On Sat, 22 Aug 2020 17:53:28 +0800 Muchun Song <songmuchun@xxxxxxxxxxxxx> wrote:

> There is a race between the assignment of `table->data` and write value
> to the pointer of `table->data` in the __do_proc_doulongvec_minmax().

Where does __do_proc_doulongvec_minmax() write to table->data?

I think you're saying that there is a race between the assignment of
ctl_table->table in hugetlb_sysctl_handler_common() and the assignment
of the same ctl_table->table in hugetlb_overcommit_handler()?

Or not, maybe I'm being thick. Can you please describe the race more
carefully and completely?

> Fix this by duplicating the `table`, and only update the duplicate of
> it. And introduce a helper of proc_hugetlb_doulongvec_minmax() to
> simplify the code.
>