* bug: null dereference here */
>         printk(KERN_INFO "End of test3\n");
> }
>
> It only happens when unallocated_id, it is caller's fault. It is not

It happens only when the caller tries to free an unallocated ID which is
the caller's fault.

> a bug. But it is better to add the proper check and complain instead

and complain rather than crashing the kernel

> of crashing the kernel.
>
> Signed-off-by: Lai Jiangshan <la...@cn.fujitsu.com>

Acked-by: Tejun Heo <t...@kernel.org>

Thanks.

-- 
tejun
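The layer/bitmap layout behind the crash, as a constructed toy model added here for illustration (not the kernel's idr/ida code; `model_*` names and the bitmap and layer sizes are assumptions): a bitmap is only created for the id range that has been allocated, so an id such as 4000 lands on a NULL bitmap slot in the same layer, and the guard in `model_ida_remove` is the check the patch argues for.

```c
/* Constructed toy model of the IDA layout the report describes (not the kernel's
 * code): a layer holds pointers to bitmaps that are allocated on demand, so an
 * id far from any allocated one maps to a NULL bitmap slot. */
#include <stdio.h>
#include <stdlib.h>
#define IDA_BITMAP_BITS 128   /* ids per bitmap (constructed value) */
#define IDA_LAYER_SLOTS 64    /* bitmaps per layer (constructed value) */
struct ida_bitmap { unsigned char bit[IDA_BITMAP_BITS / 8]; };
struct ida_layer  { struct ida_bitmap *ary[IDA_LAYER_SLOTS]; };
/* Allocate the lowest free id, creating its bitmap on demand; -1 when full. */
int model_ida_get_new(struct ida_layer *l, int *id)
{
    for (int slot = 0; slot < IDA_LAYER_SLOTS; slot++) {
        if (!l->ary[slot] && !(l->ary[slot] = calloc(1, sizeof(struct ida_bitmap))))
            return -1;
        for (int b = 0; b < IDA_BITMAP_BITS; b++) {
            if (!(l->ary[slot]->bit[b / 8] & (1u << (b % 8)))) {
                l->ary[slot]->bit[b / 8] |= (1u << (b % 8));
                *id = slot * IDA_BITMAP_BITS + b;
                return 0;
            }
        }
    }
    return -1;
}

/* Free @id: 0 on success, -1 with a warning when @id was never allocated,
 * i.e. its bitmap slot is NULL (the reported case) or its bit is clear. */
int model_ida_remove(struct ida_layer *l, int id)
{
    int slot = id / IDA_BITMAP_BITS, b = id % IDA_BITMAP_BITS;
    struct ida_bitmap *bitmap = (id >= 0 && slot < IDA_LAYER_SLOTS) ? l->ary[slot] : NULL;
    /* The check the patch adds; without it, bitmap->bit[] below dereferences
     * NULL for an id such as 4000 whose bitmap was never created. */
    if (!bitmap || !(bitmap->bit[b / 8] & (1u << (b % 8)))) {
        fprintf(stderr, "ida_remove called for id=%d which is not allocated\n", id);
        return -1;
    }
    bitmap->bit[b / 8] &= ~(1u << (b % 8));
    return 0;
}
/* Mirrors test3 from the report: allocate one id, then remove unallocated 4000. */
int model_test3(void)
{
    struct ida_layer l = {{0}};
    int id = -1, rc;
    if (model_ida_get_new(&l, &id) < 0 || id != 0) return -2;
    rc = model_ida_remove(&l, 4000); /* -1 instead of a NULL dereference */
    free(l.ary[0]);
    return rc;
}
```

With the guard removed, `model_test3` faults exactly the way the report's test3 does, since slot 31 of the layer is NULL.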