[PATCH] - Fix memory corruption in slbq

From: Jack Steiner
Date: Thu Apr 30 2009 - 20:41:21 EST

Next message: David Howells: "Re: Q: selinux_bprm_committed_creds() && signals/do_wait"
Previous message: Marc Pignat: "Re: [BUG] 2.6.30-rc4 hid bluetooth not working"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Fix memory corruption caused by slqb overrunning the end
of the page allocated in kmem_cache_dyn_array_alloc() for
initial caches.

Signed-off-by: Jack Steiner <steiner@xxxxxxx>

---
mm/slqb.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

Index: linux/mm/slqb.c
===================================================================
--- linux.orig/mm/slqb.c 2009-04-30 15:47:16.000000000 -0500
+++ linux/mm/slqb.c 2009-04-30 19:08:33.000000000 -0500
@@ -2194,15 +2194,14 @@ static void *kmem_cache_dyn_array_alloc(
* never get freed by definition so we can do it rather
* simply.
*/
- if (!nextmem) {
+ if (!nextmem || offset_in_page(nextmem) + size > PAGE_SIZE) {
nextmem = alloc_pages_exact(size, GFP_KERNEL);
if (!nextmem)
return NULL;
}
ret = nextmem;
nextmem = (void *)((unsigned long)ret + size);
- if ((unsigned long)ret >> PAGE_SHIFT !=
- (unsigned long)nextmem >> PAGE_SHIFT)
+ if (offset_in_page(ret) + size >= PAGE_SIZE)
nextmem = NULL;
memset(ret, 0, size);
return ret;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Howells: "Re: Q: selinux_bprm_committed_creds() && signals/do_wait"
Previous message: Marc Pignat: "Re: [BUG] 2.6.30-rc4 hid bluetooth not working"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]