Linux v4.4-rc8
- Disable debugging options.
This commit is contained in:
Laura Abbott
parent
dbf7dd9516
commit
94beff34d1
@ -1,108 +0,0 @@
|
||||
From f144220f72062ed5359e0211f130670c915a12dd Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 14 Dec 2015 10:36:31 -0500
|
||||
Subject: [PATCH] KEYS: Fix race between read and revoke
|
||||
|
||||
There's a race between keyctl_read() and keyctl_revoke(). If the revoke
|
||||
happens between keyctl_read() checking the validity of a key and the key's
|
||||
semaphore being taken, then the key type read method will see a revoked key.
|
||||
|
||||
This causes a problem for the user-defined key type because it assumes in
|
||||
its read method that there will always be a payload in a non-revoked key
|
||||
and doesn't check for a NULL pointer.
|
||||
|
||||
Fix this by making keyctl_read() check the validity of a key after taking
|
||||
semaphore instead of before.
|
||||
|
||||
This was discovered by a multithreaded test program generated by syzkaller
|
||||
(http://github.com/google/syzkaller). Here's a cleaned up version:
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <keyutils.h>
|
||||
#include <pthread.h>
|
||||
void *thr0(void *arg)
|
||||
{
|
||||
key_serial_t key = (unsigned long)arg;
|
||||
keyctl_revoke(key);
|
||||
return 0;
|
||||
}
|
||||
void *thr1(void *arg)
|
||||
{
|
||||
key_serial_t key = (unsigned long)arg;
|
||||
char buffer[16];
|
||||
keyctl_read(key, buffer, 16);
|
||||
return 0;
|
||||
}
|
||||
int main()
|
||||
{
|
||||
key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
|
||||
pthread_t th[5];
|
||||
pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
|
||||
pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
|
||||
pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
|
||||
pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
|
||||
pthread_join(th[0], 0);
|
||||
pthread_join(th[1], 0);
|
||||
pthread_join(th[2], 0);
|
||||
pthread_join(th[3], 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
Build as:
|
||||
|
||||
cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
|
||||
|
||||
Run as:
|
||||
|
||||
while keyctl-race; do :; done
|
||||
|
||||
as it may need several iterations to crash the kernel. The crash can be
|
||||
summarised as:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
|
||||
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
|
||||
[<ffffffff81277815>] SyS_keyctl+0x83/0xe0
|
||||
[<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
security/keys/keyctl.c | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
index fb111eafcb89..1c3872aeed14 100644
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
|
||||
|
||||
/* the key is probably readable - now try to read it */
|
||||
can_read_key:
|
||||
- ret = key_validate(key);
|
||||
- if (ret == 0) {
|
||||
- ret = -EOPNOTSUPP;
|
||||
- if (key->type->read) {
|
||||
- /* read the data with the semaphore held (since we
|
||||
- * might sleep) */
|
||||
- down_read(&key->sem);
|
||||
+ ret = -EOPNOTSUPP;
|
||||
+ if (key->type->read) {
|
||||
+ /* Read the data with the semaphore held (since we might sleep)
|
||||
+ * to protect against the key being updated or revoked.
|
||||
+ */
|
||||
+ down_read(&key->sem);
|
||||
+ ret = key_validate(key);
|
||||
+ if (ret == 0)
|
||||
ret = key->type->read(key, buffer, buflen);
|
||||
- up_read(&key->sem);
|
||||
- }
|
||||
+ up_read(&key->sem);
|
||||
}
|
||||
|
||||
error2:
|
||||
--
|
||||
2.5.0
|
||||
|
||||
@ -1799,13 +1799,13 @@ CONFIG_B43_PCMCIA=y
|
||||
CONFIG_B43_SDIO=y
|
||||
CONFIG_B43_BCMA=y
|
||||
CONFIG_B43_BCMA_PIO=y
|
||||
CONFIG_B43_DEBUG=y
|
||||
# CONFIG_B43_DEBUG is not set
|
||||
CONFIG_B43_PHY_LP=y
|
||||
CONFIG_B43_PHY_N=y
|
||||
CONFIG_B43_PHY_HT=y
|
||||
CONFIG_B43_PHY_G=y
|
||||
CONFIG_B43LEGACY=m
|
||||
CONFIG_B43LEGACY_DEBUG=y
|
||||
# CONFIG_B43LEGACY_DEBUG is not set
|
||||
CONFIG_B43LEGACY_DMA=y
|
||||
CONFIG_B43LEGACY_PIO=y
|
||||
CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
|
||||
@ -5046,7 +5046,7 @@ CONFIG_PM_DEBUG=y
|
||||
# CONFIG_DPM_WATCHDOG is not set # revisit this in debug
|
||||
CONFIG_PM_TRACE=y
|
||||
CONFIG_PM_TRACE_RTC=y
|
||||
CONFIG_PM_TEST_SUSPEND=y
|
||||
# CONFIG_PM_TEST_SUSPEND is not set
|
||||
# CONFIG_PM_OPP is not set
|
||||
# CONFIG_PM_AUTOSLEEP is not set
|
||||
# CONFIG_PM_WAKELOCKS is not set
|
||||
|
||||
110
config-nodebug
110
config-nodebug
@ -2,101 +2,101 @@ CONFIG_SND_VERBOSE_PRINTK=y
|
||||
CONFIG_SND_DEBUG=y
|
||||
CONFIG_SND_PCM_XRUN_DEBUG=y
|
||||
|
||||
CONFIG_DEBUG_ATOMIC_SLEEP=y
|
||||
# CONFIG_DEBUG_ATOMIC_SLEEP is not set
|
||||
|
||||
CONFIG_DEBUG_MUTEXES=y
|
||||
CONFIG_DEBUG_RT_MUTEXES=y
|
||||
CONFIG_DEBUG_LOCK_ALLOC=y
|
||||
CONFIG_LOCK_TORTURE_TEST=m
|
||||
CONFIG_PROVE_LOCKING=y
|
||||
CONFIG_DEBUG_SPINLOCK=y
|
||||
CONFIG_PROVE_RCU=y
|
||||
# CONFIG_DEBUG_MUTEXES is not set
|
||||
# CONFIG_DEBUG_RT_MUTEXES is not set
|
||||
# CONFIG_DEBUG_LOCK_ALLOC is not set
|
||||
# CONFIG_LOCK_TORTURE_TEST is not set
|
||||
# CONFIG_PROVE_LOCKING is not set
|
||||
# CONFIG_DEBUG_SPINLOCK is not set
|
||||
# CONFIG_PROVE_RCU is not set
|
||||
# CONFIG_PROVE_RCU_REPEATEDLY is not set
|
||||
CONFIG_DEBUG_PER_CPU_MAPS=y
|
||||
# CONFIG_DEBUG_PER_CPU_MAPS is not set
|
||||
CONFIG_CPUMASK_OFFSTACK=y
|
||||
|
||||
CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
|
||||
# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
|
||||
|
||||
CONFIG_FAULT_INJECTION=y
|
||||
CONFIG_FAILSLAB=y
|
||||
CONFIG_FAIL_PAGE_ALLOC=y
|
||||
CONFIG_FAIL_MAKE_REQUEST=y
|
||||
CONFIG_FAULT_INJECTION_DEBUG_FS=y
|
||||
CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
|
||||
CONFIG_FAIL_IO_TIMEOUT=y
|
||||
CONFIG_FAIL_MMC_REQUEST=y
|
||||
# CONFIG_FAULT_INJECTION is not set
|
||||
# CONFIG_FAILSLAB is not set
|
||||
# CONFIG_FAIL_PAGE_ALLOC is not set
|
||||
# CONFIG_FAIL_MAKE_REQUEST is not set
|
||||
# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
|
||||
# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
|
||||
# CONFIG_FAIL_IO_TIMEOUT is not set
|
||||
# CONFIG_FAIL_MMC_REQUEST is not set
|
||||
|
||||
CONFIG_LOCK_STAT=y
|
||||
# CONFIG_LOCK_STAT is not set
|
||||
|
||||
CONFIG_DEBUG_STACK_USAGE=y
|
||||
# CONFIG_DEBUG_STACK_USAGE is not set
|
||||
|
||||
CONFIG_ACPI_DEBUG=y
|
||||
# CONFIG_ACPI_DEBUG is not set
|
||||
# CONFIG_ACPI_DEBUGGER is not set
|
||||
|
||||
CONFIG_DEBUG_SG=y
|
||||
CONFIG_DEBUG_PI_LIST=y
|
||||
# CONFIG_DEBUG_SG is not set
|
||||
# CONFIG_DEBUG_PI_LIST is not set
|
||||
|
||||
# CONFIG_PAGE_EXTENSION is not set
|
||||
# CONFIG_PAGE_OWNER is not set
|
||||
# CONFIG_DEBUG_PAGEALLOC is not set
|
||||
|
||||
CONFIG_DEBUG_OBJECTS=y
|
||||
# CONFIG_DEBUG_OBJECTS is not set
|
||||
# CONFIG_DEBUG_OBJECTS_SELFTEST is not set
|
||||
CONFIG_DEBUG_OBJECTS_FREE=y
|
||||
CONFIG_DEBUG_OBJECTS_TIMERS=y
|
||||
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
|
||||
# CONFIG_DEBUG_OBJECTS_FREE is not set
|
||||
# CONFIG_DEBUG_OBJECTS_TIMERS is not set
|
||||
# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
|
||||
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
|
||||
|
||||
CONFIG_X86_PTDUMP=y
|
||||
CONFIG_ARM64_PTDUMP=y
|
||||
CONFIG_EFI_PGT_DUMP=y
|
||||
# CONFIG_ARM64_PTDUMP is not set
|
||||
# CONFIG_EFI_PGT_DUMP is not set
|
||||
|
||||
CONFIG_CAN_DEBUG_DEVICES=y
|
||||
# CONFIG_CAN_DEBUG_DEVICES is not set
|
||||
|
||||
CONFIG_MODULE_FORCE_UNLOAD=y
|
||||
# CONFIG_MODULE_FORCE_UNLOAD is not set
|
||||
|
||||
|
||||
CONFIG_DEBUG_NOTIFIERS=y
|
||||
# CONFIG_DEBUG_NOTIFIERS is not set
|
||||
|
||||
CONFIG_DMA_API_DEBUG=y
|
||||
# CONFIG_DMA_API_DEBUG is not set
|
||||
|
||||
CONFIG_MMIOTRACE=y
|
||||
# CONFIG_MMIOTRACE is not set
|
||||
|
||||
CONFIG_DEBUG_CREDENTIALS=y
|
||||
# CONFIG_DEBUG_CREDENTIALS is not set
|
||||
|
||||
# off in both production debug and nodebug builds,
|
||||
# on in rawhide nodebug builds
|
||||
CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
|
||||
# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
|
||||
|
||||
CONFIG_EXT4_DEBUG=y
|
||||
# CONFIG_EXT4_DEBUG is not set
|
||||
|
||||
# CONFIG_XFS_WARN is not set
|
||||
|
||||
CONFIG_DEBUG_PERF_USE_VMALLOC=y
|
||||
# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
|
||||
|
||||
CONFIG_JBD2_DEBUG=y
|
||||
# CONFIG_JBD2_DEBUG is not set
|
||||
|
||||
CONFIG_NFSD_FAULT_INJECTION=y
|
||||
# CONFIG_NFSD_FAULT_INJECTION is not set
|
||||
|
||||
CONFIG_DEBUG_BLK_CGROUP=y
|
||||
# CONFIG_DEBUG_BLK_CGROUP is not set
|
||||
|
||||
CONFIG_DRBD_FAULT_INJECTION=y
|
||||
# CONFIG_DRBD_FAULT_INJECTION is not set
|
||||
|
||||
CONFIG_ATH_DEBUG=y
|
||||
CONFIG_CARL9170_DEBUGFS=y
|
||||
CONFIG_IWLWIFI_DEVICE_TRACING=y
|
||||
# CONFIG_ATH_DEBUG is not set
|
||||
# CONFIG_CARL9170_DEBUGFS is not set
|
||||
# CONFIG_IWLWIFI_DEVICE_TRACING is not set
|
||||
|
||||
# CONFIG_RTLWIFI_DEBUG is not set
|
||||
|
||||
CONFIG_DEBUG_OBJECTS_WORK=y
|
||||
# CONFIG_DEBUG_OBJECTS_WORK is not set
|
||||
|
||||
CONFIG_DMADEVICES_DEBUG=y
|
||||
# CONFIG_DMADEVICES_DEBUG is not set
|
||||
# CONFIG_DMADEVICES_VDEBUG is not set
|
||||
|
||||
CONFIG_PM_ADVANCED_DEBUG=y
|
||||
|
||||
CONFIG_CEPH_LIB_PRETTYDEBUG=y
|
||||
CONFIG_QUOTA_DEBUG=y
|
||||
# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
|
||||
# CONFIG_QUOTA_DEBUG is not set
|
||||
|
||||
|
||||
CONFIG_KGDB_KDB=y
|
||||
@ -104,18 +104,18 @@ CONFIG_KDB_DEFAULT_ENABLE=0x0
|
||||
CONFIG_KDB_KEYBOARD=y
|
||||
CONFIG_KDB_CONTINUE_CATASTROPHIC=0
|
||||
|
||||
CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
|
||||
# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
|
||||
# CONFIG_PERCPU_TEST is not set
|
||||
CONFIG_TEST_LIST_SORT=y
|
||||
# CONFIG_TEST_LIST_SORT is not set
|
||||
# CONFIG_TEST_STRING_HELPERS is not set
|
||||
|
||||
CONFIG_DETECT_HUNG_TASK=y
|
||||
# CONFIG_DETECT_HUNG_TASK is not set
|
||||
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
|
||||
# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
|
||||
|
||||
CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
|
||||
# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
|
||||
|
||||
CONFIG_DEBUG_KMEMLEAK=y
|
||||
# CONFIG_DEBUG_KMEMLEAK is not set
|
||||
CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
|
||||
# CONFIG_DEBUG_KMEMLEAK_TEST is not set
|
||||
CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
|
||||
@ -126,4 +126,4 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
|
||||
|
||||
# CONFIG_SPI_DEBUG is not set
|
||||
|
||||
CONFIG_X86_DEBUG_STATIC_CPU_HAS=y
|
||||
# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
|
||||
|
||||
@ -368,7 +368,7 @@ CONFIG_SP5100_TCO=m
|
||||
|
||||
# CONFIG_MEMTEST is not set
|
||||
# CONFIG_DEBUG_TLBFLUSH is not set
|
||||
CONFIG_MAXSMP=y
|
||||
# CONFIG_MAXSMP is not set
|
||||
|
||||
|
||||
CONFIG_HP_ILO=m
|
||||
|
||||
13
kernel.spec
13
kernel.spec
@ -65,9 +65,9 @@ Summary: The Linux kernel
|
||||
# The next upstream release sublevel (base_sublevel+1)
|
||||
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
|
||||
# The rc snapshot level
|
||||
%define rcrev 6
|
||||
%define rcrev 8
|
||||
# The git snapshot level
|
||||
%define gitrev 1
|
||||
%define gitrev 0
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 4.%{upstream_sublevel}.0
|
||||
%endif
|
||||
@ -122,7 +122,7 @@ Summary: The Linux kernel
|
||||
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
|
||||
# and 0 for rawhide (all kernels are debug kernels).
|
||||
# See also 'make debug' and 'make release'.
|
||||
%define debugbuildsenabled 0
|
||||
%define debugbuildsenabled 1
|
||||
|
||||
# Want to build a vanilla kernel build without any non-upstream patches?
|
||||
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
|
||||
@ -598,9 +598,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
|
||||
#rhbz 1288687
|
||||
Patch572: alua_fix.patch
|
||||
|
||||
#CVE-2015-7550 rhbz 1291197 1291198
|
||||
Patch575: KEYS-Fix-race-between-read-and-revoke.patch
|
||||
|
||||
#rhbz 1275718
|
||||
Patch577: 0001-device-property-always-check-for-fwnode-type.patch
|
||||
Patch578: 0002-device-property-rename-helper-functions.patch
|
||||
@ -2062,6 +2059,10 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Jan 04 2016 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc8.git0.1
|
||||
- Linux v4.4-rc8
|
||||
- Disable debugging options.
|
||||
|
||||
* Sun Dec 27 2015 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Minor ARMv7/aarch64/ppc/s390 config cleanups
|
||||
- Enable rk3368 aarch64 platforms
|
||||
|
||||
Loading…
Reference in New Issue
Block a user