sgi-xp: fix writing past the end of kzalloc()'d space A missing type cast results in writing way beyond the end of a kzalloc()'d memory segment resulting in slab corruption. But it seems like the better solution is to define ->recv_msg_slots as a 'void *' rather than a 'struct xpc_notify_mq_msg_uv *' and add the type cast. Signed-off-by: Dean Nelson <dcn@sgi.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: 361916a943cd9dbda1c0b00879d0225cc919d868 [log] [tgz]
author: Dean Nelson <dcn@sgi.com> Wed Feb 04 15:12:24 2009 -0800
committer: Linus Torvalds <torvalds@linux-foundation.org> Thu Feb 05 12:56:49 2009 -0800
tree: e9b30d230248baa4dd3e9718b683e4aa74830f43
parent: fb9a68001175cc04bbbe711e6e29e1c6c353107b [diff] [blame]
diff --git a/drivers/misc/sgi-xp/xpc.h b/drivers/misc/sgi-xp/xpc.h
index a5bd658..275b788 100644
--- a/drivers/misc/sgi-xp/xpc.h
+++ b/drivers/misc/sgi-xp/xpc.h

@@ -3,7 +3,7 @@
  * License.  See the file "COPYING" in the main directory of this archive
  * for more details.
  *
- * Copyright (c) 2004-2008 Silicon Graphics, Inc.  All Rights Reserved.
+ * Copyright (c) 2004-2009 Silicon Graphics, Inc.  All Rights Reserved.
  */
 
 /*
@@ -514,7 +514,8 @@
 						/* partition's notify mq */
 
 	struct xpc_send_msg_slot_uv *send_msg_slots;
-	struct xpc_notify_mq_msg_uv *recv_msg_slots;
+	void *recv_msg_slots;	/* each slot will hold a xpc_notify_mq_msg_uv */
+				/* structure plus the user's payload */
 
 	struct xpc_fifo_head_uv msg_slot_free_list;
 	struct xpc_fifo_head_uv recv_msg_list;	/* deliverable payloads */
commit	361916a943cd9dbda1c0b00879d0225cc919d868	[log] [tgz]
author	Dean Nelson <dcn@sgi.com>	Wed Feb 04 15:12:24 2009 -0800
committer	Linus Torvalds <torvalds@linux-foundation.org>	Thu Feb 05 12:56:49 2009 -0800
tree	e9b30d230248baa4dd3e9718b683e4aa74830f43
parent	fb9a68001175cc04bbbe711e6e29e1c6c353107b [diff] [blame]