oss-sec mailing list archives

CVE request -- kernel: block: CLONE_IO io_context refcounting issues


From: Petr Matousek <pmatouse () redhat com>
Date: Thu, 23 Feb 2012 19:11:01 +0100

With CLONE_IO, copy_io() increments both ioc->refcount and
ioc->nr_tasks. However, exit_io_context() only decrements
ioc->refcount if ioc->nr_tasks reaches 0.

With CLONE_IO, parent's io_context->nr_tasks is incremented, but never
decremented whenever copy_process() fails afterwards, which prevents
exit_io_context() from calling IO schedulers exit functions.

An unprivileged local user could use these flaws to cause a denial of
service.

Upstream fixes:
61cc74fbb87af6aa551a06a370590c9bc07e29d9
b69f2292063d2caf37ca9aec7d63ded203701bf3

References:
https://bugzilla.redhat.com/show_bug.cgi?id=796829
http://comments.gmane.org/gmane.linux.kernel/922519

Looks like it got fixed in Linux kernel 2.6.33(-rc1).

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
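The accounting flaw in the post can be modelled in userspace. The following is an added example, not code from the post or from the Linux kernel: the struct, the function names and the "fixed" path are constructed here to mirror the description above (copy_io() bumps both counters, exit_io_context() only drops refcount once nr_tasks hits 0, and a failed fork after copy_io() leaves nr_tasks too high). The repair modelled in undo_copy_io() is an assumption about the shape of the upstream fix, not a transcription of the referenced commits.

```c
/* Userspace model of io_context refcount/nr_tasks accounting (constructed
 * example; not kernel code). */
#include <stdio.h>
#include <stdlib.h>

struct io_context {
    int refcount;   /* references held on the context */
    int nr_tasks;   /* tasks currently sharing the context */
    int exited;     /* set once the scheduler exit hooks have run */
};

static struct io_context *alloc_io_context(void)
{
    struct io_context *ioc = calloc(1, sizeof *ioc);
    if (!ioc)
        abort();
    ioc->refcount = 1;   /* the creating task's reference */
    ioc->nr_tasks = 1;   /* the creating task itself */
    return ioc;
}

/* Model of copy_io() with CLONE_IO: the child shares the parent's
 * context, so both counters are incremented. */
static void copy_io_clone_io(struct io_context *ioc)
{
    ioc->refcount++;
    ioc->nr_tasks++;
}

/* Assumed shape of the fix: when copy_process() fails after copy_io(),
 * give back what copy_io() took so the counters stay balanced. */
static void undo_copy_io(struct io_context *ioc)
{
    ioc->nr_tasks--;
    ioc->refcount--;
}

/* Model of exit_io_context(): the I/O scheduler exit hooks run and the
 * reference is dropped only when the last sharing task leaves.
 * Returns 1 if the hooks ran, 0 otherwise. */
static int exit_io_context(struct io_context *ioc)
{
    if (--ioc->nr_tasks == 0) {
        ioc->exited = 1;
        ioc->refcount--;
        return 1;
    }
    return 0;
}

/* Scenario: a task clones with CLONE_IO, the clone fails after copy_io(),
 * and the task later exits. Returns whether the exit hooks ran and stores
 * the refcount left behind (a non-zero value means the context leaked). */
static int simulate_failed_clone(int fixed, int *final_refcount)
{
    struct io_context *ioc = alloc_io_context();
    copy_io_clone_io(ioc);          /* child took a share of the context */
    if (fixed)
        undo_copy_io(ioc);          /* fork failed: undo the accounting */
    /* the child never ran, so only the parent ever exits */
    int hooks_ran = exit_io_context(ioc);
    *final_refcount = ioc->refcount;
    free(ioc);
    return hooks_ran;
}

int main(void)
{
    int rc;
    int ran = simulate_failed_clone(0, &rc);
    printf("unfixed: exit hooks ran=%d, refcount left=%d\n", ran, rc);
    ran = simulate_failed_clone(1, &rc);
    printf("fixed:   exit hooks ran=%d, refcount left=%d\n", ran, rc);
    return 0;
}
```

In the unfixed path the parent's exit leaves nr_tasks at 1, so the scheduler exit hooks never run and refcount never reaches 0; each failed CLONE_IO clone adds one more reference that can never be released, which is the leak the post describes.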

