Message-ID: <4CC32CE3.2090202@fusionio.com>
Date:	Sat, 23 Oct 2010 20:43:47 +0200
From:	Jens Axboe <jaxboe@...ionio.com>
To:	Ingo Molnar <mingo@...e.hu>
CC:	Tejun Heo <tj@...nel.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Vivek Goyal <vgoyal@...hat.com>
Subject: [GIT PULL] Throtl bug (was Re: [origin tree boot failure] Re: [GIT
 PULL] core block bits for  2.6.37-rc1)

On 2010-10-23 20:21, Ingo Molnar wrote:
> 
> * Jens Axboe <jaxboe@...ionio.com> wrote:
> 
>>> Looks like a fairly straight forward case of uninitialized memory and 
>>> blk_sync_queue() -> throtl_shutdown_timer() -> cancel_delayed_work_sync().
>>>
>>> Will get that fixed up.
>>
>> It frees q->td in blk_cleanup_queue(), but doesn't clear q->td. When the final put 
>> happens, blk_sync_queue() is called and then ends up doing the 
>> cancel_delayed_work_sync() on freed memory.
>>
>> Two possible fixes:
>>
>> - Clear ->td when the queue is going dead. May require other ->td == NULL
>>   checks in the code, so I opted for:
>>
>> - Move the free to when the queue is really going away, post doing the
>>   blk_sync_queue() call.
>>
>> The below should fix it.
>>
>> Signed-off-by: Jens Axboe <jaxboe@...ionio.com>
> 
> This did the trick, thanks Jens!

Great, thanks for testing/reporting! I added your reported/tested-by.

Linus, please pull this single fix, better get this out the door since
I'll be travelling very shortly.


  git://git.kernel.dk/linux-2.6-block.git for-2.6.37/core

Jens Axboe (1):
      block: fix use-after-free bug in blk throttle code

 block/blk-core.c  |    2 --
 block/blk-sysfs.c |    2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

-- 
Jens Axboe
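
The lifetime ordering discussed in this message, as an added user-space C model that is not part of the original e-mail or the kernel patch: it compares freeing ->td at cleanup (the bug), clearing ->td at cleanup (the first option) and freeing only after the final sync (the option chosen). The enum, struct and function names are hypothetical stand-ins, and the free is modelled by a flag so the program itself never touches freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: names are hypothetical stand-ins, not kernel code. */
enum order { FREE_IN_CLEANUP, CLEAR_IN_CLEANUP, FREE_IN_RELEASE };
struct throtl { bool timer_pending; };
struct queue {
    struct throtl *td;  /* pointer the sync path follows */
    bool td_freed;      /* model-only: td has logically been freed */
    int stale;          /* sync calls that reached logically freed td */
};

/* Models blk_sync_queue() -> throtl_shutdown_timer() -> cancel_delayed_work_sync(). */
static void sync_queue(struct queue *q)
{
    if (!q->td)
        return;                       /* the ->td == NULL check option 1 needs */
    if (q->td_freed)
        q->stale++;                   /* in the kernel: work cancelled on freed memory */
    else
        q->td->timer_pending = false; /* safe: td is still live */
}

/* Models blk_cleanup_queue(): the queue is going dead, references may remain. */
static void cleanup_queue(struct queue *q, enum order o)
{
    if (o != FREE_IN_RELEASE)
        q->td_freed = true;           /* td freed early */
    if (o == CLEAR_IN_CLEANUP)
        q->td = NULL;                 /* option 1: also clear the pointer */
}

/* Returns how often the sync path touched logically freed throttle data. */
int stale_accesses(enum order o)
{
    struct throtl td = { .timer_pending = true };
    struct queue q = { .td = &td };
    cleanup_queue(&q, o);
    sync_queue(&q);        /* final put: the sync runs first ... */
    q.td_freed = true;     /* ... and with option 2 td is freed only here */
    return q.stale;
}

int main(void)
{
    for (int o = FREE_IN_CLEANUP; o <= FREE_IN_RELEASE; o++)
        printf("order %d: %d stale access(es)\n", o, stale_accesses((enum order)o));
    return 0;
}
```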
