diff --git a/0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch b/0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
new file mode 100644
index 000000000..f6d32220c
--- /dev/null
+++ b/0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
@@ -0,0 +1,92 @@ +From befa45e320edbded63b6900c4ba63df7a8db445c Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 23 Nov 2015 14:55:41 -0500 +Subject: [PATCH] cgroup: make css_set pin its css's to avoid use-afer-free + +A css_set represents the relationship between a set of tasks and +css's. css_set never pinned the associated css's. This was okay +because tasks used to always disassociate immediately (in RCU sense) - +either a task is moved to a different css_set or exits and never +accesses css_set again. + +Unfortunately, afcf6c8b7544 ("cgroup: add cgroup_subsys->free() method +and use it to fix pids controller") and patches leading up to it made +a zombie hold onto its css_set and deref the associated css's on its +release. Nothing pins the css's after exit and it might have already +been freed leading to use-after-free. + + general protection fault: 0000 [#1] PREEMPT SMP + task: ffffffff81bf2500 ti: ffffffff81be4000 task.ti: ffffffff81be4000 + RIP: 0010:[] [] pids_cancel.constprop.4+0x5/0x40 + ... + Call Trace: + + [] ? pids_free+0x3d/0xa0 + [] cgroup_free+0x53/0xe0 + [] __put_task_struct+0x42/0x130 + [] delayed_put_task_struct+0x77/0x130 + [] rcu_process_callbacks+0x2f4/0x820 + [] ? rcu_process_callbacks+0x2b3/0x820 + [] __do_softirq+0xd4/0x460 + [] irq_exit+0x89/0xa0 + [] smp_apic_timer_interrupt+0x42/0x50 + [] apic_timer_interrupt+0x84/0x90 + + ... + Code: 5b 5d c3 48 89 df 48 c7 c2 c9 f9 ae 81 48 c7 c6 91 2c ae 81 e8 1d 94 0e 00 31 c0 5b 5d c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 83 87 e0 00 00 00 ff 78 01 c3 80 3d 08 7a c1 00 00 74 02 + RIP [] pids_cancel.constprop.4+0x5/0x40 + RSP + ---[ end trace 89a4a4b916b90c49 ]--- + Kernel panic - not syncing: Fatal exception in interrupt + Kernel Offset: disabled + ---[ end Kernel panic - not syncing: Fatal exception in interrupt + +Fix it by making css_set pin the associate css's until its release. 
+ +Signed-off-by: Tejun Heo +Reported-by: Dave Jones +Reported-by: Daniel Wagner +Link: http://lkml.kernel.org/g/20151120041836.GA18390@codemonkey.org.uk +Link: http://lkml.kernel.org/g/5652D448.3080002@bmw-carit.de +Fixes: afcf6c8b7544 ("cgroup: add cgroup_subsys->free() method and use it to fix pids controller") +--- + kernel/cgroup.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/kernel/cgroup.c b/kernel/cgroup.c +index f1603c1..17773d6 100644 +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -754,9 +754,11 @@ static void put_css_set_locked(struct css_set *cset) + if (!atomic_dec_and_test(&cset->refcount)) + return; + +- /* This css_set is dead. unlink it and release cgroup refcounts */ +- for_each_subsys(ss, ssid) ++ /* This css_set is dead. unlink it and release cgroup and css refs */ ++ for_each_subsys(ss, ssid) { + list_del(&cset->e_cset_node[ssid]); ++ css_put(cset->subsys[ssid]); ++ } + hash_del(&cset->hlist); + css_set_count--; + +@@ -1056,9 +1058,13 @@ static struct css_set *find_css_set(struct css_set *old_cset, + key = css_set_hash(cset->subsys); + hash_add(css_set_table, &cset->hlist, key); + +- for_each_subsys(ss, ssid) ++ for_each_subsys(ss, ssid) { ++ struct cgroup_subsys_state *css = cset->subsys[ssid]; ++ + list_add_tail(&cset->e_cset_node[ssid], +- &cset->subsys[ssid]->cgroup->e_csets[ssid]); ++ &css->cgroup->e_csets[ssid]); ++ css_get(css); ++ } + + spin_unlock_bh(&css_set_lock); + +-- +2.5.0 + diff --git a/0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch b/0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch deleted file mode 100644 index 7dab1ff5c..000000000 --- a/0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 721ebb3cf4788107424f92ac2da6cfce20c67297 Mon Sep 17 00:00:00 2001 -From: Peter Robinson -Date: Sun, 1 Nov 2015 23:54:08 +0000 -Subject: [PATCH] watchdog: omap_wdt: fix null pointer dereference - -Fix issue from two patches overlapping causing a kernel oops - -[ 3569.297449] Unable to handle kernel NULL pointer dereference at virtual address 00000088 -[ 3569.306272] pgd = dc894000 -[ 3569.309287] [00000088] *pgd=00000000 -[ 3569.313104] Internal error: Oops: 5 [#1] SMP ARM -[ 3569.317986] Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_filter ebtable_nat ebtable_broute bridge stp llc ebtables ip6table_security ip6table_raw ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_filter ip6_tables iptable_security iptable_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle musb_dsps cppi41 musb_hdrc phy_am335x udc_core phy_generic phy_am335x_control omap_sham omap_aes omap_rng omap_hwspinlock omap_mailbox hwspinlock_core musb_am335x omap_wdt at24 8250_omap leds_gpio cpufreq_dt smsc davinci_mdio mmc_block ti_cpsw cpsw_common ptp pps_core cpsw_ale davinci_cpdma omap_hsmmc omap_dma mmc_core i2c_dev -[ 3569.386293] CPU: 0 PID: 1429 Comm: wdctl Not tainted 4.3.0-0.rc7.git0.1.fc24.armv7hl #1 -[ 3569.394740] Hardware name: Generic AM33XX (Flattened Device Tree) -[ 3569.401179] task: dbd11a00 ti: dbaac000 task.ti: dbaac000 -[ 3569.406917] PC is at omap_wdt_get_timeleft+0xc/0x20 [omap_wdt] -[ 3569.413106] LR is at watchdog_ioctl+0x3cc/0x42c -[ 3569.417902] pc : [] lr : [] psr: 600f0013 -[ 3569.417902] sp : dbaadf18 ip : 00000003 fp : 7f5d3bbe -[ 3569.430014] r10: 00000000 r9 : 00000003 r8 : bef21ab8 -[ 3569.435535] r7 : dbbc0f7c r6 : dbbc0f18 r5 : bef21ab8 r4 : 00000000 -[ 3569.442427] r3 : 00000000 r2 : 00000000 r1 : 8004570a r0 : dbbc0f18 -[ 3569.449323] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none -[ 3569.456858] Control: 10c5387d 
Table: 9c894019 DAC: 00000051 -[ 3569.462927] Process wdctl (pid: 1429, stack limit = 0xdbaac220) -[ 3569.469179] Stack: (0xdbaadf18 to 0xdbaae000) -[ 3569.473790] df00: bef21ab8 dbf60e38 -[ 3569.482441] df20: dc91b840 8004570a bef21ab8 c03988a4 dbaadf48 dc854000 00000000 dd313850 -[ 3569.491092] df40: ddf033b8 0000570a dc91b80b dbaadf3c dbf60e38 00000020 c0df9250 c0df6c48 -[ 3569.499741] df60: dc91b840 8004570a 00000000 dc91b840 dc91b840 8004570a bef21ab8 00000003 -[ 3569.508389] df80: 00000000 c03989d4 bef21b74 7f5d3bad 00000003 00000036 c020fcc4 dbaac000 -[ 3569.517037] dfa0: 00000000 c020fb00 bef21b74 7f5d3bad 00000003 8004570a bef21ab8 00000001 -[ 3569.525685] dfc0: bef21b74 7f5d3bad 00000003 00000036 00000001 00000000 7f5e4eb0 7f5d3bbe -[ 3569.534334] dfe0: 7f5e4f10 bef21a3c 7f5d0a54 b6e97e0c a00f0010 00000003 00000000 00000000 -[ 3569.543038] [] (omap_wdt_get_timeleft [omap_wdt]) from [] (watchdog_ioctl+0x3cc/0x42c) -[ 3569.553266] [] (watchdog_ioctl) from [] (do_vfs_ioctl+0x5bc/0x698) -[ 3569.561648] [] (do_vfs_ioctl) from [] (SyS_ioctl+0x54/0x7c) -[ 3569.569400] [] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x3c) -[ 3569.577413] Code: e12fff1e e52de004 e8bd4000 e5903060 (e5933088) -[ 3569.584089] ---[ end trace cec3039bd3ae610a ]--- - -Cc: # v4.2+ -Signed-off-by: Peter Robinson ---- - drivers/watchdog/omap_wdt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/watchdog/omap_wdt.c b/drivers/watchdog/omap_wdt.c -index d96bee0..6f17c93 100644 ---- a/drivers/watchdog/omap_wdt.c -+++ b/drivers/watchdog/omap_wdt.c -@@ -205,7 +205,7 @@ static int omap_wdt_set_timeout(struct watchdog_device *wdog, - - static unsigned int omap_wdt_get_timeleft(struct watchdog_device *wdog) - { -- struct omap_wdt_dev *wdev = watchdog_get_drvdata(wdog); -+ struct omap_wdt_dev *wdev = to_omap_wdt_dev(wdog); - void __iomem *base = wdev->base; - u32 value; - --- -2.5.0 - diff --git a/config-arm64 b/config-arm64 index 9f1abd312..bf9c15ff8 100644 
--- a/config-arm64 +++ b/config-arm64 @@ -31,6 +31,7 @@ CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_832075=y CONFIG_ARM64_ERRATUM_843419=y +CONFIG_ARM64_ERRATUM_834220=y CONFIG_CAVIUM_ERRATUM_22375=y CONFIG_CAVIUM_ERRATUM_23154=y diff --git a/config-generic b/config-generic index 0bccb4525..7f3115ebc 100644 --- a/config-generic +++ b/config-generic @@ -1792,13 +1792,13 @@ CONFIG_B43_PCMCIA=y CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y CONFIG_B43_BCMA_PIO=y -CONFIG_B43_DEBUG=y +# CONFIG_B43_DEBUG is not set CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y CONFIG_B43_PHY_G=y CONFIG_B43LEGACY=m -CONFIG_B43LEGACY_DEBUG=y +# CONFIG_B43LEGACY_DEBUG is not set CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -5039,7 +5039,7 @@ CONFIG_PM_DEBUG=y # CONFIG_DPM_WATCHDOG is not set # revisit this in debug CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -CONFIG_PM_TEST_SUSPEND=y +# CONFIG_PM_TEST_SUSPEND is not set # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set # CONFIG_PM_WAKELOCKS is not set diff --git a/config-nodebug b/config-nodebug index 1b93255c0..65e8accd1 100644 --- a/config-nodebug +++ b/config-nodebug 
@@ -2,101 +2,101 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -CONFIG_DEBUG_ATOMIC_SLEEP=y +# CONFIG_DEBUG_ATOMIC_SLEEP is not set -CONFIG_DEBUG_MUTEXES=y -CONFIG_DEBUG_RT_MUTEXES=y -CONFIG_DEBUG_LOCK_ALLOC=y -CONFIG_LOCK_TORTURE_TEST=m -CONFIG_PROVE_LOCKING=y -CONFIG_DEBUG_SPINLOCK=y -CONFIG_PROVE_RCU=y +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_PROVE_RCU is not set # CONFIG_PROVE_RCU_REPEATEDLY is not set -CONFIG_DEBUG_PER_CPU_MAPS=y +# CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_CPUMASK_OFFSTACK=y -CONFIG_CPU_NOTIFIER_ERROR_INJECT=m +# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set -CONFIG_FAULT_INJECTION=y -CONFIG_FAILSLAB=y -CONFIG_FAIL_PAGE_ALLOC=y -CONFIG_FAIL_MAKE_REQUEST=y -CONFIG_FAULT_INJECTION_DEBUG_FS=y -CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y -CONFIG_FAIL_IO_TIMEOUT=y -CONFIG_FAIL_MMC_REQUEST=y +# CONFIG_FAULT_INJECTION is not set +# CONFIG_FAILSLAB is not set +# CONFIG_FAIL_PAGE_ALLOC is not set +# CONFIG_FAIL_MAKE_REQUEST is not set +# CONFIG_FAULT_INJECTION_DEBUG_FS is not set +# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set +# CONFIG_FAIL_IO_TIMEOUT is not set +# CONFIG_FAIL_MMC_REQUEST is not set -CONFIG_LOCK_STAT=y +# CONFIG_LOCK_STAT is not set -CONFIG_DEBUG_STACK_USAGE=y +# CONFIG_DEBUG_STACK_USAGE is not set -CONFIG_ACPI_DEBUG=y +# CONFIG_ACPI_DEBUG is not set # CONFIG_ACPI_DEBUGGER is not set -CONFIG_DEBUG_SG=y -CONFIG_DEBUG_PI_LIST=y +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_PI_LIST is not set # CONFIG_PAGE_EXTENSION is not set # CONFIG_PAGE_OWNER is not set # CONFIG_DEBUG_PAGEALLOC is not set -CONFIG_DEBUG_OBJECTS=y +# CONFIG_DEBUG_OBJECTS is not set # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -CONFIG_DEBUG_OBJECTS_FREE=y -CONFIG_DEBUG_OBJECTS_TIMERS=y -CONFIG_DEBUG_OBJECTS_RCU_HEAD=y +# CONFIG_DEBUG_OBJECTS_FREE 
is not set +# CONFIG_DEBUG_OBJECTS_TIMERS is not set +# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 CONFIG_X86_PTDUMP=y -CONFIG_ARM64_PTDUMP=y -CONFIG_EFI_PGT_DUMP=y +# CONFIG_ARM64_PTDUMP is not set +# CONFIG_EFI_PGT_DUMP is not set -CONFIG_CAN_DEBUG_DEVICES=y +# CONFIG_CAN_DEBUG_DEVICES is not set -CONFIG_MODULE_FORCE_UNLOAD=y +# CONFIG_MODULE_FORCE_UNLOAD is not set -CONFIG_DEBUG_NOTIFIERS=y +# CONFIG_DEBUG_NOTIFIERS is not set -CONFIG_DMA_API_DEBUG=y +# CONFIG_DMA_API_DEBUG is not set -CONFIG_MMIOTRACE=y +# CONFIG_MMIOTRACE is not set -CONFIG_DEBUG_CREDENTIALS=y +# CONFIG_DEBUG_CREDENTIALS is not set # off in both production debug and nodebug builds, # on in rawhide nodebug builds -CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set -CONFIG_EXT4_DEBUG=y +# CONFIG_EXT4_DEBUG is not set # CONFIG_XFS_WARN is not set -CONFIG_DEBUG_PERF_USE_VMALLOC=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set -CONFIG_JBD2_DEBUG=y +# CONFIG_JBD2_DEBUG is not set -CONFIG_NFSD_FAULT_INJECTION=y +# CONFIG_NFSD_FAULT_INJECTION is not set -CONFIG_DEBUG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set -CONFIG_DRBD_FAULT_INJECTION=y +# CONFIG_DRBD_FAULT_INJECTION is not set -CONFIG_ATH_DEBUG=y -CONFIG_CARL9170_DEBUGFS=y -CONFIG_IWLWIFI_DEVICE_TRACING=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_CARL9170_DEBUGFS is not set +# CONFIG_IWLWIFI_DEVICE_TRACING is not set # CONFIG_RTLWIFI_DEBUG is not set -CONFIG_DEBUG_OBJECTS_WORK=y +# CONFIG_DEBUG_OBJECTS_WORK is not set -CONFIG_DMADEVICES_DEBUG=y +# CONFIG_DMADEVICES_DEBUG is not set # CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y -CONFIG_CEPH_LIB_PRETTYDEBUG=y -CONFIG_QUOTA_DEBUG=y +# CONFIG_CEPH_LIB_PRETTYDEBUG is not set +# CONFIG_QUOTA_DEBUG is not set CONFIG_KGDB_KDB=y 
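Review bot: `CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1` stays as an unchanged context line while `CONFIG_DEBUG_OBJECTS` and every `CONFIG_DEBUG_OBJECTS_*` sub-option around it is flipped to `is not set`, so it is now a child value with no enabled parent and Kconfig will silently drop it from the generated .config. The same pattern appears in the @@ -104,18 hunk, where `CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024` and `CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y` survive the disabling of `CONFIG_DEBUG_KMEMLEAK`, and `CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120` survives the disabling of `CONFIG_DETECT_HUNG_TASK`. This is presumably intentional so the template still carries the values used when the debug build re-enables the parents, but nothing in the hunk says so; a one-line comment such as `# child values below are kept for the debug build and ignored when the parent is off` next to the first of them would spare the next reader from wondering whether the leftover values are an oversight.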
@@ -104,18 +104,18 @@ CONFIG_KDB_DEFAULT_ENABLE=0x0 CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y +# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set # CONFIG_PERCPU_TEST is not set -CONFIG_TEST_LIST_SORT=y +# CONFIG_TEST_LIST_SORT is not set # CONFIG_TEST_STRING_HELPERS is not set -CONFIG_DETECT_HUNG_TASK=y +# CONFIG_DETECT_HUNG_TASK is not set CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y +# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set -CONFIG_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y @@ -126,4 +126,4 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set -CONFIG_X86_DEBUG_STATIC_CPU_HAS=y +# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set diff --git a/config-x86-generic b/config-x86-generic index dff8775a6..cc67788a6 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -365,7 +365,7 @@ CONFIG_SP5100_TCO=m # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -CONFIG_MAXSMP=y +# CONFIG_MAXSMP is not set CONFIG_HP_ILO=m diff --git a/kernel.spec b/kernel.spec index 7f39a9c4a..8e9ce1fbb 100644 --- a/kernel.spec +++ b/kernel.spec @@ -65,9 +65,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 2 +%define rcrev 3 # The git snapshot level -%define gitrev 2 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif 
@@ -122,7 +122,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -502,8 +502,6 @@ Patch456: arm64-acpi-drop-expert-patch.patch Patch457: ARM-tegra-usb-no-reset.patch -Patch459: 0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch - Patch460: mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch Patch463: arm-i.MX6-Utilite-device-dtb.patch @@ -590,6 +588,9 @@ Patch510: 0001-iwlwifi-Add-new-PCI-IDs-for-the-8260-series.patch #CVE-2015-7990 rhbz 1276437 1276438 Patch511: RDS-fix-race-condition-when-sending-a-message-on-unb.patch +#rhbz 1282706 +Patch512: 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch + # END OF PATCH DEFINITIONS %endif @@ -2033,6 +2034,11 @@ fi # # %changelog +* Mon Nov 30 2015 Laura Abbott - 4.4.0-0.rc3.git0.1 +- Linux v4.4-rc3 +- Fix for cgroup use after free (rhbz 1282706) +- Disable debugging options. + * Wed Nov 25 2015 Laura Abbott - 4.4.0-0.rc2.git2.1 - Linux v4.4-rc2-44-g6ffeba9 diff --git a/sources b/sources index 9ad241408..4290552ba 100644 --- a/sources +++ b/sources @@ -1,4 +1,3 @@ 58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz 7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz -db11195bab1230374cd0ecc8e8ed1420 patch-4.4-rc2.xz -665dad96bdc1793bf80c2ca671fa9c67 patch-4.4-rc2-git2.xz +83b0e08492978a49c4b176646c6345b5 patch-4.4-rc3.xz
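Review bot: The @@ -502,8 hunk drops `Patch459: 0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch` (the file itself is deleted earlier in this diff), but the new %changelog entry in the @@ -2033,6 hunk records only the cgroup fix and the debug-option switch, so the removal is not traceable from the package history. Presumably the fix landed upstream in the v4.4-rc3 snapshot this update moves to; if so, add a line such as `- Drop omap_wdt null pointer dereference patch, merged upstream` to the 4.4.0-0.rc3.git0.1 entry. Without it, anyone auditing which out-of-tree fixes the package still carries has to diff two package revisions to discover that this one went away.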