[PATCH] relay: fix for possible loss/corruption of produced subbufs

From: Aravind Srinivasan
Date: Tue Feb 17 2009 - 00:40:27 EST


From: Aravind Srinivasan <raa.aars@xxxxxxxxx>

This patch fixes possible loss/corruption of produced subbufs in
relay_subbufs_consumed().

When buf->subbufs_produced wraps around after UINT_MAX and
buf->subbufs_consumed is still < UINT_MAX, the condition
if (buf->subbufs_consumed > buf->subbufs_produced)
will be true even for certain valid values of subbufs_consumed. This may lead
to loss or corruption of produced subbufs.

Signed-off-by: Aravind Srinivasan <raa.aars@xxxxxxxxx>
--------------------------------------------------------------------------------
--- linux-2.6.28/kernel/relay.c.orig 2009-02-17 07:53:55.000000000 +0530
+++ linux-2.6.28/kernel/relay.c 2009-02-17 07:54:14.000000000 +0530
@@ -795,13 +795,15 @@ void relay_subbufs_consumed(struct rchan
if (!chan)
return;

- if (cpu >= NR_CPUS || !chan->buf[cpu])
+ if (cpu >= NR_CPUS || !chan->buf[cpu] ||
+ subbufs_consumed > chan->n_subbufs)
return;

buf = chan->buf[cpu];
- buf->subbufs_consumed += subbufs_consumed;
- if (buf->subbufs_consumed > buf->subbufs_produced)
+ if (subbufs_consumed > buf->subbufs_produced - buf->subbufs_consumed)
buf->subbufs_consumed = buf->subbufs_produced;
+ else
+ buf->subbufs_consumed += subbufs_consumed;
}
EXPORT_SYMBOL_GPL(relay_subbufs_consumed);
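Review bot: The added `subbufs_consumed > chan->n_subbufs` test in the early-return condition turns an over-large count into a silent no-op, while the branch just below clamps an over-large count to `buf->subbufs_produced`. The two paths treat the same kind of caller error differently, and the changelog only describes the wraparound fix, not the new rejection. Either say in the commit message why a count above `n_subbufs` is dropped rather than clamped, or let it fall through to the clamp. A one-line comment above `buf->subbufs_produced - buf->subbufs_consumed` would also help, since that comparison is only correct because the unsigned difference stays valid after `subbufs_produced` wraps, which is not obvious to someone reading the function later.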