mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-18 22:14:16 +00:00 
			
		
		
		
	sched/debug: Fix memory corruption caused by multiple small reads of flags
Reading /proc/sys/kernel/sched_domain/cpu*/domain0/flags mutliple times
with small reads causes oopses with slub corruption issues because the kfree is
free'ing an offset from a previous allocation. Fix this by adding in a new
pointer 'buf' for the allocation and kfree and use the temporary pointer tmp
to handle memory copies of the buf offsets.
Fixes: 5b9f8ff7b3 ("sched/debug: Output SD flag names rather than their values")
Reported-by: Jeff Bastian <jbastian@redhat.com>
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
Link: https://lkml.kernel.org/r/20201029151103.373410-1-colin.king@canonical.com
			
			
This commit is contained in:
		
							parent
							
								
									b4c9c9f156
								
							
						
					
					
						commit
						8d4d9c7b43
					
				
					 1 changed files with 6 additions and 6 deletions
				
			
		|  | @ -251,7 +251,7 @@ static int sd_ctl_doflags(struct ctl_table *table, int write, | |||
| 	unsigned long flags = *(unsigned long *)table->data; | ||||
| 	size_t data_size = 0; | ||||
| 	size_t len = 0; | ||||
| 	char *tmp; | ||||
| 	char *tmp, *buf; | ||||
| 	int idx; | ||||
| 
 | ||||
| 	if (write) | ||||
|  | @ -269,17 +269,17 @@ static int sd_ctl_doflags(struct ctl_table *table, int write, | |||
| 		return 0; | ||||
| 	} | ||||
| 
 | ||||
| 	tmp = kcalloc(data_size + 1, sizeof(*tmp), GFP_KERNEL); | ||||
| 	if (!tmp) | ||||
| 	buf = kcalloc(data_size + 1, sizeof(*buf), GFP_KERNEL); | ||||
| 	if (!buf) | ||||
| 		return -ENOMEM; | ||||
| 
 | ||||
| 	for_each_set_bit(idx, &flags, __SD_FLAG_CNT) { | ||||
| 		char *name = sd_flag_debug[idx].name; | ||||
| 
 | ||||
| 		len += snprintf(tmp + len, strlen(name) + 2, "%s ", name); | ||||
| 		len += snprintf(buf + len, strlen(name) + 2, "%s ", name); | ||||
| 	} | ||||
| 
 | ||||
| 	tmp += *ppos; | ||||
| 	tmp = buf + *ppos; | ||||
| 	len -= *ppos; | ||||
| 
 | ||||
| 	if (len > *lenp) | ||||
|  | @ -294,7 +294,7 @@ static int sd_ctl_doflags(struct ctl_table *table, int write, | |||
| 	*lenp = len; | ||||
| 	*ppos += len; | ||||
| 
 | ||||
| 	kfree(tmp); | ||||
| 	kfree(buf); | ||||
| 
 | ||||
| 	return 0; | ||||
| } | ||||
|  |  | |||
		Loading…
	
	Add table
		
		Reference in a new issue
	
	 Colin Ian King
						Colin Ian King