diff options
author | David Rientjes <rientjes@google.com> | 2009-01-27 21:59:46 -0500 |
---|---|---|
committer | Pekka Enberg <penberg@cs.helsinki.fi> | 2009-01-28 03:43:42 -0500 |
commit | 3718909448116bf4411445468c58acc946379f92 (patch) | |
tree | 77d34de16274c12fb2bdcc946379a1c667f5671c | |
parent | a6525042bfdfcab128bd91fad264de10fd24a55e (diff) |
slub: fix per cpu kmem_cache_cpu array memory leak
The per cpu array of kmem_cache_cpu structures accomodates
NR_KMEM_CACHE_CPU such structs.
When this array overflows and a struct is allocated by kmalloc(), it may
have an address at the upper bound of this array. If this happens, it
does not get freed and the per cpu kmem_cache_cpu_free pointer will be out
of bounds after kmem_cache_destroy() or cpu offlining.
Cc: Christoph Lameter <cl@linux-foundation.org>
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
-rw-r--r-- | mm/slub.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -1996,7 +1996,7 @@ static struct kmem_cache_cpu *alloc_kmem_cache_cpu(struct kmem_cache *s, | |||
1996 | static void free_kmem_cache_cpu(struct kmem_cache_cpu *c, int cpu) | 1996 | static void free_kmem_cache_cpu(struct kmem_cache_cpu *c, int cpu) |
1997 | { | 1997 | { |
1998 | if (c < per_cpu(kmem_cache_cpu, cpu) || | 1998 | if (c < per_cpu(kmem_cache_cpu, cpu) || |
1999 | c > per_cpu(kmem_cache_cpu, cpu) + NR_KMEM_CACHE_CPU) { | 1999 | c >= per_cpu(kmem_cache_cpu, cpu) + NR_KMEM_CACHE_CPU) { |
2000 | kfree(c); | 2000 | kfree(c); |
2001 | return; | 2001 | return; |
2002 | } | 2002 | } |