linux/net
Herbert Xu 6b0d6a9b42 bridge: Fix mglist corruption that leads to memory corruption
The list mp->mglist is used to indicate whether a multicast group
is active on the bridge interface itself as opposed to one of the
constituent interfaces in the bridge.

Unfortunately the operation that adds the mp->mglist node to the
list neglected to check whether it has already been added.  This
leads to list corruption in the form of nodes pointing to itself.

Normally this would be quite obvious as it would cause an infinite
loop when walking the list.  However, as this list is never actually
walked (which means that we don't really need it, I'll get rid of
it in a subsequent patch), this instead is hidden until we perform
a delete operation on the affected nodes.

As the same node may now be pointed to by more than one node, the
delete operations can then cause modification of freed memory.

This was observed in practice to cause corruption in 512-byte slabs,
most commonly leading to crashes in jbd2.

Thanks to Josef Bacik for pointing me in the right direction.

Reported-by: Ian Page Hands <ihands@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-11 21:59:37 -08:00
..
9p net/9p: Use proper data types 2011-01-11 09:58:07 -06:00
802 net/802: add __rcu annotations 2010-10-25 13:09:44 -07:00
8021q 8021q: vlan device is lockless do not transfer real_num_{tx|rx}_queues 2010-11-28 10:47:19 -08:00
appletalk
atm Merge branch 'for-2.6.38' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq 2011-01-07 16:58:04 -08:00
ax25 net: ax25: fix information leak to userland harder 2011-01-12 00:34:49 -08:00
batman-adv batman-adv: Linearize fragment packets before merge 2011-02-08 00:54:31 +01:00
bluetooth Bluetooth: Fix race condition with conn->sec_level 2011-01-19 14:43:11 -02:00
bridge bridge: Fix mglist corruption that leads to memory corruption 2011-02-11 21:59:37 -08:00
caif net/caif: Fix dangling list pointer in freed object on error. 2011-02-08 14:31:31 -08:00
can can: test size of struct sockaddr in sendmsg 2011-01-15 20:56:42 -08:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2011-01-13 10:25:24 -08:00
core net: Fix lockdep regression caused by initializing netdev queues too early. 2011-02-08 15:02:50 -08:00
dcb dcbnl: make get_app handling symmetric for IEEE and CEE DCBx 2011-01-24 15:19:55 -08:00
dccp Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
decnet Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
dns_resolver Net: dns_resolver: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:10 -08:00
dsa module: fix missing semicolons in MODULE macro usage 2011-01-24 14:32:54 +10:30
econet econet: remove compiler warnings 2011-01-27 14:15:54 -08:00
ethernet eth: fix new kernel-doc warning 2011-01-12 19:00:40 -08:00
ieee802154 net: RCU conversion of dev_getbyhwaddr() and arp_ioctl() 2010-12-08 10:07:24 -08:00
ipv4 ip_gre: Add IPPROTO_GRE to flowi in ipgre_tunnel_xmit 2011-02-11 11:23:12 -08:00
ipv6 net: Provide compat support for SIOCGETMIFCNT_IN6 and SIOCGETSGCNT_IN6. 2011-02-03 18:05:29 -08:00
ipx BKL: introduce CONFIG_BKL. 2010-10-21 15:44:13 +02:00
irda Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-26 22:37:05 -08:00
iucv [S390] irq: have detailed statistics for interrupt types 2011-01-05 12:47:25 +01:00
key
l2tp Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-08 13:47:38 -08:00
lapb Net: lapb: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:14 -08:00
llc net: RCU conversion of dev_getbyhwaddr() and arp_ioctl() 2010-12-08 10:07:24 -08:00
mac80211 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-02-08 12:03:54 -08:00
netfilter netfilter: nf_conntrack: set conntrack templates again if we return NF_REPEAT 2011-02-09 08:08:20 +01:00
netlabel net: kill unused macros 2010-12-19 21:59:35 -08:00
netlink Revert "netlink: test for all flags of the NLM_F_DUMP composite" 2011-01-19 13:34:20 -08:00
netrom
packet net: Use skb_checksum_start_offset() 2010-12-16 14:43:14 -08:00
phonet phonet: some signedness bugs 2011-01-10 13:33:17 -08:00
rds Net: rds: Makefile: Remove deprecated items 2010-11-22 08:16:15 -08:00
rfkill kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
rose
rxrpc rxrpc: rxrpc_workqueue isn't used during memory reclaim 2011-01-14 09:25:11 -08:00
sched Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2011-01-24 13:17:06 -08:00
sctp sctp: user perfect name for Delayed SACK Timer option 2011-01-19 16:51:29 -08:00
sunrpc Merge branch 'for-2.6.38' of git://linux-nfs.org/~bfields/linux 2011-01-14 13:17:26 -08:00
tipc tipc: update log.h re-include protection to reflect new name 2011-01-01 14:56:18 -08:00
unix af_unix: Avoid socket->sk NULL OOPS in stream connect security hooks. 2011-01-05 15:38:53 -08:00
wanrouter Net: wanrouter: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:16 -08:00
wimax
wireless kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
x25 x25: Do not reference freed memory. 2011-02-09 22:36:13 -08:00
xfrm xfrm: avoid possible oopse in xfrm_alloc_dst 2011-02-10 23:08:33 -08:00
compat.c net: Limit socket I/O iovec total length to INT_MAX. 2010-10-28 11:47:52 -07:00
Kconfig Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
Makefile net: Add batman-adv meshing protocol 2010-12-16 13:44:24 -08:00
nonet.c
socket.c pass default dentry_operations to mount_pseudo() 2011-01-12 20:03:43 -05:00
sysctl_net.c
TUNABLE