From b880337ff2f253001a3b45785cc9a9cb6b80a0c9 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Wed, 9 Dec 2015 08:12:01 -0800
Subject: [PATCH] Linux v4.4-rc4-48-gaa53685
---
...set-pin-its-css-s-to-avoid-use-afer-.patch | 92 -------------------
gitrev | 2 +-
kbuild-AFTER_LINK.patch | 24 ++---
kernel.spec | 8 +-
4 files changed, 17 insertions(+), 109 deletions(-)
delete mode 100644 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
diff --git a/0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch b/0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
deleted file mode 100644
index f6d32220c..000000000
--- a/0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From befa45e320edbded63b6900c4ba63df7a8db445c Mon Sep 17 00:00:00 2001
-From: Tejun Heo
-Date: Mon, 23 Nov 2015 14:55:41 -0500
-Subject: [PATCH] cgroup: make css_set pin its css's to avoid use-afer-free
-
-A css_set represents the relationship between a set of tasks and
-css's. css_set never pinned the associated css's. This was okay
-because tasks used to always disassociate immediately (in RCU sense) -
-either a task is moved to a different css_set or exits and never
-accesses css_set again.
-
-Unfortunately, afcf6c8b7544 ("cgroup: add cgroup_subsys->free() method
-and use it to fix pids controller") and patches leading up to it made
-a zombie hold onto its css_set and deref the associated css's on its
-release. Nothing pins the css's after exit and it might have already
-been freed leading to use-after-free.
-
- general protection fault: 0000 [#1] PREEMPT SMP
- task: ffffffff81bf2500 ti: ffffffff81be4000 task.ti: ffffffff81be4000
- RIP: 0010:[] [] pids_cancel.constprop.4+0x5/0x40
- ...
- Call Trace:
-
- [] ? pids_free+0x3d/0xa0
- [] cgroup_free+0x53/0xe0
- [] __put_task_struct+0x42/0x130
- [] delayed_put_task_struct+0x77/0x130
- [] rcu_process_callbacks+0x2f4/0x820
- [] ? rcu_process_callbacks+0x2b3/0x820
- [] __do_softirq+0xd4/0x460
- [] irq_exit+0x89/0xa0
- [] smp_apic_timer_interrupt+0x42/0x50
- [] apic_timer_interrupt+0x84/0x90
-
- ...
- Code: 5b 5d c3 48 89 df 48 c7 c2 c9 f9 ae 81 48 c7 c6 91 2c ae 81 e8 1d 94 0e 00 31 c0 5b 5d c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 83 87 e0 00 00 00 ff 78 01 c3 80 3d 08 7a c1 00 00 74 02
- RIP [] pids_cancel.constprop.4+0x5/0x40
- RSP
- ---[ end trace 89a4a4b916b90c49 ]---
- Kernel panic - not syncing: Fatal exception in interrupt
- Kernel Offset: disabled
- ---[ end Kernel panic - not syncing: Fatal exception in interrupt
-
-Fix it by making css_set pin the associate css's until its release.
-
-Signed-off-by: Tejun Heo
-Reported-by: Dave Jones
-Reported-by: Daniel Wagner
-Link: http://lkml.kernel.org/g/20151120041836.GA18390@codemonkey.org.uk
-Link: http://lkml.kernel.org/g/5652D448.3080002@bmw-carit.de
-Fixes: afcf6c8b7544 ("cgroup: add cgroup_subsys->free() method and use it to fix pids controller")
----
- kernel/cgroup.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index f1603c1..17773d6 100644
---- a/kernel/cgroup.c
-+++ b/kernel/cgroup.c
-@@ -754,9 +754,11 @@ static void put_css_set_locked(struct css_set *cset)
- if (!atomic_dec_and_test(&cset->refcount))
- return;
-
-- /* This css_set is dead. unlink it and release cgroup refcounts */
-- for_each_subsys(ss, ssid)
-+ /* This css_set is dead. unlink it and release cgroup and css refs */
-+ for_each_subsys(ss, ssid) {
- list_del(&cset->e_cset_node[ssid]);
-+ css_put(cset->subsys[ssid]);
-+ }
- hash_del(&cset->hlist);
- css_set_count--;
-
-@@ -1056,9 +1058,13 @@ static struct css_set *find_css_set(struct css_set *old_cset,
- key = css_set_hash(cset->subsys);
- hash_add(css_set_table, &cset->hlist, key);
-
-- for_each_subsys(ss, ssid)
-+ for_each_subsys(ss, ssid) {
-+ struct cgroup_subsys_state *css = cset->subsys[ssid];
-+
- list_add_tail(&cset->e_cset_node[ssid],
-- &cset->subsys[ssid]->cgroup->e_csets[ssid]);
-+ &css->cgroup->e_csets[ssid]);
-+ css_get(css);
-+ }
-
- spin_unlock_bh(&css_set_lock);
-
---
-2.5.0
-
diff --git a/gitrev b/gitrev
index 1be57f253..e85ae3e49 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-62ea1ec5e17fe36e2c728bc534f9f78b216dfe83
+aa53685549a2cfb5f175b0c4a20bc9aa1e5a1b85
diff --git a/kbuild-AFTER_LINK.patch b/kbuild-AFTER_LINK.patch
index 7a18fd241..805b6eef8 100644
--- a/kbuild-AFTER_LINK.patch
+++ b/kbuild-AFTER_LINK.patch
@@ -1,4 +1,4 @@
-From 7877d76b409181af38d307b98d8fed1024f3c9c2 Mon Sep 17 00:00:00 2001
+From a9488dbeccf188f0bd83b9d5704892f2c0f97fdc Mon Sep 17 00:00:00 2001
From: Roland McGrath
Date: Mon, 6 Oct 2008 23:03:03 -0700
Subject: [PATCH] kbuild: AFTER_LINK
@@ -21,10 +21,10 @@ Signed-off-by: Roland McGrath
7 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile
-index f6fe17d88da5..eb6ddbf37f30 100644
+index b467fd0..feeff5e 100644
--- a/arch/arm64/kernel/vdso/Makefile
+++ b/arch/arm64/kernel/vdso/Makefile
-@@ -52,7 +52,8 @@ $(obj-vdso): %.o: %.S FORCE
+@@ -55,7 +55,8 @@ $(obj-vdso): %.o: %.S FORCE
# Actual build commands
quiet_cmd_vdsold = VDSOL $@
@@ -35,7 +35,7 @@ index f6fe17d88da5..eb6ddbf37f30 100644
cmd_vdsoas = $(CC) $(a_flags) -c -o $@ $<
diff --git a/arch/powerpc/kernel/vdso32/Makefile b/arch/powerpc/kernel/vdso32/Makefile
-index 53e6c9b979ec..e427844e9bb0 100644
+index 6abffb7..7b103bb 100644
--- a/arch/powerpc/kernel/vdso32/Makefile
+++ b/arch/powerpc/kernel/vdso32/Makefile
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
@@ -49,7 +49,7 @@ index 53e6c9b979ec..e427844e9bb0 100644
cmd_vdso32as = $(CROSS32CC) $(a_flags) -c -o $@ $<
diff --git a/arch/powerpc/kernel/vdso64/Makefile b/arch/powerpc/kernel/vdso64/Makefile
-index effca9404b17..713891a92d23 100644
+index 8c8f2ae..a743ebe 100644
--- a/arch/powerpc/kernel/vdso64/Makefile
+++ b/arch/powerpc/kernel/vdso64/Makefile
@@ -36,7 +36,8 @@ $(obj-vdso64): %.o: %.S
@@ -63,7 +63,7 @@ index effca9404b17..713891a92d23 100644
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
diff --git a/arch/s390/kernel/vdso32/Makefile b/arch/s390/kernel/vdso32/Makefile
-index ee8a18e50a25..63e33fa049f8 100644
+index ee8a18e..63e33fa 100644
--- a/arch/s390/kernel/vdso32/Makefile
+++ b/arch/s390/kernel/vdso32/Makefile
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
@@ -77,7 +77,7 @@ index ee8a18e50a25..63e33fa049f8 100644
cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $<
diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile
-index c4b03f9ed228..550450fc2f95 100644
+index c4b03f9..550450f 100644
--- a/arch/s390/kernel/vdso64/Makefile
+++ b/arch/s390/kernel/vdso64/Makefile
@@ -43,7 +43,8 @@ $(obj-vdso64): %.o: %.S
@@ -91,10 +91,10 @@ index c4b03f9ed228..550450fc2f95 100644
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
-index a3d0767a6b29..078c9be1db8f 100644
+index 265c0ed..fd90c7d 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
-@@ -172,8 +172,9 @@ $(vdso32-images:%=$(obj)/%.dbg): $(obj)/vdso32-%.so.dbg: FORCE \
+@@ -159,8 +159,9 @@ $(obj)/vdso32.so.dbg: FORCE \
quiet_cmd_vdso = VDSO $@
cmd_vdso = $(CC) -nostdlib -o $@ \
$(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
@@ -107,11 +107,11 @@ index a3d0767a6b29..078c9be1db8f 100644
VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \
$(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
-index 1a10d8ac8162..092d0c0cf72c 100755
+index dacf71a..72cbefd 100755
--- a/scripts/link-vmlinux.sh
+++ b/scripts/link-vmlinux.sh
@@ -65,6 +65,10 @@ vmlinux_link()
- -lutil ${1}
+ -lutil -lrt ${1}
rm -f linux
fi
+ if [ -n "${AFTER_LINK}" ]; then
@@ -122,5 +122,5 @@ index 1a10d8ac8162..092d0c0cf72c 100755
--
-2.4.3
+2.5.0
diff --git a/kernel.spec b/kernel.spec
index f0b6fc175..1c68f51f5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -67,7 +67,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 4
# The git snapshot level
-%define gitrev 1
+%define gitrev 2
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@@ -582,9 +582,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
-#rhbz 1282706
-Patch512: 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
-
#CVE-2015-7833 rhbz 1270158 1270160
Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch
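Review bot: The refreshed inner hunk header `+@@ -159,8 +159,9 @@ $(obj)/vdso32.so.dbg: FORCE \` and the new context line `-lutil -lrt ${1}` in the link-vmlinux.sh part show that the build targets kbuild-AFTER_LINK.patch hooks into moved upstream, yet neither the commit subject nor the changelog entry records that this patch was rebased. `${AFTER_LINK}` is a command taken from the build environment and run after the vmlinux link (the `if [ -n "${AFTER_LINK}" ]; then` block continues outside this hunk) and, judging from the vdso Makefile context lines, after each vDSO link, so a silent context refresh of it is exactly the change an audit of what the build executes needs to be able to find. I would add a changelog line such as `- Rebase kbuild-AFTER_LINK.patch (x86 vdso32 target and link-vmlinux.sh context changed upstream)`. Whether the hook still fires for the consolidated vdso32.so.dbg target cannot be confirmed from this hunk alone and is worth checking in the build log.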
@@ -2037,6 +2034,9 @@ fi
#
#
%changelog
+* Wed Dec 09 2015 Laura Abbott - 4.4.0-0.rc4.git2.1
+- Linux v4.4-rc4-48-gaa53685
+
* Tue Dec 08 2015 Laura Abbott - 4.4.0-0.rc4.git1.1
- Linux v4.4-rc4-16-g62ea1ec
- Reenable debugging options.