Date: Tue, 17 Jan 2012 22:34:52 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Eugene Teo <eugene@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: kernel: Unused iocbs in a batch should not be accounted as active On 01/17/2012 10:30 PM, Eugene Teo wrote: > commit 69e4747ee9727d660b88d7e1efe0f4afcb35db1b > Author: Gleb Natapov <gleb@...hat.com> > Date: Sun Jan 8 17:07:28 2012 +0200 > > Unused iocbs in a batch should not be accounted as active. > > Since commit 080d676de095 ("aio: allocate kiocbs in batches") iocbs > are allocated in a batch during processing of first iocbs. All iocbs in > a batch are automatically added to ctx->active_reqs list and accounted > in ctx->reqs_active. > > If one (not the last one) of iocbs submitted by an user fails, > further iocbs are not processed, but they are still present in > ctx->active_reqs and accounted in ctx->reqs_active. This causes process > to stuck in a D state in wait_for_all_aios() on exit since > ctx->reqs_active will never go down to zero. Furthermore since > kiocb_batch_free() frees iocb without removing it from active_reqs list > the list become corrupted which may cause oops. > > Fix this by removing iocb from ctx->active_reqs and updating > ctx->reqs_active in kiocb_batch_free(). > > Signed-off-by: Gleb Natapov <gleb@...hat.com> > Reviewed-by: Jeff Moyer <jmoyer@...hat.com> > Cc: stable@...nel.org # 3.2 > Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org> > > Issue introduced in v3.2-rc1 via commit 080d676d. > > Thanks, Eugene Please use CVE-2012-0058 for this issue -- -- Kurt Seifried / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ