Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Jan 2012 13:30:44 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: kernel: Unused iocbs in a batch should not be accounted
 as active

commit 69e4747ee9727d660b88d7e1efe0f4afcb35db1b
Author: Gleb Natapov <gleb@...hat.com>
Date:   Sun Jan 8 17:07:28 2012 +0200

    Unused iocbs in a batch should not be accounted as active.

    Since commit 080d676de095 ("aio: allocate kiocbs in batches") iocbs
are allocated in a batch during processing of first iocbs.  All iocbs in
a batch are automatically added to ctx->active_reqs list and accounted
in ctx->reqs_active.

    If one (not the last one) of iocbs submitted by an user fails,
further iocbs are not processed, but they are still present in
ctx->active_reqs and accounted in ctx->reqs_active.  This causes process
to stuck in a D state in wait_for_all_aios() on exit since
ctx->reqs_active will never go down to zero.  Furthermore since
kiocb_batch_free() frees iocb without removing it from active_reqs list
the list become corrupted which may cause oops.

    Fix this by removing iocb from ctx->active_reqs and updating
ctx->reqs_active in kiocb_batch_free().

    Signed-off-by: Gleb Natapov <gleb@...hat.com>
    Reviewed-by: Jeff Moyer <jmoyer@...hat.com>
    Cc: stable@...nel.org   # 3.2
    Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>

Issue introduced in v3.2-rc1 via commit 080d676d.

Thanks, Eugene

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ