lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20070601131950.0f3a507b.pj@sgi.com>
Date:	Fri, 1 Jun 2007 13:19:50 -0700
From:	Paul Jackson <pj@....com>
To:	Christoph Lameter <clameter@....com>
Cc:	srinivasa@...ibm.com, linux-kernel@...r.kernel.org,
	akpm@...ux-foundation.org, torvalds@...ux-foundation.org,
	vatsa@...ibm.com, dino@...ibm.com, simon.derr@...l.net,
	clameter@...ulhu.engr.sgi.com, rientjes@...gle.com
Subject: Re: [RFC] [PATCH] cpuset operations causes Badness at mm/slab.c:777
 warning

> There are no checks necessary. Your function worked fine so far for 
> the case of zero objects with the pointer returned by kmalloc. If the 
> code is correct then it will not dereference the pointer to the zero 
> sized array. If not then we may find a bug and fix it.

I suspect you got lucky.  The check for a full pidarray[] in the routine
pid_array_load() occurs -after- a pid is put in the array.  If a task
showed up in this cpuset at the wrong time, we would fall over and die
in the code:

static int pid_array_load(pid_t *pidarray, int npids, struct cpuset *cs)
{
        int n = 0;
        struct task_struct *g, *p;

        read_lock(&tasklist_lock);

        do_each_thread(g, p) {
                if (p->cpuset == cs) {
                        pidarray[n++] = p->pid;		/* Death if pidarray == NULL */
                        if (unlikely(n == npids))
                                goto array_full;
                }

        } while_each_thread(g, p);

Perhaps if you moved the "if (unlikely(n == npids))" test before the
"pidarray[n++] = p->pid" assignment, it would be safe.

And does the next line of code, the call to sort() after the call of
pid_array_load(), work with pidarray == NULL and npids == 0:

        npids = pid_array_load(pidarray, npids, cs);
        sort(pidarray, npids, sizeof(pid_t), cmppid, NULL);	/* <== ?? */

Off hand, I didn't know.  I guess it must, or you would have already
tripped over it.

-- 
                  I won't rest till it's the best ...
                  Programmer, Linux Scalability
                  Paul Jackson <pj@....com> 1.925.600.0401
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ