Ack: Re: [CVE-2012-0879] CLONE_IO reference counting error

Herton Ronaldo Krzesinski herton.krzesinski at
Thu Mar 1 15:13:27 UTC 2012

On Thu, Mar 01, 2012 at 02:45:41PM +0000, Andy Whitcroft wrote:
> CVE-2012-0879
> 	With CLONE_IO, copy_io() increments both ioc->refcount and
> 	ioc->nr_tasks.	However exit_io_context() only decrements
> 	ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
> 	io_context->nr_tasks is incremented, but never decremented whenever
> 	copy_process() fails afterwards, which prevents exit_io_context()
> 	from calling IO schedulers exit functions. An unprivileged local
> 	user could use these flaws cause denial of service.
> This was not introduced until after hardy, and fixes for this have hit
> maverick and later via mainline and stable.  Following this email is a 2
> patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
> from mainline.
> Proposing for lucid and lucid/fsl-imx51.
> -apw
> -- 
> kernel-team mailing list
> kernel-team at

More information about the kernel-team mailing list