summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChen Gang <gang.chen@asianux.com>2013-09-11 14:22:44 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2013-09-11 15:58:03 -0700
commit4c3bffc272755c98728c2b58b1a8148cf9e9fd1f (patch)
tree9d9583af840199d75e8e8eac61159372a74a38ba
parent1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (diff)
mm/backing-dev.c: check user buffer length before copying data to the related user buffer
'*lenp' may be less than "sizeof(kbuf)" so we must check this before the next copy_to_user(). pdflush_proc_obsolete() is called by sysctl which 'procname' is "nr_pdflush_threads", if the user passes buffer length less than "sizeof(kbuf)", it will cause issue. Signed-off-by: Chen Gang <gang.chen@asianux.com> Reviewed-by: Jan Kara <jack@suse.cz> Cc: Tejun Heo <tj@kernel.org> Cc: Jeff Moyer <jmoyer@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--mm/backing-dev.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index 37d9edcd14cf..ce682f7a4f29 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -652,7 +652,7 @@ int pdflush_proc_obsolete(struct ctl_table *table, int write,
{
char kbuf[] = "0\n";
- if (*ppos) {
+ if (*ppos || *lenp < sizeof(kbuf)) {
*lenp = 0;
return 0;
}