| Summary: | kdbus: the slice size check in kdbus_pool_copy does not make sense | ||
|---|---|---|---|
| Product: | systemd | Reporter: | Hristo Venev <hristo> |
| Component: | general | Assignee: | systemd-bugs |
| Status: | RESOLVED FIXED | QA Contact: | systemd-bugs |
| Severity: | normal | ||
| Priority: | medium | ||
| Version: | unspecified | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
Nice catch, thanks. The implementation in that function is a left-over. I've pushed a patch that cleans up the API, and removes that bogus assertion. Thanks! |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
It looks like the slice occupies pool[slice->off,slice->off+slice->size). Therefore: --- a/pool.c +++ b/pool.c @@ -644,7 +644,7 @@ static int kdbus_pool_copy(const struct kdbus_pool_slice *slice, unsigned long rem = len; int ret = 0; - BUG_ON(off_dst + len > slice->size); + BUG_ON(len > slice->size); BUG_ON(slice->free); mutex_lock(&i_dst->i_mutex); Confirmed, this makes my system less crash-prone (down to about 0% from 100% crash probability).