Patchwork [3.5.y.z,extended,stable] Patch "posix-timer: Don't call idr_find() with out-of-range ID" has been added to staging queue

mail settings
Submitter Luis Henriques
Date Feb. 28, 2013, 11:58 a.m.
Message ID <>
Download mbox | patch
Permalink /patch/223932/
State New
Headers show


Luis Henriques - Feb. 28, 2013, 11:58 a.m.
This is a note to let you know that I have just added a patch titled

    posix-timer: Don't call idr_find() with out-of-range ID

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 9f37dcaead09b19c31b133f5090e32f440f15225 Mon Sep 17 00:00:00 2001
From: Tejun Heo <>
Date: Wed, 20 Feb 2013 15:24:12 -0800
Subject: [PATCH] posix-timer: Don't call idr_find() with out-of-range ID

commit e182bb38d7db7494fa5dcd82da17fe0dedf60ecf upstream.

When idr_find() was fed a negative ID, it used to look up the ID
ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and
move left MAX_IDR_* into idr.c") patch. Now a negative ID triggers

__lock_timer() feeds timer_id from userland directly to idr_find()
without sanitizing it which can trigger the above malfunctions.  Add a
range check on @timer_id before invoking idr_find() in __lock_timer().

While timer_t is defined as int by all archs at the moment, Andrew
worries that it may be defined as a larger type later on.  Make the
test cover larger integers too so that it at least is guaranteed to
not return the wrong timer.

Note that WARN_ON_ONCE() in idr_find() on id < 0 is transitional
precaution while moving away from ignoring MSB.  Once it's gone we can
remove the guard as long as timer_t isn't larger than int.

Signed-off-by: Tejun Heo <>nnn
Reported-by: Sasha Levin <>
Cc: Andrew Morton <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Luis Henriques <>
 kernel/posix-timers.c | 7 +++++++
 1 file changed, 7 insertions(+)



diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
index 69185ae..e885be1 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -639,6 +639,13 @@  static struct k_itimer *__lock_timer(timer_t timer_id, unsigned long *flags)
 	struct k_itimer *timr;

+	/*
+	 * timer_t could be any type >= int and we want to make sure any
+	 * @timer_id outside positive int range fails lookup.
+	 */
+	if ((unsigned long long)timer_id > INT_MAX)
+		return NULL;
 	timr = idr_find(&posix_timers_id, (int)timer_id);
 	if (timr) {