Re: [PATCH] posix-timer: don't call idr_find() w/ out-of-range ID

From: Thomas Gleixner
Date: Wed Feb 20 2013 - 18:01:17 EST

On Wed, 20 Feb 2013, Tejun Heo wrote:

> When idr_find() is fed a negative ID, it used to look up the ID
> ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and
> move left MAX_IDR_* into idr.c") patch, and triggers WARN_ON_ONCE()
> after it.
> __lock_timer() feeds timer_id from userland directly to idr_find()
> without sanitizing it which can trigger the above malfunctions. Add a
> range check on @timer_id before invoking idr_find() in __lock_timer().
> While timer_t is defined as int by all archs at the moment, Andrew
> worries that it may be defined as a larger type later on. Make the
> test cover larger integers too so that it at least is guaranteed to
> not return the wrong timer.

Again. I totaly agree with that for stable, but I disagree that this
is the real fix.

idr_find() should simply return NULL, if "id < 0". Is it that hard?


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at