Commit:     3e903e7b1605aff88d7f89a96fab5e43081b914f
Parent:     d6f8bb1310d4745ff1d0c74eeacae31e2a3eeff1
Author:     Paul Jackson <[EMAIL PROTECTED]>
AuthorDate: Sat Jun 16 10:16:01 2007 -0700
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Sat Jun 16 13:16:15 2007 -0700

    cpuset: zero malloc - fix for old cpusets
    The cpuset code to present a list of tasks using a cpuset to user space 
    write to an array that it had kmalloc'd, after a kmalloc request of zero 
    The problem was that the code didn't check for writes past the allocated end
    of the array until -after- the first write.
    This is a race condition that is likely rare -- it would only show up if a
    cpuset went from being empty to having a task in it, during the brief time
    between the allocation and the first write.
    Prior to roughly 2.6.22 kernels, this was also a benign problem, because a
    zero kmalloc returned a few usable bytes anyway, and no harm was done with 
    bogus write.
    With the 2.6.22 kernel changes to make issue a warning if code tries to 
    to the location returned from a zero size allocation, this problem is no
    longer benign.  This cpuset code would occasionally trigger that warning.
    The fix is trivial -- check before storing into the array, not after, 
    the array is big enough to hold the store.
    Cc: "Eric W. Biederman" <[EMAIL PROTECTED]>
    Cc: "Serge E. Hallyn" <[EMAIL PROTECTED]>
    Cc: Balbir Singh <[EMAIL PROTECTED]>
    Cc: Dave Hansen <[EMAIL PROTECTED]>
    Cc: Herbert Poetzl <[EMAIL PROTECTED]>
    Cc: Kirill Korotaev <[EMAIL PROTECTED]>
    Cc: Paul Menage <[EMAIL PROTECTED]>
    Cc: Srivatsa Vaddagiri <[EMAIL PROTECTED]>
    Cc: Christoph Lameter <[EMAIL PROTECTED]>
    Signed-off-by: Paul Jackson <[EMAIL PROTECTED]>
    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
 kernel/cpuset.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/kernel/cpuset.c b/kernel/cpuset.c
index f57854b..4c49188 100644
--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -1682,9 +1682,9 @@ static int pid_array_load(pid_t *pidarray, int npids, 
struct cpuset *cs)
        do_each_thread(g, p) {
                if (p->cpuset == cs) {
-                       pidarray[n++] = p->pid;
                        if (unlikely(n == npids))
                                goto array_full;
+                       pidarray[n++] = p->pid;
        } while_each_thread(g, p);
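Review bot: The bounds test "if (unlikely(n == npids))" that now precedes the store relies on exact equality, so it only protects the array as long as n can never step past npids; because npids is a signed int in the pid_array_load() signature, testing "n >= npids" would also cover a negative or otherwise unexpected count at no extra cost. A short comment above the check stating that it must come before "pidarray[n++] = p->pid;" because npids can be 0 (the zero-size kmalloc case described in the commit message) would keep a later cleanup from moving the store back in front of it.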