Linux v3.13.9
This commit is contained in:
parent
0a005ac427
commit
89368f5bd2
|
@ -1,180 +0,0 @@
|
|||
Bugzilla: 1045775
|
||||
Upstream-status: queued for 3.14-rc3 and stable 3.12+
|
||||
|
||||
Path: news.gmane.org!not-for-mail
|
||||
From: Michal Hocko <mhocko@suse.cz>
|
||||
Newsgroups: gmane.linux.kernel,gmane.linux.kernel.cgroups
|
||||
Subject: Re: [PATCH] cgroup: protect modifications to cgroup_idr with
|
||||
cgroup_mutex
|
||||
Date: Wed, 12 Feb 2014 10:12:38 +0100
|
||||
Lines: 127
|
||||
Approved: news@gmane.org
|
||||
Message-ID: <20140212091238.GC28085@dhcp22.suse.cz>
|
||||
References: <52F9D9DA.7040108@huawei.com>
|
||||
<20140211102032.GA11946@dhcp22.suse.cz>
|
||||
NNTP-Posting-Host: plane.gmane.org
|
||||
Mime-Version: 1.0
|
||||
Content-Type: text/plain; charset=us-ascii
|
||||
X-Trace: ger.gmane.org 1392196376 529 80.91.229.3 (12 Feb 2014 09:12:56 GMT)
|
||||
X-Complaints-To: usenet@ger.gmane.org
|
||||
NNTP-Posting-Date: Wed, 12 Feb 2014 09:12:56 +0000 (UTC)
|
||||
Cc: Tejun Heo <tj@kernel.org>, LKML <linux-kernel@vger.kernel.org>,
|
||||
Cgroups <cgroups@vger.kernel.org>
|
||||
To: Li Zefan <lizefan@huawei.com>
|
||||
Original-X-From: linux-kernel-owner@vger.kernel.org Wed Feb 12 10:13:03 2014
|
||||
Return-path: <linux-kernel-owner@vger.kernel.org>
|
||||
Envelope-to: glk-linux-kernel-3@plane.gmane.org
|
||||
Original-Received: from vger.kernel.org ([209.132.180.67])
|
||||
by plane.gmane.org with esmtp (Exim 4.69)
|
||||
(envelope-from <linux-kernel-owner@vger.kernel.org>)
|
||||
id 1WDVsM-0003po-4o
|
||||
for glk-linux-kernel-3@plane.gmane.org; Wed, 12 Feb 2014 10:13:02 +0100
|
||||
Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||
id S1751758AbaBLJMs (ORCPT <rfc822;glk-linux-kernel-3@m.gmane.org>);
|
||||
Wed, 12 Feb 2014 04:12:48 -0500
|
||||
Original-Received: from cantor2.suse.de ([195.135.220.15]:34766 "EHLO mx2.suse.de"
|
||||
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
|
||||
id S1750890AbaBLJMk (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
|
||||
Wed, 12 Feb 2014 04:12:40 -0500
|
||||
Original-Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254])
|
||||
by mx2.suse.de (Postfix) with ESMTP id 216F1ABB2;
|
||||
Wed, 12 Feb 2014 09:12:39 +0000 (UTC)
|
||||
Content-Disposition: inline
|
||||
In-Reply-To: <20140211102032.GA11946@dhcp22.suse.cz>
|
||||
User-Agent: Mutt/1.5.21 (2010-09-15)
|
||||
Original-Sender: linux-kernel-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <linux-kernel.vger.kernel.org>
|
||||
X-Mailing-List: linux-kernel@vger.kernel.org
|
||||
Xref: news.gmane.org gmane.linux.kernel:1646465 gmane.linux.kernel.cgroups:10357
|
||||
Archived-At: <http://permalink.gmane.org/gmane.linux.kernel/1646465>
|
||||
|
||||
Li has pointed out that my previous backport was not correct because
|
||||
err_unlock label releases a reference to supperblock which was not taken
|
||||
before idr_alloc. I've also removed cgroup_mutex from free_css_id as per
|
||||
Li.
|
||||
Fixed in this version.
|
||||
|
||||
---
|
||||
Date: Tue, 11 Feb 2014 16:05:46 +0800
|
||||
From: Li Zefan <lizefan@huawei.com>
|
||||
Subject: [PATCH - for 3.12] cgroup: protect modifications to cgroup_idr with cgroup_mutex
|
||||
|
||||
Setup cgroupfs like this:
|
||||
# mount -t cgroup -o cpuacct xxx /cgroup
|
||||
# mkdir /cgroup/sub1
|
||||
# mkdir /cgroup/sub2
|
||||
|
||||
Then run these two commands:
|
||||
# for ((; ;)) { mkdir /cgroup/sub1/tmp && rmdir /mnt/sub1/tmp; } &
|
||||
# for ((; ;)) { mkdir /cgroup/sub2/tmp && rmdir /mnt/sub2/tmp; } &
|
||||
|
||||
After seconds you may see this warning:
|
||||
|
||||
------------[ cut here ]------------
|
||||
WARNING: CPU: 1 PID: 25243 at lib/idr.c:527 sub_remove+0x87/0x1b0()
|
||||
idr_remove called for id=6 which is not allocated.
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff8156063c>] dump_stack+0x7a/0x96
|
||||
[<ffffffff810591ac>] warn_slowpath_common+0x8c/0xc0
|
||||
[<ffffffff81059296>] warn_slowpath_fmt+0x46/0x50
|
||||
[<ffffffff81300aa7>] sub_remove+0x87/0x1b0
|
||||
[<ffffffff810f3f02>] ? css_killed_work_fn+0x32/0x1b0
|
||||
[<ffffffff81300bf5>] idr_remove+0x25/0xd0
|
||||
[<ffffffff810f2bab>] cgroup_destroy_css_killed+0x5b/0xc0
|
||||
[<ffffffff810f4000>] css_killed_work_fn+0x130/0x1b0
|
||||
[<ffffffff8107cdbc>] process_one_work+0x26c/0x550
|
||||
[<ffffffff8107eefe>] worker_thread+0x12e/0x3b0
|
||||
[<ffffffff81085f96>] kthread+0xe6/0xf0
|
||||
[<ffffffff81570bac>] ret_from_fork+0x7c/0xb0
|
||||
---[ end trace 2d1577ec10cf80d0 ]---
|
||||
|
||||
It's because allocating/removing cgroup ID is not properly synchronized.
|
||||
|
||||
The bug was introduced when we converted cgroup_ida to cgroup_idr.
|
||||
While synchronization is already done inside ida_simple_{get,remove}(),
|
||||
users are responsible for concurrent calls to idr_{alloc,remove}().
|
||||
|
||||
[mhocko@suse.cz: ported to 3.12]
|
||||
Fixes: 4e96ee8e981b ("cgroup: convert cgroup_ida to cgroup_idr")
|
||||
Cc: <stable@vger.kernel.org> #3.12+
|
||||
Reported-by: Michal Hocko <mhocko@suse.cz>
|
||||
Signed-off-by: Li Zefan <lizefan@huawei.com>
|
||||
Signed-off-by: Michal Hocko <mhocko@suse.cz>
|
||||
---
|
||||
include/linux/cgroup.h | 2 ++
|
||||
kernel/cgroup.c | 23 ++++++++++++-----------
|
||||
2 files changed, 14 insertions(+), 11 deletions(-)
|
||||
|
||||
--- a/include/linux/cgroup.h
|
||||
+++ b/include/linux/cgroup.h
|
||||
@@ -169,6 +169,8 @@ struct cgroup {
|
||||
*
|
||||
* The ID of the root cgroup is always 0, and a new cgroup
|
||||
* will be assigned with a smallest available ID.
|
||||
+ *
|
||||
+ * Allocating/Removing ID must be protected by cgroup_mutex.
|
||||
*/
|
||||
int id;
|
||||
|
||||
--- a/kernel/cgroup.c
|
||||
+++ b/kernel/cgroup.c
|
||||
@@ -4410,16 +4410,6 @@ static long cgroup_create(struct cgroup
|
||||
rcu_assign_pointer(cgrp->name, name);
|
||||
|
||||
/*
|
||||
- * Temporarily set the pointer to NULL, so idr_find() won't return
|
||||
- * a half-baked cgroup.
|
||||
- */
|
||||
- cgrp->id = idr_alloc(&root->cgroup_idr, NULL, 1, 0, GFP_KERNEL);
|
||||
- if (cgrp->id < 0) {
|
||||
- err = -ENOMEM;
|
||||
- goto err_free_name;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
* Only live parents can have children. Note that the liveliness
|
||||
* check isn't strictly necessary because cgroup_mkdir() and
|
||||
* cgroup_rmdir() are fully synchronized by i_mutex; however, do it
|
||||
@@ -4426,7 +4418,7 @@ static long cgroup_create(struct cgroup
|
||||
*/
|
||||
if (!cgroup_lock_live_group(parent)) {
|
||||
err = -ENODEV;
|
||||
- goto err_free_id;
|
||||
+ goto err_free_name;
|
||||
}
|
||||
|
||||
/* Grab a reference on the superblock so the hierarchy doesn't
|
||||
@@ -4436,6 +4428,14 @@ static long cgroup_create(struct cgroup
|
||||
* fs */
|
||||
atomic_inc(&sb->s_active);
|
||||
|
||||
+ /*
|
||||
+ * Temporarily set the pointer to NULL, so idr_find() won't return
|
||||
+ * a half-baked cgroup.
|
||||
+ */
|
||||
+ cgrp->id = idr_alloc(&root->cgroup_idr, NULL, 1, 0, GFP_KERNEL);
|
||||
+ if (cgrp->id < 0)
|
||||
+ goto err_unlock;
|
||||
+
|
||||
init_cgroup_housekeeping(cgrp);
|
||||
|
||||
dentry->d_fsdata = cgrp;
|
||||
@@ -4542,11 +4542,11 @@ err_free_all:
|
||||
ss->css_free(css);
|
||||
}
|
||||
}
|
||||
+ idr_remove(&root->cgroup_idr, cgrp->id);
|
||||
+err_unlock:
|
||||
mutex_unlock(&cgroup_mutex);
|
||||
/* Release the reference count that we took on the superblock */
|
||||
deactivate_super(sb);
|
||||
-err_free_id:
|
||||
- idr_remove(&root->cgroup_idr, cgrp->id);
|
||||
err_free_name:
|
||||
kfree(rcu_dereference_raw(cgrp->name));
|
||||
err_free_cgrp:
|
||||
--
|
||||
Michal Hocko
|
||||
SUSE Labs
|
|
@ -1,50 +0,0 @@
|
|||
From c4aa64b54ecc029579b0c62e976d747a0e567dfc Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Fri, 21 Mar 2014 10:55:11 +0100
|
||||
Subject: [PATCH] input: cypress_ps2: Don't report the cypress PS/2 trackpads
|
||||
as a button pad
|
||||
|
||||
The cypress PS/2 trackpad models supported by the cypress_ps2 driver emulate
|
||||
BTN_RIGHT events in firmware based on the finger position, as part of this
|
||||
no motion events are sent when the finger is in the button area.
|
||||
|
||||
The INPUT_PROP_BUTTONPAD property is there to indicate to userspace that
|
||||
BTN_RIGHT events should be emulated in userspace, which is not necessary
|
||||
in this case.
|
||||
|
||||
When INPUT_PROP_BUTTONPAD is advertised userspace will wait for a motion event
|
||||
before propagating the button event higher up the stack, as it needs current
|
||||
abs x + y data for its BTN_RIGHT emulation. Since in the cypress_ps2 pads
|
||||
don't report motion events in the button area, this means that clicks in the
|
||||
button area end up being ignored, so INPUT_PROP_BUTTONPAD actually causes
|
||||
problems for these touchpads, and removing it fixes:
|
||||
|
||||
https://bugs.freedesktop.org/show_bug.cgi?id=76341
|
||||
|
||||
Reported-by: Adam Williamson <awilliam@redhat.com>
|
||||
Tested-by: Adam Williamson <awilliam@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Cc: Adam Williamson <awilliam@redhat.com>
|
||||
Cc: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
drivers/input/mouse/cypress_ps2.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/input/mouse/cypress_ps2.c b/drivers/input/mouse/cypress_ps2.c
|
||||
index 87095e2..8af34ff 100644
|
||||
--- a/drivers/input/mouse/cypress_ps2.c
|
||||
+++ b/drivers/input/mouse/cypress_ps2.c
|
||||
@@ -409,7 +409,6 @@ static int cypress_set_input_params(struct input_dev *input,
|
||||
__clear_bit(REL_X, input->relbit);
|
||||
__clear_bit(REL_Y, input->relbit);
|
||||
|
||||
- __set_bit(INPUT_PROP_BUTTONPAD, input->propbit);
|
||||
__set_bit(EV_KEY, input->evbit);
|
||||
__set_bit(BTN_LEFT, input->keybit);
|
||||
__set_bit(BTN_RIGHT, input->keybit);
|
||||
--
|
||||
1.9.0
|
||||
|
24
kernel.spec
24
kernel.spec
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 8
|
||||
%define stable_update 9
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -725,9 +725,6 @@ Patch25168: rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails
|
|||
#rhbz 953211
|
||||
Patch25184: Input-ALPS-add-support-for-Dolphin-devices.patch
|
||||
|
||||
#rhbz 1045755
|
||||
Patch25195: cgroup-fixes.patch
|
||||
|
||||
#rhbz 1064430 1056711
|
||||
Patch25196: ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
|
||||
Patch25197: ipv6-addrconf-revert-if_inet6ifa_flag-format.patch
|
||||
|
@ -765,9 +762,6 @@ Patch25041: ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
|
|||
#rhbz 1046495
|
||||
Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
|
||||
|
||||
#CVE-2014-2523 rhbz 1077343 1077350
|
||||
Patch25045: netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
|
||||
|
||||
#CVE-2014-0131 rhbz 1074589 1079006
|
||||
Patch25048: skbuff-zero-copy.patch
|
||||
|
||||
|
@ -783,10 +777,6 @@ Patch25051: net-vhost-fix-total-length-when-packets-are-too-short.patch
|
|||
#CVE-2014-2580 rhbz 1080084 1080086
|
||||
Patch25052: net-xen-netback-disable-rogue-vif-in-kthread-context.patch
|
||||
|
||||
#https://bugs.freedesktop.org/show_bug.cgi?id=76341
|
||||
#will go upstream for 3.15, and will be backported to stable releases
|
||||
Patch25053: input-cypress_ps2-Don-t-report-the-cypress-PS-2-trac.patch
|
||||
|
||||
#CVE-2014-2678 rhbz 1083274 1083280
|
||||
Patch25054: rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
|
||||
|
||||
|
@ -1462,9 +1452,6 @@ ApplyPatch rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.
|
|||
#rhbz 953211
|
||||
ApplyPatch Input-ALPS-add-support-for-Dolphin-devices.patch
|
||||
|
||||
#rhbz 1045755
|
||||
ApplyPatch cgroup-fixes.patch
|
||||
|
||||
#rhbz 1064430 1056711
|
||||
ApplyPatch ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
|
||||
ApplyPatch ipv6-addrconf-revert-if_inet6ifa_flag-format.patch
|
||||
|
@ -1502,9 +1489,6 @@ ApplyPatch ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
|
|||
#rhbz 1046495
|
||||
ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
|
||||
|
||||
#CVE-2014-2523 rhbz 1077343 1077350
|
||||
ApplyPatch netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
|
||||
|
||||
#CVE-2014-0131 rhbz 1074589 1079006
|
||||
ApplyPatch skbuff-zero-copy.patch
|
||||
|
||||
|
@ -1520,9 +1504,6 @@ ApplyPatch net-vhost-fix-total-length-when-packets-are-too-short.patch
|
|||
#CVE-2014-2580 rhbz 1080084 1080086
|
||||
ApplyPatch net-xen-netback-disable-rogue-vif-in-kthread-context.patch
|
||||
|
||||
#https://bugs.freedesktop.org/show_bug.cgi?id=76341
|
||||
ApplyPatch input-cypress_ps2-Don-t-report-the-cypress-PS-2-trac.patch
|
||||
|
||||
#CVE-2014-2678 rhbz 1083274 1083280
|
||||
ApplyPatch rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
|
||||
|
||||
|
@ -2338,6 +2319,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Thu Apr 03 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.13.9-100
|
||||
- Linux v3.13.9
|
||||
|
||||
* Tue Apr 01 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-2678 net: rds: deref of NULL dev in rds_iw_laddr_check (rhbz 1083274 1083280)
|
||||
|
||||
|
|
|
@ -1,65 +0,0 @@
|
|||
Bugzilla: 1077350
|
||||
Upstream-status: 3.14-rc1
|
||||
|
||||
From b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Borkmann <dborkman@redhat.com>
|
||||
Date: Mon, 6 Jan 2014 00:57:54 +0100
|
||||
Subject: [PATCH] netfilter: nf_conntrack_dccp: fix skb_header_pointer API
|
||||
usages
|
||||
|
||||
Some occurences in the netfilter tree use skb_header_pointer() in
|
||||
the following way ...
|
||||
|
||||
struct dccp_hdr _dh, *dh;
|
||||
...
|
||||
skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
|
||||
|
||||
... where dh itself is a pointer that is being passed as the copy
|
||||
buffer. Instead, we need to use &_dh as the forth argument so that
|
||||
we're copying the data into an actual buffer that sits on the stack.
|
||||
|
||||
Currently, we probably could overwrite memory on the stack (e.g.
|
||||
with a possibly mal-formed DCCP packet), but unintentionally, as
|
||||
we only want the buffer to be placed into _dh variable.
|
||||
|
||||
Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
|
||||
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
|
||||
index 3841268..cb372f9 100644
|
||||
--- a/net/netfilter/nf_conntrack_proto_dccp.c
|
||||
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
|
||||
@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
|
||||
const char *msg;
|
||||
u_int8_t state;
|
||||
|
||||
- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
|
||||
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
|
||||
BUG_ON(dh == NULL);
|
||||
|
||||
state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
|
||||
@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
|
||||
u_int8_t type, old_state, new_state;
|
||||
enum ct_dccp_roles role;
|
||||
|
||||
- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
|
||||
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
|
||||
BUG_ON(dh == NULL);
|
||||
type = dh->dccph_type;
|
||||
|
||||
@@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
|
||||
unsigned int cscov;
|
||||
const char *msg;
|
||||
|
||||
- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
|
||||
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
|
||||
if (dh == NULL) {
|
||||
msg = "nf_ct_dccp: short packet ";
|
||||
goto out_invalid;
|
||||
--
|
||||
1.8.5.3
|
||||
|
Loading…
Reference in New Issue