* [PATCH] - Fix slab corruption caused by alloc_cpumask_var_node()
From: Jack Steiner @ 2009-04-02 21:27 UTC
To: akpm, mingo, rusty, sfr; +Cc: linux-kernel
Fix for slab corruption caused by alloc_cpumask_var_node() overwriting
the tail end of an off-stack cpumask.
Signed-off-by: Jack Steiner <steiner@sgi.com>
Acked-by: Mike Travis <travis.sgi.com>
---
Corruption was found in latest linux-next (4/1)
v2.6.29-12081-g421a9f3
lib/cpumask.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: linux/lib/cpumask.c
===================================================================
--- linux.orig/lib/cpumask.c 2009-04-02 15:30:05.000000000 -0500
+++ linux/lib/cpumask.c 2009-04-02 15:57:44.000000000 -0500
@@ -109,10 +109,10 @@ bool alloc_cpumask_var_node(cpumask_var_
#endif
/* FIXME: Bandaid to save us from old primitives which go to NR_CPUS. */
if (*mask) {
+ unsigned char *ptr = (unsigned char *)cpumask_bits(*mask);
unsigned int tail;
tail = BITS_TO_LONGS(NR_CPUS - nr_cpumask_bits) * sizeof(long);
- memset(cpumask_bits(*mask) + cpumask_size() - tail,
- 0, tail);
+ memset(ptr + cpumask_size() - tail, 0, tail);
}
return *mask != NULL;
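Review bot: the corrected memset() start in this hunk fixes a pointer-scaling error rather than a wrong formula: cpumask_bits(*mask) yields an `unsigned long *`, so the old `cpumask_bits(*mask) + cpumask_size() - tail` advanced by (cpumask_size() - tail) longs, sizeof(long) times the intended byte offset, and since `tail` (computed with `* sizeof(long)`) and cpumask_size() are byte counts, the memset landed past the end of the kmalloc'd object, which is the slab corruption in the subject. Casting to `unsigned char *` first (the new `ptr`) makes the arithmetic byte-granular; `(char *)` or GNU `void *` arithmetic would be equally idiomatic here. The changelog should say this much: a one-line description of the symptom does not tell a backporter why the cast is the fix.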
* Re: [PATCH] - Fix slab corruption caused by alloc_cpumask_var_node()
From: Andrew Morton @ 2009-04-02 21:39 UTC
To: Jack Steiner; +Cc: mingo, rusty, sfr, linux-kernel
On Thu, 2 Apr 2009 16:27:51 -0500
Jack Steiner <steiner@sgi.com> wrote:
> Fix for slab corruption caused by alloc_cpumask_var_node() overwriting
> the tail end of an off-stack cpumask.
changelog is crappy.
> --- linux.orig/lib/cpumask.c 2009-04-02 15:30:05.000000000 -0500
> +++ linux/lib/cpumask.c 2009-04-02 15:57:44.000000000 -0500
> @@ -109,10 +109,10 @@ bool alloc_cpumask_var_node(cpumask_var_
> #endif
> /* FIXME: Bandaid to save us from old primitives which go to NR_CPUS. */
> if (*mask) {
> + unsigned char *ptr = (unsigned char *)cpumask_bits(*mask);
> unsigned int tail;
> tail = BITS_TO_LONGS(NR_CPUS - nr_cpumask_bits) * sizeof(long);
> - memset(cpumask_bits(*mask) + cpumask_size() - tail,
> - 0, tail);
> + memset(ptr + cpumask_size() - tail, 0, tail);
> }
>
It appears that the bug is that cpumask_bits() returns an `unsigned
long *', except the pointer arithmetic in there is designed to operate
on char*/void*/etc, correct?
This fix is needed in 2.6.29 as well, correct?
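A stand-alone demonstration of the scaling Andrew describes, added here and not part of the thread or of the kernel's code: it reproduces the hunk's two memset() start expressions inside a byte buffer that stands in for a slab object and its neighbour, using constructed sizes (a 4096-bit mask, 64 possible cpus, a 256-byte neighbour; the DEMO_ macros and zero_tail() are invented for this example) and measures what each variant overwrites.

```c
#include <stddef.h>
#include <string.h>

/* Constructed demo parameters, not the kernel's: a 4096-bit mask of which 64 cpus are possible. */
#define DEMO_NR_CPUS         4096
#define DEMO_NR_CPUMASK_BITS   64
#define BITS_PER_LONG        (8 * sizeof(unsigned long))
#define BITS_TO_LONGS(n)     (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define MASK_BYTES           (BITS_TO_LONGS(DEMO_NR_CPUS) * sizeof(unsigned long))
#define NEIGHBOUR_BYTES      256   /* the slab object that follows the cpumask */

struct tail_result {
    size_t start_offset;        /* byte offset at which memset() began writing */
    size_t neighbour_clobbered; /* bytes of the following object overwritten */
    int possible_bits_intact;   /* 1 if the bits for cpus 0..63 were left alone */
};

/* Zero the tail the way the hunk does before (buggy=1) or after (buggy=0) the fix,
 * inside a stand-in for a slab page, and measure the damage. */
static struct tail_result zero_tail(int buggy)
{
    union { unsigned long align; unsigned char bytes[MASK_BYTES + NEIGHBOUR_BYTES]; } slab;
    unsigned long *bits = (unsigned long *)slab.bytes;          /* what cpumask_bits() returns */
    size_t tail = BITS_TO_LONGS(DEMO_NR_CPUS - DEMO_NR_CPUMASK_BITS) * sizeof(unsigned long);
    unsigned char *start;
    struct tail_result r;
    size_t i;

    memset(slab.bytes, 0xff, MASK_BYTES);                        /* every cpu bit set */
    memset(slab.bytes + MASK_BYTES, 0xaa, NEIGHBOUR_BYTES);      /* canary in the neighbour */
    if (buggy)   /* unsigned long * arithmetic: the byte offset is scaled by sizeof(long) */
        start = (unsigned char *)(bits + (MASK_BYTES - tail));
    else         /* fixed: byte arithmetic through an unsigned char * */
        start = (unsigned char *)bits + MASK_BYTES - tail;
    memset(start, 0, tail);

    r.start_offset = (size_t)(start - slab.bytes);
    r.neighbour_clobbered = 0;
    for (i = 0; i < NEIGHBOUR_BYTES; i++)
        if (slab.bytes[MASK_BYTES + i] != 0xaa)
            r.neighbour_clobbered++;
    r.possible_bits_intact = 1;
    for (i = 0; i < DEMO_NR_CPUMASK_BITS / 8; i++)
        if (slab.bytes[i] != 0xff)
            r.possible_bits_intact = 0;
    return r;
}

struct tail_result buggy_zero_tail(void) { return zero_tail(1); }
struct tail_result fixed_zero_tail(void) { return zero_tail(0); }
```

On a 64-bit build the buggy variant starts 64 bytes in instead of 8 and runs 56 bytes into the neighbouring object, while the fixed variant stays inside the mask and leaves the possible-cpu bits untouched.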
* Re: [PATCH] - Updated: Fix slab corruption caused by alloc_cpumask_var_node()
From: Jack Steiner @ 2009-04-02 22:09 UTC
To: Andrew Morton, mingo, rusty, sfr; +Cc: linux-kernel, stable
Fix slab corruption caused by alloc_cpumask_var_node() overwriting
the tail end of an off-stack cpumask.
The function zeros out cpumask bits beyond the last possible cpu.
The starting point for zeroing should be the beginning
of the mask offset by a byte count derived from the number
of possible cpus. The offset was calculated in bits instead of bytes.
This resulted in overwriting the end of the cpumask.
v2.6.29 is also affected by this bug.
Signed-off-by: Jack Steiner <steiner@sgi.com>
Acked-by: Mike Travis <travis.sgi.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
---
Corruption was found in latest linux-next (4/1)
v2.6.29-12081-g421a9f3
lib/cpumask.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: linux/lib/cpumask.c
===================================================================
--- linux.orig/lib/cpumask.c 2009-04-02 15:30:05.000000000 -0500
+++ linux/lib/cpumask.c 2009-04-02 15:57:44.000000000 -0500
@@ -109,10 +109,10 @@ bool alloc_cpumask_var_node(cpumask_var_
#endif
/* FIXME: Bandaid to save us from old primitives which go to NR_CPUS. */
if (*mask) {
+ unsigned char *ptr = (unsigned char *)cpumask_bits(*mask);
unsigned int tail;
tail = BITS_TO_LONGS(NR_CPUS - nr_cpumask_bits) * sizeof(long);
- memset(cpumask_bits(*mask) + cpumask_size() - tail,
- 0, tail);
+ memset(ptr + cpumask_size() - tail, 0, tail);
}
return *mask != NULL;
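Review bot: the tag block above this hunk still carries no `Cc: <stable@kernel.org>` even though the changelog now states that v2.6.29 is affected; that tag is what gets the commit picked up for -stable. Within the hunk itself, the `/* FIXME: Bandaid ... */` comment could state that `tail` and cpumask_size() are byte counts and that `ptr` must therefore be a byte pointer, since the original defect was exactly that cpumask_bits() was treated as interchangeable with one; the diff is otherwise unchanged from the first posting and correct.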
* Re: [PATCH] - Updated: Fix slab corruption caused by alloc_cpumask_var_node()
From: Ingo Molnar @ 2009-04-02 22:23 UTC
To: Jack Steiner; +Cc: Andrew Morton, rusty, sfr, linux-kernel, stable
* Jack Steiner <steiner@sgi.com> wrote:
> Fix slab corruption caused by alloc_cpumask_var_node() overwriting
> the tail end of an off-stack cpumask.
>
> The function zeros out cpumask bits beyond the last possible cpu.
> The starting point for zeroing should be the beginning
> of the mask offset by a byte count derived from the number
> of possible cpus. The offset was calculated in bits instead of bytes.
> This resulted in overwriting the end of the cpumask.
>
>
> v2.6.29 is also affected by this bug.
>
>
> Signed-off-by: Jack Steiner <steiner@sgi.com>
> Acked-by: Mike Travis <travis.sgi.com>
> Acked-by: Ingo Molnar <mingo@elte.hu>
In the future you can add:
Cc: <stable@kernel.org>
to the signoff/ack section of the changelog in such cases - then the
-stable folks will notice the commit automatically.
Thanks,
Ingo
* Re: [PATCH] - Fix slab corruption caused by alloc_cpumask_var_node()
From: Ingo Molnar @ 2009-04-02 21:42 UTC
To: Jack Steiner; +Cc: akpm, rusty, sfr, linux-kernel
* Jack Steiner <steiner@sgi.com> wrote:
> Fix for slab corruption caused by alloc_cpumask_var_node() overwriting
> the tail end of an off-stack cpumask.
>
> Signed-off-by: Jack Steiner <steiner@sgi.com>
> Acked-by: Mike Travis <travis.sgi.com>
>
>
> ---
>
> Corrruption was found in latest linux-next (4/1)
> v2.6.29-12081-g421a9f3
>
>
>
> lib/cpumask.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Index: linux/lib/cpumask.c
> ===================================================================
> --- linux.orig/lib/cpumask.c 2009-04-02 15:30:05.000000000 -0500
> +++ linux/lib/cpumask.c 2009-04-02 15:57:44.000000000 -0500
> @@ -109,10 +109,10 @@ bool alloc_cpumask_var_node(cpumask_var_
> #endif
> /* FIXME: Bandaid to save us from old primitives which go to NR_CPUS. */
> if (*mask) {
> + unsigned char *ptr = (unsigned char *)cpumask_bits(*mask);
> unsigned int tail;
> tail = BITS_TO_LONGS(NR_CPUS - nr_cpumask_bits) * sizeof(long);
> - memset(cpumask_bits(*mask) + cpumask_size() - tail,
> - 0, tail);
> + memset(ptr + cpumask_size() - tail, 0, tail);
Nice,
Acked-by: Ingo Molnar <mingo@elte.hu>
Note: it also needs a Cc: <stable@kernel.org> tag as v2.6.29 is
affected by this bug too.
Ingo
* Re: [PATCH] - Fix slab corruption caused by alloc_cpumask_var_node()
From: Rusty Russell @ 2009-04-05 5:31 UTC
To: Ingo Molnar; +Cc: Jack Steiner, akpm, sfr, linux-kernel
On Friday 03 April 2009 08:12:19 Ingo Molnar wrote:
>
> * Jack Steiner <steiner@sgi.com> wrote:
>
> > Fix for slab corruption caused by alloc_cpumask_var_node() overwriting
> > the tail end of an off-stack cpumask.
Ouch. Thanks for this!
And I see it's already in Linus' tree while I was away, thanks all!
Rusty.