[kernel] r18971 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue May 1 05:51:40 UTC 2012
Author: dannf
Date: Tue May 1 05:51:39 2012
New Revision: 18971
Log:
* CVE-2012-0879:
- block: Fix io_context leak after clone with CLONE_IO
- block: Fix io_context leak after failure of clone with CLONE_IO
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch
dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Tue May 1 01:45:51 2012 (r18970)
+++ dists/squeeze-security/linux-2.6/debian/changelog Tue May 1 05:51:39 2012 (r18971)
@@ -1,3 +1,11 @@
+linux-2.6 (2.6.32-41squeeze3) UNRELEASED; urgency=low
+
+ * CVE-2012-0879:
+ - block: Fix io_context leak after clone with CLONE_IO
+ - block: Fix io_context leak after failure of clone with CLONE_IO
+
+ -- dann frazier <dannf at debian.org> Thu, 26 Apr 2012 23:29:43 -0600
+
linux-2.6 (2.6.32-41squeeze2) stable-security; urgency=low
* Ignore symbol version changes in s390/kvm
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch Tue May 1 05:51:39 2012 (r18971)
@@ -0,0 +1,29 @@
+commit 61cc74fbb87af6aa551a06a370590c9bc07e29d9
+Author: Louis Rilling <louis.rilling at kerlabs.com>
+Date: Fri Dec 4 14:52:41 2009 +0100
+
+ block: Fix io_context leak after clone with CLONE_IO
+
+ With CLONE_IO, copy_io() increments both ioc->refcount and ioc->nr_tasks.
+ However exit_io_context() only decrements ioc->refcount if ioc->nr_tasks
+ reaches 0.
+
+ Always call put_io_context() in exit_io_context().
+
+ Signed-off-by: Louis Rilling <louis.rilling at kerlabs.com>
+ Signed-off-by: Jens Axboe <jens.axboe at oracle.com>
+
+diff --git a/block/blk-ioc.c b/block/blk-ioc.c
+index d4ed600..dcd0412 100644
+--- a/block/blk-ioc.c
++++ b/block/blk-ioc.c
+@@ -80,8 +80,8 @@ void exit_io_context(void)
+ ioc->aic->exit(ioc->aic);
+ cfq_exit(ioc);
+
+- put_io_context(ioc);
+ }
++ put_io_context(ioc);
+ }
+
+ struct io_context *alloc_io_context(gfp_t gfp_flags, int node)
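Review bot: The now-unconditional `put_io_context(ioc);` at the end of exit_io_context() has no comment tying it to the reference it releases, and that pairing is the whole fix. Per the commit message, copy_io() increments both ioc->refcount and ioc->nr_tasks for each CLONE_IO sharer, so every exiting sharer has to drop one of each. I would add `/* Drop this task's reference: copy_io() takes one per CLONE_IO sharer. */` directly above the call. Without it, a later cleanup could plausibly move the put back inside the `nr_tasks` branch and reintroduce the leak tracked here as CVE-2012-0879. The start of exit_io_context() lies outside this hunk.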
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch Tue May 1 05:51:39 2012 (r18971)
@@ -0,0 +1,89 @@
+commit b69f2292063d2caf37ca9aec7d63ded203701bf3
+Author: Louis Rilling <louis.rilling at kerlabs.com>
+Date: Fri Dec 4 14:52:42 2009 +0100
+
+ block: Fix io_context leak after failure of clone with CLONE_IO
+
+ With CLONE_IO, parent's io_context->nr_tasks is incremented, but never
+ decremented whenever copy_process() fails afterwards, which prevents
+ exit_io_context() from calling IO schedulers exit functions.
+
+ Give a task_struct to exit_io_context(), and call exit_io_context() instead of
+ put_io_context() in copy_process() cleanup path.
+
+ Signed-off-by: Louis Rilling <louis.rilling at kerlabs.com>
+ Signed-off-by: Jens Axboe <jens.axboe at oracle.com>
+
+diff --git a/block/blk-ioc.c b/block/blk-ioc.c
+index dcd0412..cbdabb0 100644
+--- a/block/blk-ioc.c
++++ b/block/blk-ioc.c
+@@ -66,14 +66,14 @@ static void cfq_exit(struct io_context *ioc)
+ }
+
+ /* Called by the exitting task */
+-void exit_io_context(void)
++void exit_io_context(struct task_struct *task)
+ {
+ struct io_context *ioc;
+
+- task_lock(current);
+- ioc = current->io_context;
+- current->io_context = NULL;
+- task_unlock(current);
++ task_lock(task);
++ ioc = task->io_context;
++ task->io_context = NULL;
++ task_unlock(task);
+
+ if (atomic_dec_and_test(&ioc->nr_tasks)) {
+ if (ioc->aic && ioc->aic->exit)
+diff --git a/include/linux/iocontext.h b/include/linux/iocontext.h
+index d61b0b8..a632359 100644
+--- a/include/linux/iocontext.h
++++ b/include/linux/iocontext.h
+@@ -98,14 +98,15 @@ static inline struct io_context *ioc_task_link(struct io_context *ioc)
+ return NULL;
+ }
+
++struct task_struct;
+ #ifdef CONFIG_BLOCK
+ int put_io_context(struct io_context *ioc);
+-void exit_io_context(void);
++void exit_io_context(struct task_struct *task);
+ struct io_context *get_io_context(gfp_t gfp_flags, int node);
+ struct io_context *alloc_io_context(gfp_t gfp_flags, int node);
+ void copy_io_context(struct io_context **pdst, struct io_context **psrc);
+ #else
+-static inline void exit_io_context(void)
++static inline void exit_io_context(struct task_struct *task)
+ {
+ }
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index f7864ac..2544000 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1004,7 +1004,7 @@ NORET_TYPE void do_exit(long code)
+ tsk->flags |= PF_EXITPIDONE;
+
+ if (tsk->io_context)
+- exit_io_context();
++ exit_io_context(tsk);
+
+ if (tsk->splice_pipe)
+ __free_pipe_info(tsk->splice_pipe);
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 166b8c4..6073534 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1310,7 +1310,8 @@ bad_fork_free_pid:
+ if (pid != &init_struct_pid)
+ free_pid(pid);
+ bad_fork_cleanup_io:
+- put_io_context(p->io_context);
++ if (p->io_context)
++ exit_io_context(p);
+ bad_fork_cleanup_namespaces:
+ exit_task_namespaces(p);
+ bad_fork_cleanup_mm:
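Review bot: exit_io_context() now accepts an arbitrary task but still dereferences `ioc` unconditionally at `atomic_dec_and_test(&ioc->nr_tasks)`, so its safety rests entirely on the callers' `if (tsk->io_context)` check in do_exit() and `if (p->io_context)` check under bad_fork_cleanup_io. Because the fork-failure path is a new kind of caller, I would move the guard into the function, `if (!ioc) return;` right after `task_unlock(task);`, so a future caller that omits the check cannot cause a NULL dereference in kernel context. The header comment `/* Called by the exitting task */` is also stale after this change; `/* Called by the exiting task, or by copy_process() for a child whose fork failed */` would match the two callers shown. The body of exit_io_context() continues past the end of its hunk, so the rest of the function was not reviewed.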
Added: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3 Tue May 1 05:51:39 2012 (r18971)
@@ -0,0 +1,2 @@
++ bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch
++ bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch