Make sure strsep() in statistic_release_def() finds a terminanal '\0' and doesn't attempt to access bytes outside the given buffer. (Patch fixes statistics-infrastructure-simplify-statistics-debugfs-write-function.patch) Patch is against 2.6.21-rc6-mm1. Signed-off-by: Martin Peschke <mp3@xxxxxxxxxx> --- statistic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: linux/lib/statistic.c =================================================================== --- linux.orig/lib/statistic.c +++ linux/lib/statistic.c @@ -627,9 +627,10 @@ static ssize_t statistic_write_def(struc return -EPIPE; if (*offset + len > 16 * PAGE_SIZE) return -ENOMEM; - larger = kmalloc(*offset + len, GFP_KERNEL); + larger = kmalloc(*offset + len + 1, GFP_KERNEL); if (!larger) return -ENOMEM; + larger[*offset + len] = '\0'; memcpy(larger, seq_priv->w_buf, *offset); if (copy_from_user(larger + *offset, buf, len)) return -EFAULT; - To unsubscribe from this list: send the line "unsubscribe linux-s390" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
