On Mon, 22 Jan 2018 12:32:58 +0530 Balasubramani Vivekanandan <balasubramani_vivekanandan@xxxxxxxxxx> wrote:

> From: Balasubramani Vivekanandan <balasubramani_vivekanandan@xxxxxxxxxx>
>
> Start address calculated for slab padding restoration was wrong.
> Wrong address would point to some section before padding and
> could cause corruption
>
> ...
>
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -838,6 +838,7 @@ static int slab_pad_check(struct kmem_cache *s, struct page *page)
> u8 *start;
> u8 *fault;
> u8 *end;
> + u8 *pad;
> int length;
> int remainder;
>
> @@ -851,8 +852,9 @@ static int slab_pad_check(struct kmem_cache *s, struct page *page)
> if (!remainder)
> return 1;
>
> + pad = end - remainder;
> metadata_access_enable();
> - fault = memchr_inv(end - remainder, POISON_INUSE, remainder);
> + fault = memchr_inv(pad, POISON_INUSE, remainder);
> metadata_access_disable();
> if (!fault)
> return 1;
> @@ -860,9 +862,9 @@ static int slab_pad_check(struct kmem_cache *s, struct page *page)
> end--;
>
> slab_err(s, page, "Padding overwritten. 0x%p-0x%p", fault, end - 1);
> - print_section(KERN_ERR, "Padding ", end - remainder, remainder);
> + print_section(KERN_ERR, "Padding ", pad, remainder);
>
> - restore_bytes(s, "slab padding", POISON_INUSE, end - remainder, end);
> + restore_bytes(s, "slab padding", POISON_INUSE, fault, end);
> return 0;
> }

I don't see why it matters? The current code will overwrite POISON_INUSE bytes with POISON_INUSE, won't it? That's a bit strange but not incorrect?
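Review bot: the `end--;` context line at the top of the third hunk is what makes the old start address wrong, and the changelog should say so explicitly. Once `end` has been decremented there, `end - remainder` no longer equals the `pad` computed in the second hunk; it lands before the start of the padding, so the old `restore_bytes(s, "slab padding", POISON_INUSE, end - remainder, end)` is asked to rewrite bytes that belong to whatever precedes the padding, which is the corruption the description alludes to. Switching the start to `fault` (the first non-POISON_INUSE byte `memchr_inv()` found) restores exactly the `fault..end` range that the `slab_err()` line reports, so the change is correct; suggest the description name the `end` adjustment, since "Wrong address would point to some section before padding" on its own invites the question asked above. Minor: `print_section()` now starts at `pad` while `restore_bytes()` starts at `fault`; the asymmetry (dump the whole padding, restore only the damaged tail) is intentional but worth a short comment or a sentence in the changelog.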