Linux v4.4-rc4-48-gaa53685
parent
89f514b41b
commit
b880337ff2
@ -1,92 +0,0 @@
|
|||||||
From befa45e320edbded63b6900c4ba63df7a8db445c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tejun Heo <tj@kernel.org>
|
|
||||||
Date: Mon, 23 Nov 2015 14:55:41 -0500
|
|
||||||
Subject: [PATCH] cgroup: make css_set pin its css's to avoid use-afer-free
|
|
||||||
|
|
||||||
A css_set represents the relationship between a set of tasks and
|
|
||||||
css's. css_set never pinned the associated css's. This was okay
|
|
||||||
because tasks used to always disassociate immediately (in RCU sense) -
|
|
||||||
either a task is moved to a different css_set or exits and never
|
|
||||||
accesses css_set again.
|
|
||||||
|
|
||||||
Unfortunately, afcf6c8b7544 ("cgroup: add cgroup_subsys->free() method
|
|
||||||
and use it to fix pids controller") and patches leading up to it made
|
|
||||||
a zombie hold onto its css_set and deref the associated css's on its
|
|
||||||
release. Nothing pins the css's after exit and it might have already
|
|
||||||
been freed leading to use-after-free.
|
|
||||||
|
|
||||||
general protection fault: 0000 [#1] PREEMPT SMP
|
|
||||||
task: ffffffff81bf2500 ti: ffffffff81be4000 task.ti: ffffffff81be4000
|
|
||||||
RIP: 0010:[<ffffffff810fa205>] [<ffffffff810fa205>] pids_cancel.constprop.4+0x5/0x40
|
|
||||||
...
|
|
||||||
Call Trace:
|
|
||||||
<IRQ>
|
|
||||||
[<ffffffff810fb02d>] ? pids_free+0x3d/0xa0
|
|
||||||
[<ffffffff810f8893>] cgroup_free+0x53/0xe0
|
|
||||||
[<ffffffff8104ed62>] __put_task_struct+0x42/0x130
|
|
||||||
[<ffffffff81053557>] delayed_put_task_struct+0x77/0x130
|
|
||||||
[<ffffffff810c6b34>] rcu_process_callbacks+0x2f4/0x820
|
|
||||||
[<ffffffff810c6af3>] ? rcu_process_callbacks+0x2b3/0x820
|
|
||||||
[<ffffffff81056e54>] __do_softirq+0xd4/0x460
|
|
||||||
[<ffffffff81057369>] irq_exit+0x89/0xa0
|
|
||||||
[<ffffffff81876212>] smp_apic_timer_interrupt+0x42/0x50
|
|
||||||
[<ffffffff818747f4>] apic_timer_interrupt+0x84/0x90
|
|
||||||
<EOI>
|
|
||||||
...
|
|
||||||
Code: 5b 5d c3 48 89 df 48 c7 c2 c9 f9 ae 81 48 c7 c6 91 2c ae 81 e8 1d 94 0e 00 31 c0 5b 5d c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <f0> 48 83 87 e0 00 00 00 ff 78 01 c3 80 3d 08 7a c1 00 00 74 02
|
|
||||||
RIP [<ffffffff810fa205>] pids_cancel.constprop.4+0x5/0x40
|
|
||||||
RSP <ffff88001fc03e20>
|
|
||||||
---[ end trace 89a4a4b916b90c49 ]---
|
|
||||||
Kernel panic - not syncing: Fatal exception in interrupt
|
|
||||||
Kernel Offset: disabled
|
|
||||||
---[ end Kernel panic - not syncing: Fatal exception in interrupt
|
|
||||||
|
|
||||||
Fix it by making css_set pin the associate css's until its release.
|
|
||||||
|
|
||||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
|
||||||
Reported-by: Dave Jones <davej@codemonkey.org.uk>
|
|
||||||
Reported-by: Daniel Wagner <daniel.wagner@bmw-carit.de>
|
|
||||||
Link: http://lkml.kernel.org/g/20151120041836.GA18390@codemonkey.org.uk
|
|
||||||
Link: http://lkml.kernel.org/g/5652D448.3080002@bmw-carit.de
|
|
||||||
Fixes: afcf6c8b7544 ("cgroup: add cgroup_subsys->free() method and use it to fix pids controller")
|
|
||||||
---
|
|
||||||
kernel/cgroup.c | 14 ++++++++++----
|
|
||||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
|
|
||||||
index f1603c1..17773d6 100644
|
|
||||||
--- a/kernel/cgroup.c
|
|
||||||
+++ b/kernel/cgroup.c
|
|
||||||
@@ -754,9 +754,11 @@ static void put_css_set_locked(struct css_set *cset)
|
|
||||||
if (!atomic_dec_and_test(&cset->refcount))
|
|
||||||
return;
|
|
||||||
|
|
||||||
- /* This css_set is dead. unlink it and release cgroup refcounts */
|
|
||||||
- for_each_subsys(ss, ssid)
|
|
||||||
+ /* This css_set is dead. unlink it and release cgroup and css refs */
|
|
||||||
+ for_each_subsys(ss, ssid) {
|
|
||||||
list_del(&cset->e_cset_node[ssid]);
|
|
||||||
+ css_put(cset->subsys[ssid]);
|
|
||||||
+ }
|
|
||||||
hash_del(&cset->hlist);
|
|
||||||
css_set_count--;
|
|
||||||
|
|
||||||
@@ -1056,9 +1058,13 @@ static struct css_set *find_css_set(struct css_set *old_cset,
|
|
||||||
key = css_set_hash(cset->subsys);
|
|
||||||
hash_add(css_set_table, &cset->hlist, key);
|
|
||||||
|
|
||||||
- for_each_subsys(ss, ssid)
|
|
||||||
+ for_each_subsys(ss, ssid) {
|
|
||||||
+ struct cgroup_subsys_state *css = cset->subsys[ssid];
|
|
||||||
+
|
|
||||||
list_add_tail(&cset->e_cset_node[ssid],
|
|
||||||
- &cset->subsys[ssid]->cgroup->e_csets[ssid]);
|
|
||||||
+ &css->cgroup->e_csets[ssid]);
|
|
||||||
+ css_get(css);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
spin_unlock_bh(&css_set_lock);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.5.0
|
|
||||||
|
|
2
gitrev
2
gitrev
@ -1 +1 @@
|
|||||||
62ea1ec5e17fe36e2c728bc534f9f78b216dfe83
|
aa53685549a2cfb5f175b0c4a20bc9aa1e5a1b85
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 7877d76b409181af38d307b98d8fed1024f3c9c2 Mon Sep 17 00:00:00 2001
|
From a9488dbeccf188f0bd83b9d5704892f2c0f97fdc Mon Sep 17 00:00:00 2001
|
||||||
From: Roland McGrath <roland@redhat.com>
|
From: Roland McGrath <roland@redhat.com>
|
||||||
Date: Mon, 6 Oct 2008 23:03:03 -0700
|
Date: Mon, 6 Oct 2008 23:03:03 -0700
|
||||||
Subject: [PATCH] kbuild: AFTER_LINK
|
Subject: [PATCH] kbuild: AFTER_LINK
|
||||||
@ -21,10 +21,10 @@ Signed-off-by: Roland McGrath <roland@redhat.com>
|
|||||||
7 files changed, 17 insertions(+), 7 deletions(-)
|
7 files changed, 17 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile
|
diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile
|
||||||
index f6fe17d88da5..eb6ddbf37f30 100644
|
index b467fd0..feeff5e 100644
|
||||||
--- a/arch/arm64/kernel/vdso/Makefile
|
--- a/arch/arm64/kernel/vdso/Makefile
|
||||||
+++ b/arch/arm64/kernel/vdso/Makefile
|
+++ b/arch/arm64/kernel/vdso/Makefile
|
||||||
@@ -52,7 +52,8 @@ $(obj-vdso): %.o: %.S FORCE
|
@@ -55,7 +55,8 @@ $(obj-vdso): %.o: %.S FORCE
|
||||||
|
|
||||||
# Actual build commands
|
# Actual build commands
|
||||||
quiet_cmd_vdsold = VDSOL $@
|
quiet_cmd_vdsold = VDSOL $@
|
||||||
@ -35,7 +35,7 @@ index f6fe17d88da5..eb6ddbf37f30 100644
|
|||||||
cmd_vdsoas = $(CC) $(a_flags) -c -o $@ $<
|
cmd_vdsoas = $(CC) $(a_flags) -c -o $@ $<
|
||||||
|
|
||||||
diff --git a/arch/powerpc/kernel/vdso32/Makefile b/arch/powerpc/kernel/vdso32/Makefile
|
diff --git a/arch/powerpc/kernel/vdso32/Makefile b/arch/powerpc/kernel/vdso32/Makefile
|
||||||
index 53e6c9b979ec..e427844e9bb0 100644
|
index 6abffb7..7b103bb 100644
|
||||||
--- a/arch/powerpc/kernel/vdso32/Makefile
|
--- a/arch/powerpc/kernel/vdso32/Makefile
|
||||||
+++ b/arch/powerpc/kernel/vdso32/Makefile
|
+++ b/arch/powerpc/kernel/vdso32/Makefile
|
||||||
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
|
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
|
||||||
@ -49,7 +49,7 @@ index 53e6c9b979ec..e427844e9bb0 100644
|
|||||||
cmd_vdso32as = $(CROSS32CC) $(a_flags) -c -o $@ $<
|
cmd_vdso32as = $(CROSS32CC) $(a_flags) -c -o $@ $<
|
||||||
|
|
||||||
diff --git a/arch/powerpc/kernel/vdso64/Makefile b/arch/powerpc/kernel/vdso64/Makefile
|
diff --git a/arch/powerpc/kernel/vdso64/Makefile b/arch/powerpc/kernel/vdso64/Makefile
|
||||||
index effca9404b17..713891a92d23 100644
|
index 8c8f2ae..a743ebe 100644
|
||||||
--- a/arch/powerpc/kernel/vdso64/Makefile
|
--- a/arch/powerpc/kernel/vdso64/Makefile
|
||||||
+++ b/arch/powerpc/kernel/vdso64/Makefile
|
+++ b/arch/powerpc/kernel/vdso64/Makefile
|
||||||
@@ -36,7 +36,8 @@ $(obj-vdso64): %.o: %.S
|
@@ -36,7 +36,8 @@ $(obj-vdso64): %.o: %.S
|
||||||
@ -63,7 +63,7 @@ index effca9404b17..713891a92d23 100644
|
|||||||
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
|
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
|
||||||
|
|
||||||
diff --git a/arch/s390/kernel/vdso32/Makefile b/arch/s390/kernel/vdso32/Makefile
|
diff --git a/arch/s390/kernel/vdso32/Makefile b/arch/s390/kernel/vdso32/Makefile
|
||||||
index ee8a18e50a25..63e33fa049f8 100644
|
index ee8a18e..63e33fa 100644
|
||||||
--- a/arch/s390/kernel/vdso32/Makefile
|
--- a/arch/s390/kernel/vdso32/Makefile
|
||||||
+++ b/arch/s390/kernel/vdso32/Makefile
|
+++ b/arch/s390/kernel/vdso32/Makefile
|
||||||
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
|
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
|
||||||
@ -77,7 +77,7 @@ index ee8a18e50a25..63e33fa049f8 100644
|
|||||||
cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $<
|
cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $<
|
||||||
|
|
||||||
diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile
|
diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile
|
||||||
index c4b03f9ed228..550450fc2f95 100644
|
index c4b03f9..550450f 100644
|
||||||
--- a/arch/s390/kernel/vdso64/Makefile
|
--- a/arch/s390/kernel/vdso64/Makefile
|
||||||
+++ b/arch/s390/kernel/vdso64/Makefile
|
+++ b/arch/s390/kernel/vdso64/Makefile
|
||||||
@@ -43,7 +43,8 @@ $(obj-vdso64): %.o: %.S
|
@@ -43,7 +43,8 @@ $(obj-vdso64): %.o: %.S
|
||||||
@ -91,10 +91,10 @@ index c4b03f9ed228..550450fc2f95 100644
|
|||||||
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
|
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
|
||||||
|
|
||||||
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
|
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
|
||||||
index a3d0767a6b29..078c9be1db8f 100644
|
index 265c0ed..fd90c7d 100644
|
||||||
--- a/arch/x86/entry/vdso/Makefile
|
--- a/arch/x86/entry/vdso/Makefile
|
||||||
+++ b/arch/x86/entry/vdso/Makefile
|
+++ b/arch/x86/entry/vdso/Makefile
|
||||||
@@ -172,8 +172,9 @@ $(vdso32-images:%=$(obj)/%.dbg): $(obj)/vdso32-%.so.dbg: FORCE \
|
@@ -159,8 +159,9 @@ $(obj)/vdso32.so.dbg: FORCE \
|
||||||
quiet_cmd_vdso = VDSO $@
|
quiet_cmd_vdso = VDSO $@
|
||||||
cmd_vdso = $(CC) -nostdlib -o $@ \
|
cmd_vdso = $(CC) -nostdlib -o $@ \
|
||||||
$(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
|
$(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
|
||||||
@ -107,11 +107,11 @@ index a3d0767a6b29..078c9be1db8f 100644
|
|||||||
VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \
|
VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \
|
||||||
$(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
|
$(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
|
||||||
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
|
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
|
||||||
index 1a10d8ac8162..092d0c0cf72c 100755
|
index dacf71a..72cbefd 100755
|
||||||
--- a/scripts/link-vmlinux.sh
|
--- a/scripts/link-vmlinux.sh
|
||||||
+++ b/scripts/link-vmlinux.sh
|
+++ b/scripts/link-vmlinux.sh
|
||||||
@@ -65,6 +65,10 @@ vmlinux_link()
|
@@ -65,6 +65,10 @@ vmlinux_link()
|
||||||
-lutil ${1}
|
-lutil -lrt ${1}
|
||||||
rm -f linux
|
rm -f linux
|
||||||
fi
|
fi
|
||||||
+ if [ -n "${AFTER_LINK}" ]; then
|
+ if [ -n "${AFTER_LINK}" ]; then
|
||||||
@ -122,5 +122,5 @@ index 1a10d8ac8162..092d0c0cf72c 100755
|
|||||||
|
|
||||||
|
|
||||||
--
|
--
|
||||||
2.4.3
|
2.5.0
|
||||||
|
|
||||||
|
@ -67,7 +67,7 @@ Summary: The Linux kernel
|
|||||||
# The rc snapshot level
|
# The rc snapshot level
|
||||||
%define rcrev 4
|
%define rcrev 4
|
||||||
# The git snapshot level
|
# The git snapshot level
|
||||||
%define gitrev 1
|
%define gitrev 2
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
%define rpmversion 4.%{upstream_sublevel}.0
|
%define rpmversion 4.%{upstream_sublevel}.0
|
||||||
%endif
|
%endif
|
||||||
@ -582,9 +582,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
|
|||||||
|
|
||||||
Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
|
Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
|
||||||
|
|
||||||
#rhbz 1282706
|
|
||||||
Patch512: 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
|
|
||||||
|
|
||||||
#CVE-2015-7833 rhbz 1270158 1270160
|
#CVE-2015-7833 rhbz 1270158 1270160
|
||||||
Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch
|
Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch
|
||||||
|
|
||||||
@ -2037,6 +2034,9 @@ fi
|
|||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 09 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc4.git2.1
|
||||||
|
- Linux v4.4-rc4-48-gaa53685
|
||||||
|
|
||||||
* Tue Dec 08 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc4.git1.1
|
* Tue Dec 08 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc4.git1.1
|
||||||
- Linux v4.4-rc4-16-g62ea1ec
|
- Linux v4.4-rc4-16-g62ea1ec
|
||||||
- Reenable debugging options.
|
- Reenable debugging options.
|
||||||
|
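Review bot: The new changelog entry for 4.4.0-0.rc4.git2.1 records only the snapshot bump, while the `@ -582,9 +582,6 @@` hunk drops `Patch512` (the css_set use-after-free fix tracked as rhbz 1282706) and the patch file itself is deleted in the same commit. Presumably the fix is already contained in v4.4-rc4-48-gaa53685, but nothing in the spec says so, which leaves no trail for anyone auditing whether this build still carries the fix. I would add a changelog line such as `- Drop cgroup css_set use-after-free patch, included in this snapshot (rhbz 1282706)` once that has been confirmed against the upstream tree.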