Fix memory corruption caused by bug in bridge code.

This commit is contained in:
Chuck Ebbert 2011-02-12 21:00:46 -05:00
parent c60c9d544f
commit 822aa68f4f
2 changed files with 47 additions and 0 deletions

View File

@ -0,0 +1,42 @@
bridge: Fix mglist corruption that leads to memory corruption
The list mp->mglist is used to indicate whether a multicast group
is active on the bridge interface itself as opposed to one of the
constituent interfaces in the bridge.
Unfortunately the operation that adds the mp->mglist node to the
list neglected to check whether it has already been added. This
leads to list corruption in the form of nodes pointing to itself.
Normally this would be quite obvious as it would cause an infinite
loop when walking the list. However, as this list is never actually
walked (which means that we don't really need it, I'll get rid of
it in a subsequent patch), this instead is hidden until we perform
a delete operation on the affected nodes.
As the same node may now be pointed to by more than one node, the
delete operations can then cause modification of freed memory.
This was observed in practice to cause corruption in 512-byte slabs,
most commonly leading to crashes in jbd2.
Thanks to Josef Bacik for pointing me in the right direction.
Reported-by: Ian Page Hands <ihands@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index f701a21..802d3f8 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -719,7 +719,8 @@ static int br_multicast_add_group(struct net_bridge *br,
goto err;
if (!port) {
- hlist_add_head(&mp->mglist, &br->mglist);
+ if (hlist_unhashed(&mp->mglist))
+ hlist_add_head(&mp->mglist, &br->mglist);
mod_timer(&mp->timer, now + br->multicast_membership_interval);
goto out;
}

View File

@ -733,6 +733,8 @@ Patch12421: fs-call-security_d_instantiate-in-d_obtain_alias.patch
Patch12438: ath5k-fix-fast-channel-change.patch Patch12438: ath5k-fix-fast-channel-change.patch
Patch12440: bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
%endif %endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1348,6 +1350,8 @@ ApplyPatch fs-call-security_d_instantiate-in-d_obtain_alias.patch
# rhbz#672778 # rhbz#672778
ApplyPatch ath5k-fix-fast-channel-change.patch ApplyPatch ath5k-fix-fast-channel-change.patch
ApplyPatch bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
%endif %endif
@ -1953,6 +1957,7 @@ fi
%changelog %changelog
* Sat Feb 12 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.38-0.rc4.git6.1 * Sat Feb 12 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.38-0.rc4.git6.1
- Linux 2.6.38-rc4-git6 - Linux 2.6.38-rc4-git6
- Fix memory corruption caused by bug in bridge code.
* Thu Feb 10 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.38-0.rc4.git3.1 * Thu Feb 10 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.38-0.rc4.git3.1
- Linux 2.6.38-rc4-git3 - Linux 2.6.38-rc4-git3