[kernel] r18971 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue May 1 05:51:40 UTC 2012


Author: dannf
Date: Tue May  1 05:51:39 2012
New Revision: 18971

Log:
* CVE-2012-0879:
  - block: Fix io_context leak after clone with CLONE_IO
  - block: Fix io_context leak after failure of clone with CLONE_IO

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch
   dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Tue May  1 01:45:51 2012	(r18970)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Tue May  1 05:51:39 2012	(r18971)
@@ -1,3 +1,11 @@
+linux-2.6 (2.6.32-41squeeze3) UNRELEASED; urgency=low
+
+  * CVE-2012-0879:
+    - block: Fix io_context leak after clone with CLONE_IO
+    - block: Fix io_context leak after failure of clone with CLONE_IO
+
+ -- dann frazier <dannf at debian.org>  Thu, 26 Apr 2012 23:29:43 -0600
+
 linux-2.6 (2.6.32-41squeeze2) stable-security; urgency=low
 
   * Ignore symbol version changes in s390/kvm

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch	Tue May  1 05:51:39 2012	(r18971)
@@ -0,0 +1,29 @@
+commit 61cc74fbb87af6aa551a06a370590c9bc07e29d9
+Author: Louis Rilling <louis.rilling at kerlabs.com>
+Date:   Fri Dec 4 14:52:41 2009 +0100
+
+    block: Fix io_context leak after clone with CLONE_IO
+    
+    With CLONE_IO, copy_io() increments both ioc->refcount and ioc->nr_tasks.
+    However exit_io_context() only decrements ioc->refcount if ioc->nr_tasks
+    reaches 0.
+    
+    Always call put_io_context() in exit_io_context().
+    
+    Signed-off-by: Louis Rilling <louis.rilling at kerlabs.com>
+    Signed-off-by: Jens Axboe <jens.axboe at oracle.com>
+
+diff --git a/block/blk-ioc.c b/block/blk-ioc.c
+index d4ed600..dcd0412 100644
+--- a/block/blk-ioc.c
++++ b/block/blk-ioc.c
+@@ -80,8 +80,8 @@ void exit_io_context(void)
+ 			ioc->aic->exit(ioc->aic);
+ 		cfq_exit(ioc);
+ 
+-		put_io_context(ioc);
+ 	}
++	put_io_context(ioc);
+ }
+ 
+ struct io_context *alloc_io_context(gfp_t gfp_flags, int node)
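Review bot: The relocated `put_io_context(ioc)` on the new side now runs on every exit, but nothing in the code says why the drop must be unconditional; the reasoning (per the commit message, copy_io() with CLONE_IO bumps both ioc->refcount and ioc->nr_tasks, and the old placement released the refcount only when the last task left) lives solely in the patch description. A one-line comment above the call, `/* each task took its own ioc reference in copy_io(); drop it regardless of nr_tasks */`, would keep a future backporter from "restoring" the old placement inside the if-block. The blk-ioc.c index line (d4ed600..dcd0412) is the parent of the second patch's base, so this patch must stay first in the series. The body of exit_io_context() starts outside the hunk.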

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch	Tue May  1 05:51:39 2012	(r18971)
@@ -0,0 +1,89 @@
+commit b69f2292063d2caf37ca9aec7d63ded203701bf3
+Author: Louis Rilling <louis.rilling at kerlabs.com>
+Date:   Fri Dec 4 14:52:42 2009 +0100
+
+    block: Fix io_context leak after failure of clone with CLONE_IO
+    
+    With CLONE_IO, parent's io_context->nr_tasks is incremented, but never
+    decremented whenever copy_process() fails afterwards, which prevents
+    exit_io_context() from calling IO schedulers exit functions.
+    
+    Give a task_struct to exit_io_context(), and call exit_io_context() instead of
+    put_io_context() in copy_process() cleanup path.
+    
+    Signed-off-by: Louis Rilling <louis.rilling at kerlabs.com>
+    Signed-off-by: Jens Axboe <jens.axboe at oracle.com>
+
+diff --git a/block/blk-ioc.c b/block/blk-ioc.c
+index dcd0412..cbdabb0 100644
+--- a/block/blk-ioc.c
++++ b/block/blk-ioc.c
+@@ -66,14 +66,14 @@ static void cfq_exit(struct io_context *ioc)
+ }
+ 
+ /* Called by the exitting task */
+-void exit_io_context(void)
++void exit_io_context(struct task_struct *task)
+ {
+ 	struct io_context *ioc;
+ 
+-	task_lock(current);
+-	ioc = current->io_context;
+-	current->io_context = NULL;
+-	task_unlock(current);
++	task_lock(task);
++	ioc = task->io_context;
++	task->io_context = NULL;
++	task_unlock(task);
+ 
+ 	if (atomic_dec_and_test(&ioc->nr_tasks)) {
+ 		if (ioc->aic && ioc->aic->exit)
+diff --git a/include/linux/iocontext.h b/include/linux/iocontext.h
+index d61b0b8..a632359 100644
+--- a/include/linux/iocontext.h
++++ b/include/linux/iocontext.h
+@@ -98,14 +98,15 @@ static inline struct io_context *ioc_task_link(struct io_context *ioc)
+ 	return NULL;
+ }
+ 
++struct task_struct;
+ #ifdef CONFIG_BLOCK
+ int put_io_context(struct io_context *ioc);
+-void exit_io_context(void);
++void exit_io_context(struct task_struct *task);
+ struct io_context *get_io_context(gfp_t gfp_flags, int node);
+ struct io_context *alloc_io_context(gfp_t gfp_flags, int node);
+ void copy_io_context(struct io_context **pdst, struct io_context **psrc);
+ #else
+-static inline void exit_io_context(void)
++static inline void exit_io_context(struct task_struct *task)
+ {
+ }
+ 
+diff --git a/kernel/exit.c b/kernel/exit.c
+index f7864ac..2544000 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1004,7 +1004,7 @@ NORET_TYPE void do_exit(long code)
+ 	tsk->flags |= PF_EXITPIDONE;
+ 
+ 	if (tsk->io_context)
+-		exit_io_context();
++		exit_io_context(tsk);
+ 
+ 	if (tsk->splice_pipe)
+ 		__free_pipe_info(tsk->splice_pipe);
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 166b8c4..6073534 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1310,7 +1310,8 @@ bad_fork_free_pid:
+ 	if (pid != &init_struct_pid)
+ 		free_pid(pid);
+ bad_fork_cleanup_io:
+-	put_io_context(p->io_context);
++	if (p->io_context)
++		exit_io_context(p);
+ bad_fork_cleanup_namespaces:
+ 	exit_task_namespaces(p);
+ bad_fork_cleanup_mm:
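Review bot: `exit_io_context()` as redefined in the blk-ioc.c hunk dereferences `ioc` at `atomic_dec_and_test(&ioc->nr_tasks)` with no NULL check, and the comment above it, `/* Called by the exitting task */`, no longer describes its callers: the fork.c hunk now calls it from the copy_process() failure path on a child that never ran. Both call sites guard with `if (...->io_context)` (do_exit and bad_fork_cleanup_io), so the precondition is real but undocumented; I would replace the comment with `/* Called by the exiting task, or by copy_process() to tear down a child that never ran; task->io_context must be non-NULL (callers check). */`. The `index dcd0412..cbdabb0` line shows this patch is based on the output of the first one, so it only applies after block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch, which the 41squeeze3 series respects. The rest of exit_io_context(), do_exit() and copy_process() lies outside the hunks.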

Added: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3	Tue May  1 05:51:39 2012	(r18971)
@@ -0,0 +1,2 @@
++ bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch
++ bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch


