lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()

PlaidCat · PlaidCat · commit f996c417df6e · 2025-06-06T13:33:17.000-04:00
jira LE-3201 cve CVE-2024-47668 Rebuild_History Non-Buildable kernel-rt-4.18.0-553.27.1.rt7.368.el8_10 commit-author Kent Overstreet <kent.overstreet@linux.dev> commit b2f11c6 If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> (cherry picked from commit b2f11c6) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/lib/generic-radix-tree.c b/lib/generic-radix-tree.c
@@ -131,6 +131,8 @@ void *__genradix_ptr_alloc(struct __genradix *radix, size_t offset,
 		if ((v = cmpxchg_release(&radix->root, r, new_root)) == r) {
 			v = new_root;
 			new_node = NULL;
+		} else {
+			new_node->children[0] = NULL;
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,8 @@ void __genradix_ptr_alloc(struct __genradix radix, size_t offset,`
`131`	`131`	`if ((v = cmpxchg_release(&radix->root, r, new_root)) == r) {`
`132`	`132`	`v = new_root;`
`133`	`133`	`new_node = NULL;`
	`134`	`+ } else {`
	`135`	`+ new_node->children[0] = NULL;`
`134`	`136`	`}`
`135`	`137`	`}`
`136`	`138`