|
Message-ID: <4F1659FC.9040608@redhat.com> Date: Tue, 17 Jan 2012 22:34:52 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Eugene Teo <eugene@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: kernel: Unused iocbs in a batch should not be accounted as active On 01/17/2012 10:30 PM, Eugene Teo wrote: > commit 69e4747ee9727d660b88d7e1efe0f4afcb35db1b > Author: Gleb Natapov <gleb@...hat.com> > Date: Sun Jan 8 17:07:28 2012 +0200 > > Unused iocbs in a batch should not be accounted as active. > > Since commit 080d676de095 ("aio: allocate kiocbs in batches") iocbs > are allocated in a batch during processing of first iocbs. All iocbs in > a batch are automatically added to ctx->active_reqs list and accounted > in ctx->reqs_active. > > If one (not the last one) of iocbs submitted by an user fails, > further iocbs are not processed, but they are still present in > ctx->active_reqs and accounted in ctx->reqs_active. This causes process > to stuck in a D state in wait_for_all_aios() on exit since > ctx->reqs_active will never go down to zero. Furthermore since > kiocb_batch_free() frees iocb without removing it from active_reqs list > the list become corrupted which may cause oops. > > Fix this by removing iocb from ctx->active_reqs and updating > ctx->reqs_active in kiocb_batch_free(). > > Signed-off-by: Gleb Natapov <gleb@...hat.com> > Reviewed-by: Jeff Moyer <jmoyer@...hat.com> > Cc: stable@...nel.org # 3.2 > Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org> > > Issue introduced in v3.2-rc1 via commit 080d676d. > > Thanks, Eugene Please use CVE-2012-0058 for this issue -- -- Kurt Seifried / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.