Linux v4.4-rc4-48-gaa53685
This commit is contained in:
Laura Abbott
parent
89f514b41b
commit
b880337ff2
|
|
@ -1,92 +0,0 @@
|
|||
From befa45e320edbded63b6900c4ba63df7a8db445c Mon Sep 17 00:00:00 2001
|
||||
From: Tejun Heo <tj@kernel.org>
|
||||
Date: Mon, 23 Nov 2015 14:55:41 -0500
|
||||
Subject: [PATCH] cgroup: make css_set pin its css's to avoid use-afer-free
|
||||
|
||||
A css_set represents the relationship between a set of tasks and
|
||||
css's. css_set never pinned the associated css's. This was okay
|
||||
because tasks used to always disassociate immediately (in RCU sense) -
|
||||
either a task is moved to a different css_set or exits and never
|
||||
accesses css_set again.
|
||||
|
||||
Unfortunately, afcf6c8b7544 ("cgroup: add cgroup_subsys->free() method
|
||||
and use it to fix pids controller") and patches leading up to it made
|
||||
a zombie hold onto its css_set and deref the associated css's on its
|
||||
release. Nothing pins the css's after exit and it might have already
|
||||
been freed leading to use-after-free.
|
||||
|
||||
general protection fault: 0000 [#1] PREEMPT SMP
|
||||
task: ffffffff81bf2500 ti: ffffffff81be4000 task.ti: ffffffff81be4000
|
||||
RIP: 0010:[<ffffffff810fa205>] [<ffffffff810fa205>] pids_cancel.constprop.4+0x5/0x40
|
||||
...
|
||||
Call Trace:
|
||||
<IRQ>
|
||||
[<ffffffff810fb02d>] ? pids_free+0x3d/0xa0
|
||||
[<ffffffff810f8893>] cgroup_free+0x53/0xe0
|
||||
[<ffffffff8104ed62>] __put_task_struct+0x42/0x130
|
||||
[<ffffffff81053557>] delayed_put_task_struct+0x77/0x130
|
||||
[<ffffffff810c6b34>] rcu_process_callbacks+0x2f4/0x820
|
||||
[<ffffffff810c6af3>] ? rcu_process_callbacks+0x2b3/0x820
|
||||
[<ffffffff81056e54>] __do_softirq+0xd4/0x460
|
||||
[<ffffffff81057369>] irq_exit+0x89/0xa0
|
||||
[<ffffffff81876212>] smp_apic_timer_interrupt+0x42/0x50
|
||||
[<ffffffff818747f4>] apic_timer_interrupt+0x84/0x90
|
||||
<EOI>
|
||||
...
|
||||
Code: 5b 5d c3 48 89 df 48 c7 c2 c9 f9 ae 81 48 c7 c6 91 2c ae 81 e8 1d 94 0e 00 31 c0 5b 5d c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <f0> 48 83 87 e0 00 00 00 ff 78 01 c3 80 3d 08 7a c1 00 00 74 02
|
||||
RIP [<ffffffff810fa205>] pids_cancel.constprop.4+0x5/0x40
|
||||
RSP <ffff88001fc03e20>
|
||||
---[ end trace 89a4a4b916b90c49 ]---
|
||||
Kernel panic - not syncing: Fatal exception in interrupt
|
||||
Kernel Offset: disabled
|
||||
---[ end Kernel panic - not syncing: Fatal exception in interrupt
|
||||
|
||||
Fix it by making css_set pin the associate css's until its release.
|
||||
|
||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
||||
Reported-by: Dave Jones <davej@codemonkey.org.uk>
|
||||
Reported-by: Daniel Wagner <daniel.wagner@bmw-carit.de>
|
||||
Link: http://lkml.kernel.org/g/20151120041836.GA18390@codemonkey.org.uk
|
||||
Link: http://lkml.kernel.org/g/5652D448.3080002@bmw-carit.de
|
||||
Fixes: afcf6c8b7544 ("cgroup: add cgroup_subsys->free() method and use it to fix pids controller")
|
||||
---
|
||||
kernel/cgroup.c | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
|
||||
index f1603c1..17773d6 100644
|
||||
--- a/kernel/cgroup.c
|
||||
+++ b/kernel/cgroup.c
|
||||
@@ -754,9 +754,11 @@ static void put_css_set_locked(struct css_set *cset)
|
||||
if (!atomic_dec_and_test(&cset->refcount))
|
||||
return;
|
||||
|
||||
- /* This css_set is dead. unlink it and release cgroup refcounts */
|
||||
- for_each_subsys(ss, ssid)
|
||||
+ /* This css_set is dead. unlink it and release cgroup and css refs */
|
||||
+ for_each_subsys(ss, ssid) {
|
||||
list_del(&cset->e_cset_node[ssid]);
|
||||
+ css_put(cset->subsys[ssid]);
|
||||
+ }
|
||||
hash_del(&cset->hlist);
|
||||
css_set_count--;
|
||||
|
||||
@@ -1056,9 +1058,13 @@ static struct css_set *find_css_set(struct css_set *old_cset,
|
||||
key = css_set_hash(cset->subsys);
|
||||
hash_add(css_set_table, &cset->hlist, key);
|
||||
|
||||
- for_each_subsys(ss, ssid)
|
||||
+ for_each_subsys(ss, ssid) {
|
||||
+ struct cgroup_subsys_state *css = cset->subsys[ssid];
|
||||
+
|
||||
list_add_tail(&cset->e_cset_node[ssid],
|
||||
- &cset->subsys[ssid]->cgroup->e_csets[ssid]);
|
||||
+ &css->cgroup->e_csets[ssid]);
|
||||
+ css_get(css);
|
||||
+ }
|
||||
|
||||
spin_unlock_bh(&css_set_lock);
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
||||
2
gitrev
2
gitrev
|
|
@ -1 +1 @@
|
|||
62ea1ec5e17fe36e2c728bc534f9f78b216dfe83
|
||||
aa53685549a2cfb5f175b0c4a20bc9aa1e5a1b85
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 7877d76b409181af38d307b98d8fed1024f3c9c2 Mon Sep 17 00:00:00 2001
|
||||
From a9488dbeccf188f0bd83b9d5704892f2c0f97fdc Mon Sep 17 00:00:00 2001
|
||||
From: Roland McGrath <roland@redhat.com>
|
||||
Date: Mon, 6 Oct 2008 23:03:03 -0700
|
||||
Subject: [PATCH] kbuild: AFTER_LINK
|
||||
|
|
@ -21,10 +21,10 @@ Signed-off-by: Roland McGrath <roland@redhat.com>
|
|||
7 files changed, 17 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile
|
||||
index f6fe17d88da5..eb6ddbf37f30 100644
|
||||
index b467fd0..feeff5e 100644
|
||||
--- a/arch/arm64/kernel/vdso/Makefile
|
||||
+++ b/arch/arm64/kernel/vdso/Makefile
|
||||
@@ -52,7 +52,8 @@ $(obj-vdso): %.o: %.S FORCE
|
||||
@@ -55,7 +55,8 @@ $(obj-vdso): %.o: %.S FORCE
|
||||
|
||||
# Actual build commands
|
||||
quiet_cmd_vdsold = VDSOL $@
|
||||
|
|
@ -35,7 +35,7 @@ index f6fe17d88da5..eb6ddbf37f30 100644
|
|||
cmd_vdsoas = $(CC) $(a_flags) -c -o $@ $<
|
||||
|
||||
diff --git a/arch/powerpc/kernel/vdso32/Makefile b/arch/powerpc/kernel/vdso32/Makefile
|
||||
index 53e6c9b979ec..e427844e9bb0 100644
|
||||
index 6abffb7..7b103bb 100644
|
||||
--- a/arch/powerpc/kernel/vdso32/Makefile
|
||||
+++ b/arch/powerpc/kernel/vdso32/Makefile
|
||||
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
|
||||
|
|
@ -49,7 +49,7 @@ index 53e6c9b979ec..e427844e9bb0 100644
|
|||
cmd_vdso32as = $(CROSS32CC) $(a_flags) -c -o $@ $<
|
||||
|
||||
diff --git a/arch/powerpc/kernel/vdso64/Makefile b/arch/powerpc/kernel/vdso64/Makefile
|
||||
index effca9404b17..713891a92d23 100644
|
||||
index 8c8f2ae..a743ebe 100644
|
||||
--- a/arch/powerpc/kernel/vdso64/Makefile
|
||||
+++ b/arch/powerpc/kernel/vdso64/Makefile
|
||||
@@ -36,7 +36,8 @@ $(obj-vdso64): %.o: %.S
|
||||
|
|
@ -63,7 +63,7 @@ index effca9404b17..713891a92d23 100644
|
|||
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
|
||||
|
||||
diff --git a/arch/s390/kernel/vdso32/Makefile b/arch/s390/kernel/vdso32/Makefile
|
||||
index ee8a18e50a25..63e33fa049f8 100644
|
||||
index ee8a18e..63e33fa 100644
|
||||
--- a/arch/s390/kernel/vdso32/Makefile
|
||||
+++ b/arch/s390/kernel/vdso32/Makefile
|
||||
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
|
||||
|
|
@ -77,7 +77,7 @@ index ee8a18e50a25..63e33fa049f8 100644
|
|||
cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $<
|
||||
|
||||
diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile
|
||||
index c4b03f9ed228..550450fc2f95 100644
|
||||
index c4b03f9..550450f 100644
|
||||
--- a/arch/s390/kernel/vdso64/Makefile
|
||||
+++ b/arch/s390/kernel/vdso64/Makefile
|
||||
@@ -43,7 +43,8 @@ $(obj-vdso64): %.o: %.S
|
||||
|
|
@ -91,10 +91,10 @@ index c4b03f9ed228..550450fc2f95 100644
|
|||
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
|
||||
|
||||
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
|
||||
index a3d0767a6b29..078c9be1db8f 100644
|
||||
index 265c0ed..fd90c7d 100644
|
||||
--- a/arch/x86/entry/vdso/Makefile
|
||||
+++ b/arch/x86/entry/vdso/Makefile
|
||||
@@ -172,8 +172,9 @@ $(vdso32-images:%=$(obj)/%.dbg): $(obj)/vdso32-%.so.dbg: FORCE \
|
||||
@@ -159,8 +159,9 @@ $(obj)/vdso32.so.dbg: FORCE \
|
||||
quiet_cmd_vdso = VDSO $@
|
||||
cmd_vdso = $(CC) -nostdlib -o $@ \
|
||||
$(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
|
||||
|
|
@ -107,11 +107,11 @@ index a3d0767a6b29..078c9be1db8f 100644
|
|||
VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \
|
||||
$(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
|
||||
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
|
||||
index 1a10d8ac8162..092d0c0cf72c 100755
|
||||
index dacf71a..72cbefd 100755
|
||||
--- a/scripts/link-vmlinux.sh
|
||||
+++ b/scripts/link-vmlinux.sh
|
||||
@@ -65,6 +65,10 @@ vmlinux_link()
|
||||
-lutil ${1}
|
||||
-lutil -lrt ${1}
|
||||
rm -f linux
|
||||
fi
|
||||
+ if [ -n "${AFTER_LINK}" ]; then
|
||||
|
|
@ -122,5 +122,5 @@ index 1a10d8ac8162..092d0c0cf72c 100755
|
|||
|
||||
|
||||
--
|
||||
2.4.3
|
||||
2.5.0
|
||||
|
||||
|
|
|
|||
|
|
@ -67,7 +67,7 @@ Summary: The Linux kernel
|
|||
# The rc snapshot level
|
||||
%define rcrev 4
|
||||
# The git snapshot level
|
||||
%define gitrev 1
|
||||
%define gitrev 2
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 4.%{upstream_sublevel}.0
|
||||
%endif
|
||||
|
|
@ -582,9 +582,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
|
|||
|
||||
Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
|
||||
|
||||
#rhbz 1282706
|
||||
Patch512: 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
|
||||
|
||||
#CVE-2015-7833 rhbz 1270158 1270160
|
||||
Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch
|
||||
|
||||
|
|
@ -2037,6 +2034,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Dec 09 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc4.git2.1
|
||||
- Linux v4.4-rc4-48-gaa53685
|
||||
|
||||
* Tue Dec 08 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc4.git1.1
|
||||
- Linux v4.4-rc4-16-g62ea1ec
|
||||
- Reenable debugging options.
|
||||
|
|
|
|||
Loading…
Reference in New Issue