Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE request: kernel: Unused iocbs in a batch should not be accounted as active
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 17 Jan 2012 22:34:52 -0700

On 01/17/2012 10:30 PM, Eugene Teo wrote:
commit 69e4747ee9727d660b88d7e1efe0f4afcb35db1b
Author: Gleb Natapov <gleb () redhat com>
Date:   Sun Jan 8 17:07:28 2012 +0200

    Unused iocbs in a batch should not be accounted as active.

    Since commit 080d676de095 ("aio: allocate kiocbs in batches") iocbs
are allocated in a batch during processing of first iocbs.  All iocbs in
a batch are automatically added to ctx->active_reqs list and accounted
in ctx->reqs_active.

    If one (not the last one) of iocbs submitted by an user fails,
further iocbs are not processed, but they are still present in
ctx->active_reqs and accounted in ctx->reqs_active.  This causes process
to stuck in a D state in wait_for_all_aios() on exit since
ctx->reqs_active will never go down to zero.  Furthermore since
kiocb_batch_free() frees iocb without removing it from active_reqs list
the list become corrupted which may cause oops.

    Fix this by removing iocb from ctx->active_reqs and updating
ctx->reqs_active in kiocb_batch_free().

    Signed-off-by: Gleb Natapov <gleb () redhat com>
    Reviewed-by: Jeff Moyer <jmoyer () redhat com>
    Cc: stable () kernel org   # 3.2
    Signed-off-by: Linus Torvalds <torvalds () linux-foundation org>

Issue introduced in v3.2-rc1 via commit 080d676d.

Thanks, Eugene
Please use CVE-2012-0058 for this issue


-- Kurt Seifried / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]