From dda4c8ded1ca8c27fb4189e005e24c5ed5c17d16 Mon Sep 17 00:00:00 2001
From: Chuck Ebbert
Date: Sat, 12 Feb 2011 11:06:04 -0500
Subject: [PATCH] bridge: Fix mglist corruption that leads to memory corruption (#650151)

---
 ...tion-that-leads-to-memory-corruption.patch | 42 +++++++++++++++++++
 kernel.spec | 9 ++++
 2 files changed, 51 insertions(+)
 create mode 100644 bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch

diff --git a/bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch b/bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
new file mode 100644
index 000000000..198a93b35
--- /dev/null
+++ b/bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
@@ -0,0 +1,42 @@
+bridge: Fix mglist corruption that leads to memory corruption
+
+The list mp->mglist is used to indicate whether a multicast group
+is active on the bridge interface itself as opposed to one of the
+constituent interfaces in the bridge.
+
+Unfortunately the operation that adds the mp->mglist node to the
+list neglected to check whether it has already been added. This
+leads to list corruption in the form of nodes pointing to itself.
+
+Normally this would be quite obvious as it would cause an infinite
+loop when walking the list. However, as this list is never actually
+walked (which means that we don't really need it, I'll get rid of
+it in a subsequent patch), this instead is hidden until we perform
+a delete operation on the affected nodes.
+
+As the same node may now be pointed to by more than one node, the
+delete operations can then cause modification of freed memory.
+
+This was observed in practice to cause corruption in 512-byte slabs,
+most commonly leading to crashes in jbd2.
+
+Thanks to Josef Bacik for pointing me in the right direction.
+
+Reported-by: Ian Page Hands
+Signed-off-by: Herbert Xu
+
+diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
+index f701a21..802d3f8 100644
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -719,7 +719,8 @@ static int br_multicast_add_group(struct net_bridge *br,
+ goto err;
+
+ if (!port) {
+- hlist_add_head(&mp->mglist, &br->mglist);
++ if (hlist_unhashed(&mp->mglist))
++ hlist_add_head(&mp->mglist, &br->mglist);
+ mod_timer(&mp->timer, now + br->multicast_membership_interval);
+ goto out;
+ }
+
diff --git a/kernel.spec b/kernel.spec
index e19739276..2b4e60b62 100644
--- a/kernel.spec
+++ b/kernel.spec
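Review bot: The new `hlist_unhashed(&mp->mglist)` guard in front of `hlist_add_head()` only prevents the double-add if every path that removes `mp` from `br->mglist` uses `hlist_del_init()` (or frees `mp` outright); a plain `hlist_del()` leaves `pprev` poisoned rather than NULL, so `hlist_unhashed()` then reports the node as hashed and the group would silently never be re-added to the bridge-local list. Those removal paths, and the allocation of `mp` (which must be zeroed or `INIT_HLIST_NODE`'d for a fresh entry to read as unhashed), are outside this hunk, so please confirm them and record the dependency next to the guard, e.g. `/* relies on mglist being freed or removed with hlist_del_init() */`. The patch body also carries no upstream commit reference, which makes it harder to drop at the next rebase; the header could note `upstream commit <UPSTREAM-COMMIT-ID>` as a placeholder until it is known. br_multicast_add_group() begins and ends outside the hunk.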
@@ -886,6 +886,9 @@ Patch13945: tcp-protect-sysctl_tcp_cookie_size-reads.patch
 # rhbz#673207 (f14)
 Patch13950: sunrpc-kernel-panic-when-mount-nfsv4.patch
+# rhbz#650151
+Patch13951: bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
+
 %endif
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1684,6 +1687,9 @@ ApplyPatch tcp-protect-sysctl_tcp_cookie_size-reads.patch
 # rhbz#673207 (f14)
 ApplyPatch sunrpc-kernel-panic-when-mount-nfsv4.patch
+# rhbz#650151
+ApplyPatch bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2304,6 +2310,9 @@ fi
 %kernel_variant_files %{with_pae_debug} PAEdebug
 %changelog
+* Sat Feb 12 2011 Chuck Ebbert
+- bridge: Fix mglist corruption that leads to memory corruption (#650151)
+
 * Wed Feb 09 2011 Matthew Garrett
 - linux-2.6-acpi-fix-alias.patch: fix ACPI object aliasing (#608648)
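Review bot: The `# rhbz#650151` comment above the new Patch13951 line records the bug but not the patch's upstream status, and the neighbouring entries follow the same pattern, so nothing tells the next rebase whether this backport can be dropped. One line such as `# rhbz#650151 - upstream commit <UPSTREAM-COMMIT-ID>` on the Patch13951 definition would close that gap; the ApplyPatch hunk at -1684 repeats the same bare comment and can simply refer to the definition. The changelog hunk needs no change.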