Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=55a230aae650157720becc09cadb7d10efbf5013 Commit: 55a230aae650157720becc09cadb7d10efbf5013 Parent: 8f731f7d83d6c6a3eeb32cce79bfcddbf7fac8cc Author: Paul Jackson <[EMAIL PROTECTED]> AuthorDate: Thu Oct 18 23:39:28 2007 -0700 Committer: Linus Torvalds <[EMAIL PROTECTED]> CommitDate: Fri Oct 19 11:53:35 2007 -0700
cpuset: zero malloc - revert the old cpuset fix The cpuset code to present a list of tasks using a cpuset to user space could write to an array that it had kmalloc'd, after a kmalloc request of zero size. The problem was that the code didn't check for writes past the allocated end of the array until -after- the first write. This is a race condition that is likely rare -- it would only show up if a cpuset went from being empty to having a task in it, during the brief time between the allocation and the first write. Prior to roughly 2.6.22 kernels, this was also a benign problem, because a zero kmalloc returned a few usable bytes anyway, and no harm was done with the bogus write. With the 2.6.22 kernel changes to make issue a warning if code tries to write to the location returned from a zero size allocation, this problem is no longer benign. This cpuset code would occassionally trigger that warning. The fix is trivial -- check before storing into the array, not after, whether the array is big enough to hold the store. Cc: "Eric W. Biederman" <[EMAIL PROTECTED]> Cc: "Serge E. Hallyn" <[EMAIL PROTECTED]> Cc: Balbir Singh <[EMAIL PROTECTED]> Cc: Dave Hansen <[EMAIL PROTECTED]> Cc: Herbert Poetzl <[EMAIL PROTECTED]> Cc: Kirill Korotaev <[EMAIL PROTECTED]> Cc: Paul Menage <[EMAIL PROTECTED]> Cc: Srivatsa Vaddagiri <[EMAIL PROTECTED]> Cc: Christoph Lameter <[EMAIL PROTECTED]> Signed-off-by: Paul Jackson <[EMAIL PROTECTED]> Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> --- kernel/cpuset.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/cpuset.c b/kernel/cpuset.c index 64950fa..a40a2c4 100644 --- a/kernel/cpuset.c +++ b/kernel/cpuset.c @@ -1638,9 +1638,9 @@ static int pid_array_load(pid_t *pidarray, int npids, struct cpuset *cs) do_each_thread(g, p) { if (p->cpuset == cs) { + pidarray[n++] = p->pid; if (unlikely(n == npids)) goto array_full; - pidarray[n++] = p->pid; } } while_each_thread(g, p); - To unsubscribe from this list: send the line "unsubscribe git-commits-head" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html