• Matthew Wilcox's avatar
    ida: Free correct IDA bitmap · 4ecd9542
    Matthew Wilcox authored
    There's a relatively rare race where we look at the per-cpu preallocated
    IDA bitmap, see it's NULL, allocate a new one, and atomically update it.
    If the kmalloc() happened to sleep and we were rescheduled to a different
    CPU, or an interrupt came in at the exact right time, another task
    might have successfully allocated a bitmap and already deposited it.
    I forgot what the semantics of cmpxchg() were and ended up freeing the
    wrong bitmap leading to KASAN reporting a use-after-free.
    
    Dmitry found the bug with syzkaller & wrote the patch.  I wrote the test
    case that will reproduce the bug without his patch being applied.
    Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Signed-off-by: default avatarMatthew Wilcox <mawilcox@microsoft.com>
    4ecd9542
idr-test.c 11.3 KB