The patch titled
cpumask: fix slab corruption caused by alloc_cpumask_var_node()
has been added to the -mm tree. Its filename is
cpumask-fix-slab-corruption-caused-by-alloc_cpumask_var_node.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this
The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
------------------------------------------------------
Subject: cpumask: fix slab corruption caused by alloc_cpumask_var_node()
From: Jack Steiner <steiner@xxxxxxx>
Fix for slab corruption caused by alloc_cpumask_var_node() overwriting
the tail end of an off-stack cpumask.
The pointer arithmetic in the memset() is designed to operate on
byte-sized pointers, but cpumask_bits() returns `long *' type, so the
offset of 4x or 8x too large.
Signed-off-by: Jack Steiner <steiner@xxxxxxx>
Acked-by: Mike Travis <travis.sgi.com>
Cc: Ingo Molnar <mingo@xxxxxxx>
Cc: Rusty Russell <rusty@xxxxxxxxxxxxxxx>
Cc: Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxx> [2.6.29.x]
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
lib/cpumask.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff -puN lib/cpumask.c~cpumask-fix-slab-corruption-caused-by-alloc_cpumask_var_node lib/cpumask.c
--- a/lib/cpumask.c~cpumask-fix-slab-corruption-caused-by-alloc_cpumask_var_node
+++ a/lib/cpumask.c
@@ -109,10 +109,10 @@ bool alloc_cpumask_var_node(cpumask_var_
#endif
/* FIXME: Bandaid to save us from old primitives which go to NR_CPUS. */
if (*mask) {
+ unsigned char *ptr = (unsigned char *)cpumask_bits(*mask);
unsigned int tail;
tail = BITS_TO_LONGS(NR_CPUS - nr_cpumask_bits) * sizeof(long);
- memset(cpumask_bits(*mask) + cpumask_size() - tail,
- 0, tail);
+ memset(ptr + cpumask_size() - tail, 0, tail);
}
return *mask != NULL;
_
Patches currently in -mm which might be from steiner@xxxxxxx are
origin.patch
sgi-gru-exclude-uv-definitions-on-32-bit-x86.patch
sgi-gru-add-definitions-of-x86_64-gru-mmrs.patch
sgi-gru-add-definitions-of-ia64-gru-mmrs.patch
sgi-gru-add-macros-for-using-the-uv-hub-to-send-interrupts.patch
sgi-gru-misc-gru-cleanup.patch
sgi-gru-improvements-to-gru-debug-messages-statistics.patch
sgi-gru-change-gru-cch-commands-from-inline-functions-to-outofline-functions.patch
sgi-gru-add-statistics-to-the-gru-context-management-functions.patch
sgi-gru-add-support-for-a-user-to-explicitly-unload-a-gru-context.patch
sgi-gru-asid-context-management-bug-fixes.patch
sgi-gru-restructure-the-gru-vtop-functions.patch
sgi-gru-add-support-to-the-gru-driver-for-message-queue-interrupts.patch
sgi-gru-macro-for-scanning-all-gru-chiplets.patch
sgi-gru-fix-bugs-related-to-module-unload-of-the-gru-driver.patch
sgi-gru-support-multiple-pagesizes-in-gru.patch
remove-sgi_gru-as-a-valid-config-option-for-ia64-configs-with-sgi_uv.patch
cpumask-fix-slab-corruption-caused-by-alloc_cpumask_var_node.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
