From mboxrd@z Thu Jan 1 00:00:00 1970
From: Al Viro
To: Fengguang Wu
Cc: LKP, Huang Ying, LKML
Subject: Re: [memdup_user_nul] kernel BUG at mm/slab.c:2735!
Date: Tue, 29 Dec 2015 14:57:09 +0000
Message-ID: <20151229145709.GB9938@ZenIV.linux.org.uk>
References: <87ege74bom.fsf@yhuang-dev.intel.com> <20151229123843.GA4678@wfg-t540p.sh.intel.com> <20151229143946.GA9938@ZenIV.linux.org.uk>
In-Reply-To: <20151229143946.GA9938@ZenIV.linux.org.uk>

On Tue, Dec 29, 2015 at 02:39:47PM +0000, Al Viro wrote:
> On Tue, Dec 29, 2015 at 08:38:43PM +0800, Fengguang Wu wrote:
> > Hi Al,
> >
> > It looks this patch has various impacts. Here are some more bug messages.
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git work.misc
> >
> > commit c7af9d5728bed29ef614324e67e066896d087c8f
>
> The version in vfs.git has been ad8e00e50cbda2ce3831a4badc239ad014eec69 for
> a couple of days already...

FWIW, the difference (and the source of those bugs) is that the earlier
variant had missed the fact that the value of kbuf gets modified between the
allocation and freeing, so it ended up doing kfree() on the tail of a
kmalloced buffer.
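The bug class Al describes, as an added userspace illustration that is not code from the vfs.git patch or from the kernel: a write handler duplicates the user buffer into kbuf, advances kbuf while parsing, and then hands the advanced pointer to the free routine. The mail does not say how kbuf was modified; skipping leading whitespace is an assumed shape chosen here. The tracker stands in for the slab allocator's object-base check that produces "kernel BUG at mm/slab.c", dup_nul() stands in for memdup_user_nul() with a plain memcpy in place of copy_from_user(), and all names and inputs are constructed for this demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the slab sanity check: record the base address of every
 * live allocation so that freeing anything else can be detected. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;
}

/* Returns 0 on a valid free, -1 when p is not the base of a live object
 * (interior pointer, double free, never allocated): the simulated BUG.
 * On -1 nothing is released, mirroring the kernel oopsing at that point. */
static int tracked_free(void *p)
{
    if (!p)
        return 0;               /* kfree(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return 0;
        }
    }
    return -1;
}

/* Userspace stand-in for memdup_user_nul(): len + 1 bytes, copied, NUL-terminated. */
static char *dup_nul(const char *src, size_t len)
{
    char *p = tracked_alloc(len + 1);
    if (!p)
        return NULL;
    memcpy(p, src, len);
    p[len] = '\0';
    return p;
}

/* Shape of the earlier (buggy) variant: kbuf itself is advanced past leading
 * whitespace, so the pointer reaching the free routine is an interior pointer
 * whenever the input had leading whitespace. Returns the free status. */
static int buggy_store(const char *user, size_t len, long *out)
{
    char *kbuf = dup_nul(user, len);
    if (!kbuf)
        return -1;
    while (isspace((unsigned char)*kbuf))
        kbuf++;                 /* kbuf modified between allocation and free */
    *out = strtol(kbuf, NULL, 0);
    return tracked_free(kbuf);  /* tail of the buffer, not its start */
}

/* Corrected shape: parse through a separate cursor; kbuf still names the
 * allocation base when it is freed. */
static int fixed_store(const char *user, size_t len, long *out)
{
    char *kbuf = dup_nul(user, len);
    const char *p;
    if (!kbuf)
        return -1;
    p = kbuf;
    while (isspace((unsigned char)*p))
        p++;
    *out = strtol(p, NULL, 0);
    return tracked_free(kbuf);
}

int main(void)
{
    long v;
    /* Constructed inputs: the bug only surfaces when kbuf actually moves. */
    printf("buggy, no leading space: free=%d value=%ld\n", buggy_store("42", 2, &v), v);
    printf("buggy, leading space:    free=%d value=%ld\n", buggy_store("  42\n", 5, &v), v);
    printf("fixed, leading space:    free=%d value=%ld\n", fixed_store("  42\n", 5, &v), v);
    return 0;
}
```

The first buggy call succeeds because nothing advanced kbuf, which is why such a conversion can pass light testing and only blow up once a caller writes whitespace-prefixed input; the tracker returns -1 on the second call at the same point where the slab debug check fires in the kernel.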