mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-24 20:54:10 +08:00
slub: fix per cpu kmem_cache_cpu array memory leak
The per cpu array of kmem_cache_cpu structures accomodates NR_KMEM_CACHE_CPU such structs. When this array overflows and a struct is allocated by kmalloc(), it may have an address at the upper bound of this array. If this happens, it does not get freed and the per cpu kmem_cache_cpu_free pointer will be out of bounds after kmem_cache_destroy() or cpu offlining. Cc: Christoph Lameter <cl@linux-foundation.org> Signed-off-by: David Rientjes <rientjes@google.com> Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
This commit is contained in:
parent
a6525042bf
commit
3718909448
@ -1996,7 +1996,7 @@ static struct kmem_cache_cpu *alloc_kmem_cache_cpu(struct kmem_cache *s,
|
|||||||
static void free_kmem_cache_cpu(struct kmem_cache_cpu *c, int cpu)
|
static void free_kmem_cache_cpu(struct kmem_cache_cpu *c, int cpu)
|
||||||
{
|
{
|
||||||
if (c < per_cpu(kmem_cache_cpu, cpu) ||
|
if (c < per_cpu(kmem_cache_cpu, cpu) ||
|
||||||
c > per_cpu(kmem_cache_cpu, cpu) + NR_KMEM_CACHE_CPU) {
|
c >= per_cpu(kmem_cache_cpu, cpu) + NR_KMEM_CACHE_CPU) {
|
||||||
kfree(c);
|
kfree(c);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user