[tip: sched/urgent] sched/debug: Fix memory corruption caused by multiple small reads of flags

Wed, 11 Nov 2020 00:23:58 -0800 

The following commit has been merged into the sched/urgent branch of tip:

Commit-ID:     8d4d9c7b4333abccb3bf310d76ef7ea2edb9828f
Gitweb:        
https://git.kernel.org/tip/8d4d9c7b4333abccb3bf310d76ef7ea2edb9828f
Author:        Colin Ian King <colin.k...@canonical.com>
AuthorDate:    Thu, 29 Oct 2020 15:11:03 
Committer:     Peter Zijlstra <pet...@infradead.org>
CommitterDate: Tue, 10 Nov 2020 18:38:49 +01:00

sched/debug: Fix memory corruption caused by multiple small reads of flags

Reading /proc/sys/kernel/sched_domain/cpu*/domain0/flags mutliple times
with small reads causes oopses with slub corruption issues because the kfree is
free'ing an offset from a previous allocation. Fix this by adding in a new
pointer 'buf' for the allocation and kfree and use the temporary pointer tmp
to handle memory copies of the buf offsets.

Fixes: 5b9f8ff7b320 ("sched/debug: Output SD flag names rather than their 
values")
Reported-by: Jeff Bastian <jbast...@redhat.com>
Signed-off-by: Colin Ian King <colin.k...@canonical.com>
Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
Reviewed-by: Valentin Schneider <valentin.schnei...@arm.com>
Link: https://lkml.kernel.org/r/20201029151103.373410-1-colin.k...@canonical.com
---
 kernel/sched/debug.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c
index 0655524..2357921 100644
--- a/kernel/sched/debug.c
+++ b/kernel/sched/debug.c
@@ -251,7 +251,7 @@ static int sd_ctl_doflags(struct ctl_table *table, int 
write,
        unsigned long flags = *(unsigned long *)table->data;
        size_t data_size = 0;
        size_t len = 0;
-       char *tmp;
+       char *tmp, *buf;
        int idx;
 
        if (write)
@@ -269,17 +269,17 @@ static int sd_ctl_doflags(struct ctl_table *table, int 
write,
                return 0;
        }
 
-       tmp = kcalloc(data_size + 1, sizeof(*tmp), GFP_KERNEL);
-       if (!tmp)
+       buf = kcalloc(data_size + 1, sizeof(*buf), GFP_KERNEL);
+       if (!buf)
                return -ENOMEM;
 
        for_each_set_bit(idx, &flags, __SD_FLAG_CNT) {
                char *name = sd_flag_debug[idx].name;
 
-               len += snprintf(tmp + len, strlen(name) + 2, "%s ", name);
+               len += snprintf(buf + len, strlen(name) + 2, "%s ", name);
        }
 
-       tmp += *ppos;
+       tmp = buf + *ppos;
        len -= *ppos;
 
        if (len > *lenp)
@@ -294,7 +294,7 @@ static int sd_ctl_doflags(struct ctl_table *table, int 
write,
        *lenp = len;
        *ppos += len;
 
-       kfree(tmp);
+       kfree(buf);
 
        return 0;
 }

Reply via email to