XArray: Disallow sibling entries of nodes
Matthew Wilcox (Oracle) authored
[ Upstream commit 63b1898f ]

There is a race between xas_split() and xas_load() which can result in
the wrong page being returned, and thus data corruption.  Fortunately,
it's hard to hit (syzbot took three months to find it) and often guarded
with VM_BUG_ON().

The anatomy of this race is:

thread A			thread B
order-9 page is stored at index 0x200
				lookup of page at index 0x274
page split starts
				load of sibling entry at offset 9
stores nodes at offsets 8-15
				load of entry at offset 8

The entry at offset 8 turns out to be a node, and so we descend into it,
and load the page at index 0x234 instead of 0x274.  This is hard to fix
on the split side; we could replace the entire node that contains the
order-9 page instead of replacing the eight entries.  Fixing it on
the lookup side is easier; just disallow sibling entries that point
to nodes.  This cannot ever be a useful thing as the descent would not
know the correct offset...
825b95bd
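The interleaving in the commit message, modelled as an added example in userspace C (this is not kernel code and not the patch itself). It assumes the default 64-slot chunk, a tagged-pointer encoding simplified from include/linux/xarray.h, a `preempt` hook standing in for the scheduler switching from thread B to thread A, a `fixed` flag selecting the pre- or post-patch lookup rule, and, as my own assumption about how the lookup side "disallows" the entry, a retry entry returned to the caller; the page shows the rule, not the mechanism. Indices, offsets and node layout are the ones the message gives: an order-9 page at 0x200 occupying level-1 slots 8..15, a lookup of 0x274 that reads the sibling at offset 9, and a split that stores nodes into offsets 8..15 in between.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define XA_CHUNK_SHIFT 6                   /* assumed: 64-slot chunks, the default */
#define XA_CHUNK_SIZE  (1UL << XA_CHUNK_SHIFT)
#define XA_CHUNK_MASK  (XA_CHUNK_SIZE - 1)

struct page { unsigned long index; };      /* stand-in for struct page */
struct xa_node { unsigned char shift; void *slots[XA_CHUNK_SIZE]; };

/* Tagged pointers, simplified from include/linux/xarray.h: plain pointers are pages,
 * low bits 10 mark internal entries, and an internal value below XA_CHUNK_SIZE is a
 * sibling that names another slot of the same node. */
static void *xa_mk_internal(uintptr_t v)  { return (void *)((v << 2) | 2); }
static bool xa_is_internal(const void *e) { return ((uintptr_t)e & 3) == 2; }
static bool xa_is_sibling(const void *e)  { return xa_is_internal(e) && (uintptr_t)e < (XA_CHUNK_SIZE << 2); }
static unsigned xa_to_sibling(const void *e) { return (unsigned)((uintptr_t)e >> 2); }
static void *xa_mk_node(struct xa_node *n) { return (void *)((uintptr_t)n | 2); }
static bool xa_is_node(const void *e)     { return xa_is_internal(e) && (uintptr_t)e > 4096; }
static struct xa_node *xa_to_node(const void *e) { return (struct xa_node *)((uintptr_t)e & ~(uintptr_t)3); }
#define XA_RETRY_ENTRY xa_mk_internal(256)  /* neither a sibling nor a node (assumed signal) */

static struct xa_node root, children[8];
static struct page huge, small[8 * XA_CHUNK_SIZE];

/* Starting state: an order-9 page at 0x200 owns level-1 slots 8..15; slot 8 holds
 * the page and slots 9..15 hold sibling entries pointing back at 8. */
static void setup_tree(void)
{
    memset(&root, 0, sizeof root);
    root.shift = XA_CHUNK_SHIFT;
    huge.index = 0x200;
    root.slots[8] = &huge;
    for (unsigned i = 9; i < 16; i++)
        root.slots[i] = xa_mk_internal(8);
}

/* Thread A's split: slots 8..15 each become a shift-0 node holding 64 order-0 pages. */
static void split_huge_page(void)
{
    memset(children, 0, sizeof children);
    for (unsigned k = 0; k < 8 * XA_CHUNK_SIZE; k++) {
        small[k].index = 0x200 + k;
        children[k / XA_CHUNK_SIZE].slots[k % XA_CHUNK_SIZE] = &small[k];
    }
    for (unsigned i = 0; i < 8; i++)
        root.slots[8 + i] = xa_mk_node(&children[i]);
}

/* One level of thread B's walk.  `preempt`, if set, runs between reading the sibling
 * entry and reloading the canonical slot, which is where the split's stores land. */
static void *xas_descend(struct xa_node *node, unsigned long index,
                         bool fixed, void (*preempt)(void))
{
    unsigned offset = (index >> node->shift) & XA_CHUNK_MASK;
    void *entry = node->slots[offset];
    if (xa_is_sibling(entry)) {
        offset = xa_to_sibling(entry);
        if (preempt)
            preempt();
        entry = node->slots[offset];
        if (fixed && node->shift && xa_is_node(entry))
            return XA_RETRY_ENTRY;      /* the patch's rule: a sibling never leads to a node */
    }
    return entry;
}

static void *xas_load(unsigned long index, bool fixed, void (*preempt)(void))
{
    struct xa_node *node = &root;
    for (;;) {
        void *entry = xas_descend(node, index, fixed, preempt);
        preempt = NULL;                 /* inject the race only once */
        if (!xa_is_node(entry))
            return entry;
        node = xa_to_node(entry);       /* next offset comes from index, not from the sibling */
    }
}

/* Thread B's lookup of 0x274 with the split racing it: the index of the page found,
 * or -1 for a retry entry.  With `retry` the walk is repeated, as an RCU reader would. */
long racy_lookup(bool fixed, bool retry)
{
    void (*preempt)(void) = split_huge_page;
    void *e;
    setup_tree();
    do {
        e = xas_load(0x274, fixed, preempt);
        preempt = NULL;
    } while (retry && e == XA_RETRY_ENTRY);
    return e == XA_RETRY_ENTRY ? -1 : (long)((struct page *)e)->index;
}

int main(void)
{
    printf("unpatched: 0x%lx\n", (unsigned long)racy_lookup(false, false)); /* 0x234: wrong page */
    printf("patched:   %ld\n", racy_lookup(true, false));                    /* -1: retry entry */
    printf("retried:   0x%lx\n", (unsigned long)racy_lookup(true, true));    /* 0x274 */
    return 0;
}
```

Build with `cc -Wall race.c && ./a.out`. The unpatched walk shows why the message says the descent "would not know the correct offset": once thread B follows the sibling to slot 8 and finds a node there, the next offset is recomputed from the caller's own index (0x274 & 0x3f = 0x34) inside a node that covers 0x200..0x23f, so the walk lands on 0x234. With the rule applied, the walk stops at the level-1 node and the caller re-walks, by which time slot 9 holds its own node and the lookup resolves to 0x274.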
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.