The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 955a923d2809803980ff574270f81510112be9cf Mon Sep 17 00:00:00 2001
From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Date: Mon, 22 Apr 2024 16:33:49 -0400
Subject: [PATCH] maple_tree: fix mas_empty_area_rev() null pointer dereference
Currently the code calls mas_start() followed by mas_data_end() if the maple state is MA_START, but mas_start() may return with the maple state node == NULL. This will lead to a null pointer dereference when checking information in the NULL node, which is done in mas_data_end().
Avoid setting the offset if there is no node by waiting until after the maple state is checked for an empty or single entry state.
A user could trigger the events to cause a kernel oops by unmapping all vmas to produce an empty maple tree, then mapping a vma that would cause the scenario described above.
Link: https://lkml.kernel.org/r/20240422203349.2418465-1-Liam.Howlett@oracle.com
Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reported-by: Marius Fleischer <fleischermarius@gmail.com>
Closes: https://lore.kernel.org/lkml/CAJg=8jyuSxDL6XvqEXY_66M20psRK2J53oBTP+fjV5xpW2...
Link: https://lore.kernel.org/lkml/CAJg=8jyuSxDL6XvqEXY_66M20psRK2J53oBTP+fjV5xpW2...
Tested-by: Marius Fleischer <fleischermarius@gmail.com>
Tested-by: Sidhartha Kumar <sidhartha.kumar@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
diff --git a/lib/maple_tree.c b/lib/maple_tree.c index 55e1b35bf877..2d7d27e6ae3c 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -5109,18 +5109,18 @@ int mas_empty_area_rev(struct ma_state *mas, unsigned long min, if (size == 0 || max - min < size - 1) return -EINVAL;
- if (mas_is_start(mas)) { + if (mas_is_start(mas)) mas_start(mas); - mas->offset = mas_data_end(mas); - } else if (mas->offset >= 2) { - mas->offset -= 2; - } else if (!mas_rewind_node(mas)) { + else if ((mas->offset < 2) && (!mas_rewind_node(mas))) return -EBUSY; - }
- /* Empty set. */ - if (mas_is_none(mas) || mas_is_ptr(mas)) + if (unlikely(mas_is_none(mas) || mas_is_ptr(mas))) return mas_sparse_area(mas, min, max, size, false); + else if (mas->offset >= 2) + mas->offset -= 2; + else + mas->offset = mas_data_end(mas); +
/* The start of the window can only be within these values. */ mas->index = min;
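Review bot: the rewind path now behaves differently, not only the MA_START path: before, `else if (!mas_rewind_node(mas))` was the final arm, so a successful rewind went straight on with whatever offset the rewind left; after, a state that entered `else if ((mas->offset < 2) && (!mas_rewind_node(mas)))` and rewound successfully continues into the second chain, where its offset is decremented by two again or reset to mas_data_end(mas). If that is intended it belongs in the commit message, which only describes deferring the offset for the no-node case; if not, the rewind case needs to skip the second adjustment. Minor: the `/* Empty set. */` comment on the mas_is_none()/mas_is_ptr() check was dropped without a replacement; keep it above the new `if (unlikely(...))` line.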
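A constructed C model of the reordering the commit makes, added here as an example and not kernel code: toy_state, toy_start() and toy_data_end() are stand-ins for struct ma_state, mas_start() and mas_data_end(), the rewind path is left out, and the old variant returns a sentinel at the point where the real function would have dereferenced the NULL node.

```c
#include <stddef.h>
/* Constructed toy model of the maple state; not the kernel's struct ma_state. */
struct toy_node { int count; };           /* stands in for a real maple node   */
struct toy_state {
	enum { TOY_START, TOY_NONE, TOY_PTR, TOY_NODE } kind;
	struct toy_node *node;                /* NULL unless kind == TOY_NODE      */
	int offset;
};
/* Toy mas_start(): an empty tree leaves no node behind, as the commit describes. */
static void toy_start(struct toy_state *mas, struct toy_node *root, int entries)
{
	mas->offset = 0;
	if (entries == 0)      { mas->kind = TOY_NONE; mas->node = NULL; }
	else if (entries == 1) { mas->kind = TOY_PTR;  mas->node = NULL; }
	else                   { mas->kind = TOY_NODE; mas->node = root; }
}
/* Toy mas_data_end(): reads the node, so it must never be handed a NULL one. */
static int toy_data_end(const struct toy_state *mas) { return mas->node->count - 1; }
#define TOY_NULL_DEREF (-1000)   /* sentinel: the real code would oops here     */
#define TOY_SPARSE     (-2000)   /* sentinel: took the mas_sparse_area() path   */
/* Old ordering: offset taken from the node right after mas_start(). */
static int toy_area_rev_old(struct toy_state *mas, struct toy_node *root, int entries)
{
	if (mas->kind == TOY_START) {
		toy_start(mas, root, entries);
		if (!mas->node)
			return TOY_NULL_DEREF;   /* mas_data_end() on a NULL node */
		mas->offset = toy_data_end(mas);
	} else if (mas->offset >= 2) {
		mas->offset -= 2;
	}
	if (mas->kind == TOY_NONE || mas->kind == TOY_PTR)
		return TOY_SPARSE;
	return mas->offset;
}
/* Fixed ordering (commit 955a923d2809): empty/single-entry check runs first. */
static int toy_area_rev_new(struct toy_state *mas, struct toy_node *root, int entries)
{
	if (mas->kind == TOY_START)
		toy_start(mas, root, entries);
	if (mas->kind == TOY_NONE || mas->kind == TOY_PTR)
		return TOY_SPARSE;
	else if (mas->offset >= 2)
		mas->offset -= 2;
	else
		mas->offset = toy_data_end(mas);
	return mas->offset;
}
```

On a populated tree both orderings compute the same offset; only the empty and single-entry cases differ, which is exactly the window the fix closes.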
* gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> [240513 09:30]:
The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
^- This patch is needed, and has a fixes tag. I'm not entirely sure why it wasn't included in 6.1 already, but it applies cleanly and fixes the issue with 955a923d2809.
fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")
Thanks, Liam
On Thu, May 23, 2024 at 03:45:22PM -0400, Liam R. Howlett wrote:
* gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> [240513 09:30]:
The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
^- This patch is needed, and has a fixes tag. I'm not entirely sure why it wasn't included in 6.1 already, but it applies cleanly and fixes the issue with 955a923d2809.
"Fixes:" tags do not mean "will always end up in stable". Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")
So you want us to take all of these? Or just the one?
thanks,
greg k-h
* Greg KH <gregkh@linuxfoundation.org> [240524 00:10]:
On Thu, May 23, 2024 at 03:45:22PM -0400, Liam R. Howlett wrote:
* gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> [240513 09:30]:
The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
^- This patch is needed, and has a fixes tag. I'm not entirely sure why it wasn't included in 6.1 already, but it applies cleanly and fixes the issue with 955a923d2809.
"Fixes:" tags do not mean "will always end up in stable". Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
Thank you. The Cc of stable was missing but wasn't required at the time, so this patch was not taken and wasn't necessary. It's better to take it now.
fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")
So you want us to take all of these? Or just the one?
Apologies for not being clear.
The last patch in the list (fad8e4291da5) is reported to be an empty cherry-pick and stable was Cc'ed on that fix.
Please apply:
29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
then
955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
Regards, Liam
On Fri, May 24, 2024 at 09:03:15AM -0400, Liam R. Howlett wrote:
* Greg KH <gregkh@linuxfoundation.org> [240524 00:10]:
On Thu, May 23, 2024 at 03:45:22PM -0400, Liam R. Howlett wrote:
* gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> [240513 09:30]:
The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
^- This patch is needed, and has a fixes tag. I'm not entirely sure why it wasn't included in 6.1 already, but it applies cleanly and fixes the issue with 955a923d2809.
"Fixes:" tags do not mean "will always end up in stable". Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
Thank you. The Cc of stable was missing but wasn't required at the time, so this patch was not taken and wasn't necessary. It's better to take it now.
fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")
So you want us to take all of these? Or just the one?
Apologies for not being clear.
The last patch in the list (fad8e4291da5) is reported to be an empty cherry-pick and stable was Cc'ed on that fix.
Please apply:
29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
then
955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
Now done, thanks.
greg k-h