[lucid, lucid/fsl-imx51 CVE 1/2] block: Fix io_context leak after clone with CLONE_IO

Andy Whitcroft apw at canonical.com
Thu Mar 1 14:45:42 UTC 2012


From: Louis Rilling <louis.rilling at kerlabs.com>

With CLONE_IO, copy_io() increments both ioc->refcount and ioc->nr_tasks.
However, exit_io_context() only decrements ioc->refcount if ioc->nr_tasks
reaches 0.

Always call put_io_context() in exit_io_context().

Signed-off-by: Louis Rilling <louis.rilling at kerlabs.com>
Signed-off-by: Jens Axboe <jens.axboe at oracle.com>

(cherry picked from commit 61cc74fbb87af6aa551a06a370590c9bc07e29d9)
CVE-2012-0879
BugLink: http://bugs.launchpad.net/bugs/940743
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 block/blk-ioc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/block/blk-ioc.c b/block/blk-ioc.c
index d4ed600..dcd0412 100644
--- a/block/blk-ioc.c
+++ b/block/blk-ioc.c
@@ -80,8 +80,8 @@ void exit_io_context(void)
 			ioc->aic->exit(ioc->aic);
 		cfq_exit(ioc);
 
-		put_io_context(ioc);
 	}
+	put_io_context(ioc);
 }
 
 struct io_context *alloc_io_context(gfp_t gfp_flags, int node)
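Review bot: the moved `put_io_context(ioc);` now runs on every exit path of exit_io_context(), not only inside the block that previously contained it, so the drop of the per-task reference taken by copy_io() no longer depends on the enclosing condition; that matches the commit message, but the hunk does not show the top of the function, so please confirm that the earlier part of exit_io_context() still bails out before this point when the task has no io_context (otherwise the unconditional call would be handed a NULL ioc, which the visible lines cannot rule out). A one-line comment above the new call stating that it releases the reference copy_io() took for this task would make the pairing explicit for future readers.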
-- 
1.7.9