[kernel] Fix memory corruption caused by bug in bridge code.

Chuck Ebbert cebbert at fedoraproject.org
Sun Feb 13 02:03:03 UTC 2011


commit 822aa68f4f152ce198f040dadb1ffd2fcf522e89
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Sat Feb 12 21:00:46 2011 -0500

    Fix memory corruption caused by bug in bridge code.

 ...orruption-that-leads-to-memory-corruption.patch |   42 ++++++++++++++++++++
 kernel.spec                                        |    5 ++
 2 files changed, 47 insertions(+), 0 deletions(-)
---
diff --git a/bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch b/bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
new file mode 100644
index 0000000..198a93b
--- /dev/null
+++ b/bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
@@ -0,0 +1,42 @@
+bridge: Fix mglist corruption that leads to memory corruption
+
+The list mp->mglist is used to indicate whether a multicast group
+is active on the bridge interface itself as opposed to one of the
+constituent interfaces in the bridge.
+
+Unfortunately the operation that adds the mp->mglist node to the
+list neglected to check whether it has already been added.  This
+leads to list corruption in the form of nodes pointing to itself.
+
+Normally this would be quite obvious as it would cause an infinite
+loop when walking the list.  However, as this list is never actually
+walked (which means that we don't really need it, I'll get rid of
+it in a subsequent patch), this instead is hidden until we perform
+a delete operation on the affected nodes.
+
+As the same node may now be pointed to by more than one node, the
+delete operations can then cause modification of freed memory.
+
+This was observed in practice to cause corruption in 512-byte slabs,
+most commonly leading to crashes in jbd2.
+
+Thanks to Josef Bacik for pointing me in the right direction.
+
+Reported-by: Ian Page Hands <ihands at redhat.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+
+diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
+index f701a21..802d3f8 100644
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -719,7 +719,8 @@ static int br_multicast_add_group(struct net_bridge *br,
+ 		goto err;
+ 
+ 	if (!port) {
+-		hlist_add_head(&mp->mglist, &br->mglist);
++		if (hlist_unhashed(&mp->mglist))
++			hlist_add_head(&mp->mglist, &br->mglist);
+ 		mod_timer(&mp->timer, now + br->multicast_membership_interval);
+ 		goto out;
+ 	}
+
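Review bot: the hlist_unhashed() guard added before hlist_add_head() in br_multicast_add_group() is only sound if mp->mglist is in the unhashed state whenever it is not on br->mglist, which is not visible in this hunk; hlist_unhashed() tests node->pprev, so the allocation path for mp must initialise the node (INIT_HLIST_NODE() or a zeroed allocation) and any removal must use hlist_del_init() rather than hlist_del(), otherwise a stale or poisoned pprev makes the check return false and the double-add the description warns about is still possible. Please confirm both paths in net/bridge/br_multicast.c when carrying this patch. Also, the embedded patch carries no upstream reference (commit id or "From:" line) above the "bridge: Fix mglist corruption" subject, which makes it hard to tell when it can be dropped after a rebase; the description itself says the list will be removed in a subsequent upstream patch, so a pointer to the upstream commit would help later cleanup.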
diff --git a/kernel.spec b/kernel.spec
index 4ce8ec0..b948966 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -733,6 +733,8 @@ Patch12421: fs-call-security_d_instantiate-in-d_obtain_alias.patch
 
 Patch12438: ath5k-fix-fast-channel-change.patch
 
+Patch12440: bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
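Review bot: the new "Patch12440:" declaration lands inside a conditional block (the "%endif" context line closes it); confirm that the condition guarding this block is the one intended for a generic net/bridge fix, since a patch declared under a build-variant conditional would silently be skipped for other variants. A short comment line naming the upstream change or bug report next to the declaration, matching how the ApplyPatch section annotates entries, would also make the purpose of Patch12440 clear without opening the patch file.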
@@ -1348,6 +1350,8 @@ ApplyPatch fs-call-security_d_instantiate-in-d_obtain_alias.patch
 # rhbz#672778
 ApplyPatch ath5k-fix-fast-channel-change.patch
 
+ApplyPatch bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
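Review bot: the neighbouring "ApplyPatch ath5k-fix-fast-channel-change.patch" entry is preceded by a "# rhbz#672778" reference, but the new "ApplyPatch bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch" line has no such comment; add a reference to the bug report or upstream commit that this fix tracks so the entry can be retired when the kernel is rebased past it.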
@@ -1953,6 +1957,7 @@ fi
 %changelog
 * Sat Feb 12 2011 Chuck Ebbert <cebbert at redhat.com>  2.6.38-0.rc4.git6.1
 - Linux 2.6.38-rc4-git6
+- Fix memory corruption caused by bug in bridge code.
 
 * Thu Feb 10 2011 Chuck Ebbert <cebbert at redhat.com>  2.6.38-0.rc4.git3.1
 - Linux 2.6.38-rc4-git3
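Review bot: the changelog line "- Fix memory corruption caused by bug in bridge code." describes the symptom but not the specific change; since the patch description in this commit names the fix ("bridge: Fix mglist corruption that leads to memory corruption", observed as corruption in 512-byte slabs with crashes in jbd2), quoting that subject or the bug reference in the changelog entry would let users hitting the jbd2 crashes find this update.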

