From: Paul Jackson Date: Fri, 19 Oct 2007 06:39:28 +0000 (-0700) Subject: cpuset: zero malloc - revert the old cpuset fix X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=55a230aae650157720becc09cadb7d10efbf5013;p=openwrt%2Fstaging%2Fblogic.git cpuset: zero malloc - revert the old cpuset fix The cpuset code to present a list of tasks using a cpuset to user space could write to an array that it had kmalloc'd, after a kmalloc request of zero size. The problem was that the code didn't check for writes past the allocated end of the array until -after- the first write. This is a race condition that is likely rare -- it would only show up if a cpuset went from being empty to having a task in it, during the brief time between the allocation and the first write. Prior to roughly 2.6.22 kernels, this was also a benign problem, because a zero kmalloc returned a few usable bytes anyway, and no harm was done with the bogus write. With the 2.6.22 kernel changes to make issue a warning if code tries to write to the location returned from a zero size allocation, this problem is no longer benign. This cpuset code would occassionally trigger that warning. The fix is trivial -- check before storing into the array, not after, whether the array is big enough to hold the store. Cc: "Eric W. Biederman" Cc: "Serge E. Hallyn" Cc: Balbir Singh Cc: Dave Hansen Cc: Herbert Poetzl Cc: Kirill Korotaev Cc: Paul Menage Cc: Srivatsa Vaddagiri Cc: Christoph Lameter Signed-off-by: Paul Jackson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/kernel/cpuset.c b/kernel/cpuset.c index 64950fa5d321..a40a2c4384b3 100644 --- a/kernel/cpuset.c +++ b/kernel/cpuset.c @@ -1638,9 +1638,9 @@ static int pid_array_load(pid_t *pidarray, int npids, struct cpuset *cs) do_each_thread(g, p) { if (p->cpuset == cs) { + pidarray[n++] = p->pid; if (unlikely(n == npids)) goto array_full; - pidarray[n++] = p->pid; } } while_each_thread(g, p);