[PATCH] sgi-xp: add type cast to kzalloc()'d space to avoid slab corruption

[Dean Nelson]

A missing type cast results in writing way beyond the end of a kzalloc()'d
memory segment resulting in slab corruption.

Signed-off-by: Dean Nelson <dcn@xxxxxxx>
Cc: stable <stable@xxxxxxxxxx>

---

 drivers/misc/sgi-xp/xpc_uv.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Index: linux/drivers/misc/sgi-xp/xpc_uv.c
===================================================================
--- linux.orig/drivers/misc/sgi-xp/xpc_uv.c	2009-01-27 10:53:26.000000000 -0600
+++ linux/drivers/misc/sgi-xp/xpc_uv.c	2009-01-28 08:51:57.000000000 -0600
@@ -3,7 +3,7 @@
  * License.  See the file "COPYING" in the main directory of this archive
  * for more details.
  *
- * Copyright (c) 2008 Silicon Graphics, Inc.  All Rights Reserved.
+ * Copyright (c) 2008-2009 Silicon Graphics, Inc.  All Rights Reserved.
  */
 
 /*
@@ -1129,8 +1129,8 @@ xpc_allocate_recv_msg_slot_uv(struct xpc
 			continue;
 
 		for (entry = 0; entry < nentries; entry++) {
-			msg_slot = ch_uv->recv_msg_slots + entry *
-			    ch->entry_size;
+			msg_slot = (struct xpc_notify_mq_msg_uv *)((u8 *)
+			    ch_uv->recv_msg_slots + entry * ch->entry_size);
 
 			msg_slot->hdr.msg_slot_number = entry;
 		}
@@ -1438,7 +1438,7 @@ xpc_handle_notify_mq_msg_uv(struct xpc_p
 	/* we're dealing with a normal message sent via the notify_mq */
 	ch_uv = &ch->sn.uv;
 
-	msg_slot = (struct xpc_notify_mq_msg_uv *)((u64)ch_uv->recv_msg_slots +
+	msg_slot = (struct xpc_notify_mq_msg_uv *)((u8 *)ch_uv->recv_msg_slots +
 		    (msg->hdr.msg_slot_number % ch->remote_nentries) *
 		    ch->entry_size);
 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/