[CVE-2012-0879] CLONE_IO reference counting error

Andy Whitcroft apw at canonical.com
Thu Mar 1 14:45:41 UTC 2012

	With CLONE_IO, copy_io() increments both ioc->refcount and
	ioc->nr_tasks. However exit_io_context() only decrements
	ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
	io_context->nr_tasks is incremented, but never decremented whenever
	copy_process() fails afterwards, which prevents exit_io_context()
	from calling IO schedulers exit functions. An unprivileged local
	user could use these flaws to cause denial of service.

This was not introduced until after hardy, and fixes for this have hit
maverick and later via mainline and stable.  Following this email is a 2
patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
from mainline.

Proposing for lucid and lucid/fsl-imx51.
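The counting mismatch in the CVE text above, as an added example that is not part of this mail, the kernel source, or the two cherry-picked patches it proposes. It is a small C model in which the names mirror the kernel's io_context, copy_io(), exit_io_context() and the copy_process() cleanup path, but the struct layouts, the outcome struct and the counters are constructed for the example; the "fixed" cleanup is modelled as routing the failure path through exit_io_context() so that nr_tasks is decremented along with refcount (an assumption of this model, not a quotation of the patches).

```c
/* Toy model of the CLONE_IO refcount / nr_tasks mismatch (CVE-2012-0879).
 * Constructed example code, not kernel source: names mirror the kernel's
 * io_context, copy_io(), exit_io_context() and the copy_process() cleanup
 * path, but the structures and logic are a simplified model. */
#include <stdbool.h>
#include <stdio.h>

#define CLONE_IO 0x80000000UL   /* same value as the kernel flag */

struct io_context {
    int refcount;     /* models ioc->refcount: memory lifetime */
    int nr_tasks;     /* models ioc->nr_tasks: tasks sharing the ioc */
    int sched_exited; /* 1 once the IO scheduler exit hooks have run */
};

struct task {
    struct io_context *io_context;
};

struct outcome {
    int sched_exited;   /* did exit_io_context() run the scheduler exit hooks? */
    int ioc_freed;      /* did refcount reach zero? */
    int final_nr_tasks; /* nr_tasks left on the parent's ioc at the end */
};

/* Model of copy_io(): with CLONE_IO the child shares the parent's
 * io_context and bumps both counters. */
static void copy_io(unsigned long clone_flags, struct task *parent, struct task *child)
{
    child->io_context = NULL;
    if ((clone_flags & CLONE_IO) && parent->io_context) {
        child->io_context = parent->io_context;
        child->io_context->refcount++;
        child->io_context->nr_tasks++;
    }
}

/* Model of put_io_context(): drop a reference, "free" at zero. */
static void put_io_context(struct io_context *ioc, struct outcome *out)
{
    if (--ioc->refcount == 0)
        out->ioc_freed = 1;
}

/* Model of exit_io_context(): the scheduler exit functions run only when
 * the last task sharing the context exits, i.e. nr_tasks reaches zero. */
static void exit_io_context(struct task *t, struct outcome *out)
{
    struct io_context *ioc = t->io_context;
    t->io_context = NULL;
    if (--ioc->nr_tasks == 0)
        ioc->sched_exited = 1;   /* the IO scheduler exit hooks */
    put_io_context(ioc, out);
}

/* Model of the copy_process() failure path after copy_io() succeeded.
 * The buggy cleanup only drops the reference; the modelled fix goes
 * through exit_io_context() so nr_tasks is decremented as well. */
static void copy_process_cleanup_io(struct task *child, bool fixed, struct outcome *out)
{
    if (!child->io_context)
        return;
    if (fixed) {
        exit_io_context(child, out);
    } else {
        put_io_context(child->io_context, out);
        child->io_context = NULL;
    }
}

/* Parent forks with CLONE_IO, the fork fails after copy_io(), then the
 * parent exits. Returns what happened to the parent's io_context. */
struct outcome run_clone_io_failure(bool fixed_cleanup)
{
    struct io_context ioc = { .refcount = 1, .nr_tasks = 1, .sched_exited = 0 };
    struct task parent = { .io_context = &ioc };
    struct task child = { .io_context = NULL };
    struct outcome out = { 0, 0, 0 };

    copy_io(CLONE_IO, &parent, &child);
    copy_process_cleanup_io(&child, fixed_cleanup, &out);
    exit_io_context(&parent, &out);

    out.sched_exited = ioc.sched_exited;
    out.final_nr_tasks = ioc.nr_tasks;
    return out;
}

int main(void)
{
    struct outcome buggy = run_clone_io_failure(false);
    struct outcome fixed = run_clone_io_failure(true);
    printf("buggy: sched_exited=%d freed=%d nr_tasks=%d\n",
           buggy.sched_exited, buggy.ioc_freed, buggy.final_nr_tasks);
    printf("fixed: sched_exited=%d freed=%d nr_tasks=%d\n",
           fixed.sched_exited, fixed.ioc_freed, fixed.final_nr_tasks);
    return 0;
}
```

In the buggy run the parent's nr_tasks is still 1 when the parent exits, so the scheduler exit hooks never run even though refcount does reach zero; in the modelled fix nr_tasks reaches zero on the parent's exit and the hooks run. Every failed CLONE_IO clone leaves the parent's count one too high, which is the unprivileged local denial of service the CVE text refers to.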

