From: Li Zefan <lizf@cn.fujitsu.com>
To: Paul Menage <menage@google.com>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
	LKML <linux-kernel@vger.kernel.org>,
	"David Rientjes" <rientjes@google.com>,
	"缪 勰" <miaox@cn.fujitsu.com>,
	linux-mm@kvack.org
Subject: Re: [PATCH 1/4] cpuset: Remove unneeded NODEMASK_ALLOC() in cpuset_sprintf_memlist()
Date: Fri, 18 Feb 2011 10:22:49 +0800
Message-ID: <4D5DD7F9.30202@cn.fujitsu.com>
In-Reply-To: <AANLkTinsj4OagOQhaPL=6-3awQo9ssh06NgwTg1kOsYh@mail.gmail.com>

Paul Menage wrote:
> On Wed, Feb 16, 2011 at 5:49 PM, Li Zefan <lizf@cn.fujitsu.com> wrote:
>> It's not necessary to copy cpuset->mems_allowed to a buffer
>> allocated by NODEMASK_ALLOC(). Just pass it to nodelist_scnprintf().
>>
>> Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
> 
> Acked-by: Paul Menage <menage@google.com>
> 
> The only downside is that we're now doing more work (and more complex
> work) inside callback_mutex, but I guess that's OK compared to having
> to do a memory allocation. (I poked around in lib/vsprintf.c and I
> couldn't see any cases where it might allocate memory, but it would be
> particularly bad if there was any way to trigger an Oops.)
> 
>> ---
>>  kernel/cpuset.c |   10 +---------
>>  1 files changed, 1 insertions(+), 9 deletions(-)
>>
>> diff --git a/kernel/cpuset.c b/kernel/cpuset.c
>> index 10f1835..f13ff2e 100644
>> --- a/kernel/cpuset.c
>> +++ b/kernel/cpuset.c
>> @@ -1620,20 +1620,12 @@ static int cpuset_sprintf_cpulist(char *page, struct cpuset *cs)
>>
>>  static int cpuset_sprintf_memlist(char *page, struct cpuset *cs)
>>  {
>> -       NODEMASK_ALLOC(nodemask_t, mask, GFP_KERNEL);
>>        int retval;
>>
>> -       if (mask == NULL)
>> -               return -ENOMEM;
>> -
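Review bot: with `NODEMASK_ALLOC(nodemask_t, mask, GFP_KERNEL)` and the `if (mask == NULL) return -ENOMEM;` path removed, cpuset_sprintf_memlist() has no error return left, so the remaining `int retval` can only ever hold the nodelist_scnprintf() count; renaming it `count` in this hunk (and in cpuset_sprintf_cpulist(), which has the same shape) would make it explicit to callers that the value is a length and never negative. The quoted hunk is cut off before the replacement nodelist_scnprintf() call, so the switch to passing cs->mems_allowed directly described in the commit message is not visible here and should be checked against the full patch.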
> 
> And this was particularly broken since the only caller of
> cpuset_sprintf_memlist() doesn't handle a negative error response
> anyway and would then overwrite byte 4083 on the preceding page with a
> '\n'. And then since the (size_t)(s-page) that's passed to
> simple_read_from_buffer() would be a very large number, it would write
> arbitrary (user-controlled) amounts of kernel data to the userspace
> buffer.
> 
> Maybe we could also rename 'retval' to 'count' in this function (and
> cpuset_sprintf_cpulist()) to make it clearer that callers don't expect
> negative error values?
> 

Good spot!
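A userspace model of the failure mode Paul describes above, added here as an example and not code from the thread or from the kernel: a sprintf-style helper that can return -ENOMEM, the pre-patch caller pattern that adds the return value to the output pointer without a sign check (so the '\n' lands before the page and the size_t length wraps), and a hardened caller that propagates the error instead. `model_arena`, `sprintf_memlist_model`, `unchecked_read_len`, `checked_read_len` and `stray_newline_offset` are constructed names; the guard bytes exist only so the stray write can be observed without undefined behaviour.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096
#define GUARD 64	/* bytes kept before the page so the stray write is observable without UB */

/* Constructed arena: model_arena + GUARD plays the role of the kernel page. */
char model_arena[GUARD + MODEL_PAGE_SIZE];

/* Model of the pre-patch helper: byte count on success (like nodelist_scnprintf()),
 * -ENOMEM when the NODEMASK_ALLOC() is simulated to fail. */
static int sprintf_memlist_model(char *page, int alloc_fails)
{
	if (alloc_fails)
		return -ENOMEM;
	return snprintf(page, MODEL_PAGE_SIZE, "0-3");
}

/* Pre-patch caller pattern: s += retval with no sign check, then '\n',
 * then (size_t)(s - page) is the length handed to the copy-out routine. */
size_t unchecked_read_len(int alloc_fails)
{
	char *page = model_arena + GUARD, *s = page;
	memset(model_arena, 0, sizeof(model_arena));
	s += sprintf_memlist_model(s, alloc_fails);	/* -ENOMEM moves s before page */
	*s++ = '\n';					/* lands in the bytes before page */
	return (size_t)(s - page);			/* wraps to ~SIZE_MAX on failure */
}

/* Hardened caller: propagate the error instead of treating it as a length. */
long checked_read_len(int alloc_fails)
{
	char *page = model_arena + GUARD, *s = page;
	int n = sprintf_memlist_model(s, alloc_fails);
	if (n < 0)
		return n;
	s += n;
	*s++ = '\n';
	return s - page;
}

/* How many bytes before the page start the stray '\n' landed, or -1 if none. */
int stray_newline_offset(void)
{
	for (int i = 0; i < GUARD; i++)
		if (model_arena[i] == '\n') return GUARD - i;
	return -1;
}
```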
