Fix memory corruption caused by bug in bridge code.

2011-02-12 21:00:46 -05:00 · 2011-02-12 21:00:46 -05:00 · 822aa68f4f
commit 822aa68f4f
parent c60c9d544f
2 changed files with 47 additions and 0 deletions
--- a/bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
+++ b/bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
@ -0,0 +1,42 @@
+bridge: Fix mglist corruption that leads to memory corruption
+
+The list mp->mglist is used to indicate whether a multicast group
+is active on the bridge interface itself as opposed to one of the
+constituent interfaces in the bridge.
+
+Unfortunately the operation that adds the mp->mglist node to the
+list neglected to check whether it has already been added.  This
+leads to list corruption in the form of nodes pointing to itself.
+
+Normally this would be quite obvious as it would cause an infinite
+loop when walking the list.  However, as this list is never actually
+walked (which means that we don't really need it, I'll get rid of
+it in a subsequent patch), this instead is hidden until we perform
+a delete operation on the affected nodes.
+
+As the same node may now be pointed to by more than one node, the
+delete operations can then cause modification of freed memory.
+
+This was observed in practice to cause corruption in 512-byte slabs,
+most commonly leading to crashes in jbd2.
+
+Thanks to Josef Bacik for pointing me in the right direction.
+
+Reported-by: Ian Page Hands <ihands@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
+index f701a21..802d3f8 100644
+--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
+@@ -719,7 +719,8 @@ static int br_multicast_add_group(struct net_bridge *br,
+ 		goto err;
+ 
+ 	if (!port) {
+-		hlist_add_head(&mp->mglist, &br->mglist);
+		if (hlist_unhashed(&mp->mglist))
+			hlist_add_head(&mp->mglist, &br->mglist);
+ 		mod_timer(&mp->timer, now + br->multicast_membership_interval);
+ 		goto out;
+ 	}
+
--- a/kernel.spec
+++ b/kernel.spec
@ -733,6 +733,8 @@ Patch12421: fs-call-security_d_instantiate-in-d_obtain_alias.patch

 Patch12438: ath5k-fix-fast-channel-change.patch

+Patch12440: bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
+
 %endif

 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1348,6 +1350,8 @@ ApplyPatch fs-call-security_d_instantiate-in-d_obtain_alias.patch
 # rhbz#672778
 ApplyPatch ath5k-fix-fast-channel-change.patch

+ApplyPatch bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -1953,6 +1957,7 @@ fi
 %changelog
 * Sat Feb 12 2011 Chuck Ebbert <cebbert@redhat.com>  2.6.38-0.rc4.git6.1
 - Linux 2.6.38-rc4-git6
+- Fix memory corruption caused by bug in bridge code.

 * Thu Feb 10 2011 Chuck Ebbert <cebbert@redhat.com>  2.6.38-0.rc4.git3.1
 - Linux 2.6.38-rc4-git3