Patchwork [lucid,lucid/fsl-imx51,CVE,1/2] block: Fix io_context leak after clone with CLONE_IO

Submitter Andy Whitcroft
Date March 1, 2012, 2:45 p.m.
Message ID <1330613143-10318-2-git-send-email-apw@canonical.com>
Permalink /patch/144057/
State New

Comments

Andy Whitcroft - March 1, 2012, 2:45 p.m.
From: Louis Rilling <louis.rilling@kerlabs.com>

With CLONE_IO, copy_io() increments both ioc->refcount and ioc->nr_tasks.
However exit_io_context() only decrements ioc->refcount if ioc->nr_tasks
reaches 0.

Always call put_io_context() in exit_io_context().

Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>

(cherry picked from commit 61cc74fbb87af6aa551a06a370590c9bc07e29d9)
CVE-2012-0879
BugLink: http://bugs.launchpad.net/bugs/940743
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 block/blk-ioc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Patch

diff --git a/block/blk-ioc.c b/block/blk-ioc.c
index d4ed600..dcd0412 100644
--- a/block/blk-ioc.c
+++ b/block/blk-ioc.c
@@ -80,8 +80,8 @@  void exit_io_context(void)
 			ioc->aic->exit(ioc->aic);
 		cfq_exit(ioc);
 
-		put_io_context(ioc);
 	}
+	put_io_context(ioc);
 }
 
 struct io_context *alloc_io_context(gfp_t gfp_flags, int node)
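
Review bot: The put_io_context(ioc) that now sits below the closing brace runs on every call to exit_io_context(), and nothing in the visible context shows that ioc is non-NULL at that point; please confirm that this tree only reaches the call with a valid io_context, or guard it. A short comment above the moved call would also help: per the commit message, copy_io() with CLONE_IO bumps both ioc->refcount and ioc->nr_tasks, so each exiting task has to drop its own reference regardless of whether nr_tasks reached 0, and without that note the asymmetry is easy to reintroduce in a later cleanup. Ordering for the last task looks preserved, since the reference is still dropped after ioc->aic->exit(ioc->aic) and cfq_exit(ioc).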