Update to 4.6.5
Drop patches applied upstream. There are some ABI changes still to be resolved.
parent
9da8616b57
commit
e8c1b8e306
|
@ -1,3 +1,212 @@
|
|||
linux (4.6.5-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.5
|
||||
- cfg80211: remove get/set antenna and tx power warnings
|
||||
- mac80211: fix fast_tx header alignment
|
||||
- mac80211: mesh: flush mesh paths unconditionally
|
||||
- mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
|
||||
- mac80211: Fix mesh estab_plinks counting in STA removal case
|
||||
- cfg80211: fix proto in ieee80211_data_to_8023 for frames without LLC
|
||||
header
|
||||
- EDAC: Fix workqueues poll period resetting
|
||||
- [x86] EDAC, sb_edac: Fix rank lookup on Broadwell
|
||||
- futex: Calculate the futex key based on a tail page for file-based futexes
|
||||
- IB/core: Fix bit curruption in ib_device_cap_flags structure
|
||||
- IB/cm: Fix a recently introduced locking bug
|
||||
- IB/rdmavt: Correct qp_priv_alloc() return value test
|
||||
- IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
|
||||
- [powerpc*] iommu: Remove the dependency on EEH struct in DDW mechanism
|
||||
- [powerpc*] pseries: Fix PCI config address for DDW
|
||||
- [powerpc*] pseries: Fix IBM_ARCH_VEC_NRCORES_OFFSET since POWER8NVL was
|
||||
added
|
||||
- USB: EHCI: declare hostpc register as zero-length array
|
||||
- USB: don't free bandwidth_mutex too early
|
||||
- usb: common: otg-fsm: add license to usb-otg-fsm
|
||||
- mnt: fs_fully_visible test the proper mount for MNT_LOCKED
|
||||
- mnt: Account for MS_RDONLY in fs_fully_visible
|
||||
- mnt: If fs_fully_visible fails call put_filesystem.
|
||||
- of: fix autoloading due to broken modalias with no 'compatible'
|
||||
- of: irq: fix of_irq_get[_byname]() kernel-doc
|
||||
- [x86] msr: Use the proper trace point conditional for writes
|
||||
- locking/ww_mutex: Report recursive ww_mutex locking early
|
||||
- locking/qspinlock: Fix spin_unlock_wait() some more
|
||||
- locking/static_key: Fix concurrent static_key_slow_inc()
|
||||
- [x86] kprobes: Clear TF bit in fault on single-stepping
|
||||
- [x86] perf/intel/rapl: Fix pmus free during cleanup
|
||||
- [x86] amd_nb: Fix boot crash on non-AMD systems
|
||||
- [x86] perf: Fix 32-bit perf user callgraph collection
|
||||
- [armhf] extcon: palmas: Fix boot up state of VBUS when using GPIO
|
||||
detection
|
||||
- gpio: make library immune to error pointers
|
||||
- [x86] gpio: sch: Fix Oops on module load on Asus Eee PC 1201
|
||||
- Revert "gpiolib: Split GPIO flags parsing and GPIO configuration"
|
||||
- autofs braino fix for do_last()
|
||||
- rtlwifi: Fix scheduling while atomic error from commit 49f86ec21c01
|
||||
- uvc: Forward compat ioctls to their handlers directly
|
||||
- thermal: cpu_cooling: fix improper order during initialization
|
||||
- writeback: use higher precision calculation in domain_dirty_limits()
|
||||
- sd: Fix rw_max for devices that report an optimal xfer size
|
||||
- nfsd4/rpc: move backchannel create logic into rpc code
|
||||
- nfsd: Always lock state exclusively.
|
||||
- nfsd: Extend the mutex holding region around in nfsd4_process_open2()
|
||||
- pnfs_nfs: fix _cancel_empty_pagelist
|
||||
- NFS: Fix a double page unlock
|
||||
- make nfs_atomic_open() call d_drop() on all ->open_context() errors.
|
||||
- NFS: Fix another OPEN_DOWNGRADE bug
|
||||
- SUNRPC: fix xprt leak on xps allocation failure
|
||||
- rpc: share one xps between all backchannels
|
||||
- [arm64] regulator: qcom_smd: add list_voltage callback
|
||||
- [arm64] regulator: qcom_smd: add regulator ops for pm8941 lnldo
|
||||
- [armhf] imx6ul: Fix Micrel PHY mask
|
||||
- [armel,armhf] 8578/1: mm: ensure pmd_present only checks the valid bit
|
||||
- [armel,armhf] 8579/1: mm: Fix definition of pmd_mknotpresent
|
||||
- [armhf] dts: sun6i: yones-toptech-bs1078-v2: Drop constraints on dc1sw
|
||||
regulator
|
||||
- [armhf] dts: sun6i: primo81: Drop constraints on dc1sw regulator
|
||||
- mm: Export migrate_page_move_mapping and migrate_page_copy
|
||||
- UBIFS: Implement ->migratepage()
|
||||
- sched/fair: Fix cfs_rq avg tracking underflow
|
||||
- packet: Use symmetric hash for PACKET_FANOUT_HASH.
|
||||
- net_sched: fix mirrored packets checksum
|
||||
- geneve: fix max_mtu setting
|
||||
- cdc_ncm: workaround for EM7455 "silent" data interface
|
||||
- ipv6: Fix mem leak in rt6i_pcpu
|
||||
- [x86] kvm: vmx: check apicv is active before using VT-d posted interrupt
|
||||
- kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
|
||||
- [s390x] KVM: mm: Fix CMMA reset during reboot
|
||||
- [arm*] KVM: Stop leaking vcpu pid references
|
||||
- [x86] KVM: nVMX: VMX instructions: fix segment checks when L1 is in
|
||||
long mode.
|
||||
- HID: elo: kill not flush the work
|
||||
- Revert "HID: multitouch: enable palm rejection if device implements
|
||||
confidence usage"
|
||||
- HID: multitouch: enable palm rejection for Windows Precision Touchpad
|
||||
- tracing: Handle NULL formats in hold_module_trace_bprintk_format()
|
||||
- base: make module_create_drivers_dir race-free
|
||||
- [armhf] iommu/rockchip: Fix zap cache during device attach
|
||||
- [armhf] iommu/arm-smmu: Wire up map_sg for arm-smmu-v3
|
||||
- [x86] iommu/vt-d: Enable QI on all IOMMUs before setting root entry
|
||||
- [x86] iommu/amd: Fix unity mapping initialization race
|
||||
- [x86] drm/mgag200: Black screen fix for G200e rev 4
|
||||
- [armhf] drm/fsl-dcu: use flat regmap cache
|
||||
- ipmi: Remove smi_msg from waiting_rcv_msgs list before
|
||||
handle_one_recv_msg()
|
||||
- [arm64] drm/nouveau/Revert "drm/nouveau/device/pci: set as
|
||||
non-CPU-coherent on ARM64"
|
||||
- [arm64] fix dump_instr when PAN and UAO are in use
|
||||
- [arm64] mm: remove page_mapping check in __sync_icache_dcache
|
||||
- [arm64] kernel: Save and restore UAO and addr_limit on exception entry
|
||||
- vfs: add d_real_inode() helper
|
||||
- af_unix: fix hard linked sockets on overlay
|
||||
- btrfs: account for non-CoW'd blocks in btrfs_abort_transaction
|
||||
- [x86] drm/radeon: fix asic initialization for virtualized environments
|
||||
- [x86] drm/amdgpu/gfx7: fix broken condition check
|
||||
- [x86] drm/amdgpu: fix num_rbs exposed to userspace (v2)
|
||||
- [x86] drm/amdgpu: initialize amdgpu_cgs_acpi_eval_object result value
|
||||
- ubi: Make recover_peb power cut aware
|
||||
- [x86] drm/amdkfd: unbind only existing processes
|
||||
- [x86] drm/amdkfd: destroy dbgmgr in notifier release
|
||||
- drm/dp/mst: Always clear proposed vcpi table for port.
|
||||
- virtio_balloon: fix PFN format for virtio-1
|
||||
- drm/nouveau/bios/disp: fix handling of "match any protocol" entries
|
||||
- drm/nouveau/disp/sor/gf119: both links use the same training register
|
||||
- drm/nouveau/gr/gf100-: update sm error decoding from gk20a nvgpu headers
|
||||
- drm/nouveau/ltc/gm107-: fix typo in the address of NV_PLTCG_LTC0_LTS0_INTR
|
||||
- drm/nouveau/fbcon: fix out-of-bounds memory accesses
|
||||
- drm/nouveau/disp/sor/gm107: training pattern registers are like gm200
|
||||
- drm/nouveau: fix for disabled fbdev emulation
|
||||
- drm/nouveau/disp/sor/gf119: select correct sor when poking training
|
||||
pattern
|
||||
- [x86] drm/i915/ilk: Don't disable SSC source if it's in use
|
||||
- [x86] drm/i915/fbc: Disable on HSW by default for now
|
||||
- [x86] drm/i915: Refresh cached DP port register value on resume
|
||||
- [x86] drm/i915: Update ifdeffery for mutex->owner
|
||||
- drm: add missing drm_mode_set_crtcinfo call
|
||||
- drm: make drm_atomic_set_mode_prop_for_crtc() more reliable
|
||||
- drm: Wrap direct calls to driver->gem_free_object from CMA
|
||||
- [x86] drm/amd/powerplay: fix bug that function parameter was incorect.
|
||||
- [x86] drm/amd/powerplay: need to notify system bios pcie device ready
|
||||
- [x86] drm/amd/powerplay: fix logic error.
|
||||
- [x86] drm/amd/powerplay: incorrectly use of the function return value
|
||||
- [x86] drm/amd/powerplay: fix incorrect voltage table value for tonga
|
||||
- drm: atmel-hlcdc: actually disable scaling when no scaling is required
|
||||
- drm/atomic: Make drm_atomic_legacy_backoff reset crtc->acquire_ctx
|
||||
- drm/ttm: Make ttm_bo_mem_compat available
|
||||
- [x86] drm/vmwgfx: Add an option to change assumed FB bpp
|
||||
- [x86] drm/vmwgfx: Work around mode set failure in 2D VMs
|
||||
- [x86] drm/vmwgfx: Check pin count before attempting to move a buffer
|
||||
- [x86] drm/vmwgfx: Delay pinning fbdev framebuffer until after mode set
|
||||
- [x86] drm/vmwgfx: Fix corner case screen target management
|
||||
- [x86] drm/vmwgfx: Fix error paths when mapping framebuffer
|
||||
- [armhf] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
|
||||
- PCI: Fix unaligned accesses in VC code
|
||||
- iio: Fix error handling in iio_trigger_attach_poll_func
|
||||
- iio:st_pressure: fix sampling gains (bring inline with ABI)
|
||||
- iio: light apds9960: Add the missing dev.parent
|
||||
- iio: proximity: as3935: correct IIO_CHAN_INFO_RAW output
|
||||
- iio: proximity: as3935: remove triggered buffer processing
|
||||
- iio: proximity: as3935: fix buffer stack trashing
|
||||
- iio: humidity: hdc100x: correct humidity integration time mask
|
||||
- iio: humidity: hdc100x: fix IIO_TEMP channel reporting
|
||||
- iio: hudmidity: hdc100x: fix incorrect shifting and scaling
|
||||
- staging: iio: accel: fix error check
|
||||
- iio: accel: kxsd9: fix the usage of spi_w8r8()
|
||||
- iio:ad7266: Fix broken regulator error handling
|
||||
- iio:ad7266: Fix support for optional regulators
|
||||
- iio:ad7266: Fix probe deferral for vref
|
||||
- tty: vt: Fix soft lockup in fbcon cursor blink timer.
|
||||
- tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
|
||||
- [x86] hwmon: (dell-smm) Restrict fan control and serial number to
|
||||
CAP_SYS_ADMIN by default
|
||||
- [x86] hwmon: (dell-smm) Disallow fan_type() calls on broken machines
|
||||
- [x86] hwmon: (dell-smm) Cache fan_type() calls and change fan detection
|
||||
- ALSA: dummy: Fix a use-after-free at closing
|
||||
- ALSA: hdac_regmap - fix the register access for runtime PM
|
||||
- [x86] ALSA: hda - Fix the headset mic jack detection on Dell machine
|
||||
- [x86] ALSA: hda / realtek - add two more Thinkpad IDs (5050,5053) for
|
||||
tpt460 fixup
|
||||
- ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
|
||||
- ALSA: echoaudio: Fix memory allocation
|
||||
- ALSA: timer: Fix negative queue usage by racy accesses
|
||||
- [x86] ALSA: hda/realtek: Add Lenovo L460 to docking unit fixup
|
||||
- [x86] ALSA: hda - Add PCI ID for Kabylake-H
|
||||
- ALSA: hda - fix read before array start
|
||||
- ALSA: usb-audio: Fix quirks code is not called
|
||||
- ALSA: hda/realtek - add new pin definition in alc225 pin quirk table
|
||||
- ALSA: pcm: Free chmap at PCM free callback, too
|
||||
- ALSA: ctl: Stop notification after disconnection
|
||||
- ALSA: hda - fix use-after-free after module unload
|
||||
- [x86] ALSA: hda: add AMD Stoney PCI ID with proper driver caps
|
||||
- [armhf] sunxi/dt: make the CHIP inherit from allwinner,sun5i-a13
|
||||
- [armhf] dts: armada-38x: fix MBUS_ID for crypto SRAM on Armada 385 Linksys
|
||||
- [armel,armhf] mvebu: fix HW I/O coherency related deadlocks
|
||||
- ovl: fix dentry leak for default_permissions
|
||||
- ovl: get_write_access() in truncate
|
||||
- ovl: Copy up underlying inode's ->i_mode to overlay inode
|
||||
- ovl: handle ATTR_KILL*
|
||||
- ovl: verify upper dentry in ovl_remove_and_whiteout()
|
||||
- scsi: fix race between simultaneous decrements of ->host_failed
|
||||
- [s390x] fix test_fp_ctl inline assembly contraints
|
||||
- [s390x] Revert "s390/kdump: Clear subchannel ID to signal
|
||||
non-CCW/SCSI IPL"
|
||||
- 53c700: fix BUG on untagged commands
|
||||
- cifs: Fix reconnect to not defer smb3 session reconnect long after socket
|
||||
reconnect
|
||||
- cifs: dynamic allocation of ntlmssp blob
|
||||
- cifs: File names with trailing period or space need special case
|
||||
conversion
|
||||
- [x86] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7
|
||||
- tmpfs: don't undo fallocate past its last page
|
||||
- tmpfs: fix regression hang in fallocate undo
|
||||
- crypto: rsa-pkcs1pad - fix rsa-pkcs1pad request struct
|
||||
- [x86] crypto: qat - make qat_asym_algs.o depend on asn1 headers
|
||||
- [x86] drm/i915: Revert DisplayPort fast link training feature
|
||||
- ovl: Do d_type check only if work dir creation was successful
|
||||
- ovl: warn instead of error if d_type is not supported
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sat, 30 Jul 2016 14:23:58 +0100
|
||||
|
||||
linux (4.6.4-1) unstable; urgency=medium
|
||||
|
||||
* Team upload.
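Review bot: the commit message says ABI changes are still to be resolved, but nothing in the new 4.6.5-1 changelog entry records that, so apart from the UNRELEASED distribution the entry reads as finished; add a line under the stable-update bullet noting the pending ABI work so the entry is not closed out before it is dealt with. The list of 4.6.5 fixes also omits the five changes this commit drops as Debian patches (hiddev num_values validation, apparmor setprocattr buffer size, KEYS uninitialised "edit", nfsd ACL permission checks, percpu map_extend synchronisation), which is consistent with them having already shipped in 4.6.4-1; if that is the convention, fine, otherwise list them so the upstream commits stay traceable from the changelog.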
|
||||
|
|
|
@ -1,44 +0,0 @@
|
|||
From: Scott Bauer <sbauer@plzdonthack.me>
|
||||
Date: Thu, 23 Jun 2016 08:59:47 -0600
|
||||
Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
|
||||
commands
|
||||
Origin: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5
|
||||
|
||||
This patch validates the num_values parameter from userland during the
|
||||
HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
|
||||
to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
|
||||
leading to a heap overflow.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/usbhid/hiddev.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
|
||||
index 2f1ddca..700145b 100644
|
||||
--- a/drivers/hid/usbhid/hiddev.c
|
||||
+++ b/drivers/hid/usbhid/hiddev.c
|
||||
@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
|
||||
goto inval;
|
||||
} else if (uref->usage_index >= field->report_count)
|
||||
goto inval;
|
||||
-
|
||||
- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
|
||||
- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
|
||||
- uref->usage_index + uref_multi->num_values > field->report_count))
|
||||
- goto inval;
|
||||
}
|
||||
|
||||
+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
|
||||
+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
|
||||
+ uref->usage_index + uref_multi->num_values > field->report_count))
|
||||
+ goto inval;
|
||||
+
|
||||
switch (cmd) {
|
||||
case HIDIOCGUSAGE:
|
||||
uref->value = field->value[uref->usage_index];
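Review bot: moving the HIDIOCGUSAGES/HIDIOCSUSAGES bounds check out of the `else if` chain and past the closing `}` is what makes it run on both paths the message describes, including the HID_REPORT_ID_UNKNOWN case that previously skipped it; the condition itself is unchanged, so a one-line comment above the new `if` saying why it must sit outside the block would stop the next reader from "tidying" it back in. Keep the operand order as written: `uref_multi->num_values > HID_MAX_MULTI_USAGES` short-circuits before `uref->usage_index + uref_multi->num_values` is evaluated, and that ordering is what bounds the unsigned addition.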
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -1,115 +0,0 @@
|
|||
From: Vegard Nossum <vegard.nossum@oracle.com>
|
||||
Date: Thu, 7 Jul 2016 13:41:11 -0700
|
||||
Subject: apparmor: fix oops, validate buffer size in apparmor_setprocattr()
|
||||
Origin: https://git.kernel.org/linus/30a46a4647fd1df9cf52e43bf467f0d9265096ca
|
||||
|
||||
When proc_pid_attr_write() was changed to use memdup_user apparmor's
|
||||
(interface violating) assumption that the setprocattr buffer was always
|
||||
a single page was violated.
|
||||
|
||||
The size test is not strictly speaking needed as proc_pid_attr_write()
|
||||
will reject anything larger, but for the sake of robustness we can keep
|
||||
it in.
|
||||
|
||||
SMACK and SELinux look safe to me, but somebody else should probably
|
||||
have a look just in case.
|
||||
|
||||
Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
|
||||
modified for the case that apparmor provides null termination.
|
||||
|
||||
Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
|
||||
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||||
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Cc: John Johansen <john.johansen@canonical.com>
|
||||
Cc: Paul Moore <paul@paul-moore.com>
|
||||
Cc: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Cc: Eric Paris <eparis@parisplace.org>
|
||||
Cc: Casey Schaufler <casey@schaufler-ca.com>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
||||
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
||||
Signed-off-by: James Morris <james.l.morris@oracle.com>
|
||||
---
|
||||
security/apparmor/lsm.c | 36 +++++++++++++++++++-----------------
|
||||
1 file changed, 19 insertions(+), 17 deletions(-)
|
||||
|
||||
--- a/security/apparmor/lsm.c
|
||||
+++ b/security/apparmor/lsm.c
|
||||
@@ -523,34 +523,34 @@ static int apparmor_setprocattr(struct t
|
||||
{
|
||||
struct common_audit_data sa;
|
||||
struct apparmor_audit_data aad = {0,};
|
||||
- char *command, *args = value;
|
||||
+ char *command, *largs = NULL, *args = value;
|
||||
size_t arg_size;
|
||||
int error;
|
||||
|
||||
if (size == 0)
|
||||
return -EINVAL;
|
||||
- /* args points to a PAGE_SIZE buffer, AppArmor requires that
|
||||
- * the buffer must be null terminated or have size <= PAGE_SIZE -1
|
||||
- * so that AppArmor can null terminate them
|
||||
- */
|
||||
- if (args[size - 1] != '\0') {
|
||||
- if (size == PAGE_SIZE)
|
||||
- return -EINVAL;
|
||||
- args[size] = '\0';
|
||||
- }
|
||||
-
|
||||
/* task can only write its own attributes */
|
||||
if (current != task)
|
||||
return -EACCES;
|
||||
|
||||
- args = value;
|
||||
+ /* AppArmor requires that the buffer must be null terminated atm */
|
||||
+ if (args[size - 1] != '\0') {
|
||||
+ /* null terminate */
|
||||
+ largs = args = kmalloc(size + 1, GFP_KERNEL);
|
||||
+ if (!args)
|
||||
+ return -ENOMEM;
|
||||
+ memcpy(args, value, size);
|
||||
+ args[size] = '\0';
|
||||
+ }
|
||||
+
|
||||
+ error = -EINVAL;
|
||||
args = strim(args);
|
||||
command = strsep(&args, " ");
|
||||
if (!args)
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
args = skip_spaces(args);
|
||||
if (!*args)
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
|
||||
arg_size = size - (args - (char *) value);
|
||||
if (strcmp(name, "current") == 0) {
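Review bot: the unchanged context line `arg_size = size - (args - (char *) value);` is wrong whenever the new `largs = args = kmalloc(size + 1, GFP_KERNEL);` branch is taken: `args` then points into the kmalloc'd copy, so subtracting `value` is a difference between two unrelated allocations and arg_size is garbage for every caller that passes a buffer without a trailing NUL; compute it against the buffer actually being parsed, e.g. `arg_size = size - (args - (largs ? largs : (char *) value));`. Separately, the message says the size test is kept "for the sake of robustness", but the hunk deletes `if (size == PAGE_SIZE) return -EINVAL;` without a replacement, leaving the upper bound entirely to proc_pid_attr_write(); either add an explicit bound before the kmalloc(size + 1) or drop that sentence from the message so the two agree.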
|
||||
@@ -576,10 +576,12 @@ static int apparmor_setprocattr(struct t
|
||||
goto fail;
|
||||
} else
|
||||
/* only support the "current" and "exec" process attributes */
|
||||
- return -EINVAL;
|
||||
+ goto fail;
|
||||
|
||||
if (!error)
|
||||
error = size;
|
||||
+out:
|
||||
+ kfree(largs);
|
||||
return error;
|
||||
|
||||
fail:
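Review bot: turning the unsupported-name `return -EINVAL;` into `goto fail;` is needed so `largs` is released, but it also sends that case through the `fail:` block, which emits an AUDIT_APPARMOR_DENIED record (next hunk) where an unknown attribute name previously failed silently. That matches the `goto fail;` already used two lines earlier for an unknown command, so it is probably intended; if the extra audit event is not wanted, `goto out;` would do, since `error` is still -EINVAL at that point and `out:` already does `kfree(largs); return error;`.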
|
||||
@@ -588,9 +590,9 @@ fail:
|
||||
aad.profile = aa_current_profile();
|
||||
aad.op = OP_SETPROCATTR;
|
||||
aad.info = name;
|
||||
- aad.error = -EINVAL;
|
||||
+ aad.error = error = -EINVAL;
|
||||
aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
static int apparmor_task_setrlimit(struct task_struct *task,
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -1,86 +0,0 @@
|
|||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Thu, 16 Jun 2016 15:48:57 +0100
|
||||
Subject: KEYS: potential uninitialized variable
|
||||
Origin: https://git.kernel.org/linus/38327424b40bcebe2de92d07312c89360ac9229a
|
||||
|
||||
If __key_link_begin() failed then "edit" would be uninitialized. I've
|
||||
added a check to fix that.
|
||||
|
||||
This allows a random user to crash the kernel, though it's quite
|
||||
difficult to achieve. There are three ways it can be done as the user
|
||||
would have to cause an error to occur in __key_link():
|
||||
|
||||
(1) Cause the kernel to run out of memory. In practice, this is difficult
|
||||
to achieve without ENOMEM cropping up elsewhere and aborting the
|
||||
attempt.
|
||||
|
||||
(2) Revoke the destination keyring between the keyring ID being looked up
|
||||
and it being tested for revocation. In practice, this is difficult to
|
||||
time correctly because the KEYCTL_REJECT function can only be used
|
||||
from the request-key upcall process. Further, users can only make use
|
||||
of what's in /sbin/request-key.conf, though this does including a
|
||||
rejection debugging test - which means that the destination keyring
|
||||
has to be the caller's session keyring in practice.
|
||||
|
||||
(3) Have just enough key quota available to create a key, a new session
|
||||
keyring for the upcall and a link in the session keyring, but not then
|
||||
sufficient quota to create a link in the nominated destination keyring
|
||||
so that it fails with EDQUOT.
|
||||
|
||||
The bug can be triggered using option (3) above using something like the
|
||||
following:
|
||||
|
||||
echo 80 >/proc/sys/kernel/keys/root_maxbytes
|
||||
keyctl request2 user debug:fred negate @t
|
||||
|
||||
The above sets the quota to something much lower (80) to make the bug
|
||||
easier to trigger, but this is dependent on the system. Note also that
|
||||
the name of the keyring created contains a random number that may be
|
||||
between 1 and 10 characters in size, so may throw the test off by
|
||||
changing the amount of quota used.
|
||||
|
||||
Assuming the failure occurs, something like the following will be seen:
|
||||
|
||||
kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
|
||||
------------[ cut here ]------------
|
||||
kernel BUG at ../mm/slab.c:2821!
|
||||
...
|
||||
RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
|
||||
RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092
|
||||
RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
|
||||
RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
|
||||
RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
|
||||
R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
|
||||
R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
|
||||
...
|
||||
Call Trace:
|
||||
kfree+0xde/0x1bc
|
||||
assoc_array_cancel_edit+0x1f/0x36
|
||||
__key_link_end+0x55/0x63
|
||||
key_reject_and_link+0x124/0x155
|
||||
keyctl_reject_key+0xb6/0xe0
|
||||
keyctl_negate_key+0x10/0x12
|
||||
SyS_keyctl+0x9f/0xe7
|
||||
do_syscall_64+0x63/0x13a
|
||||
entry_SYSCALL64_slow_path+0x25/0x25
|
||||
|
||||
Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
cc: stable@vger.kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
security/keys/key.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/security/keys/key.c
|
||||
+++ b/security/keys/key.c
|
||||
@@ -584,7 +584,7 @@ int key_reject_and_link(struct key *key,
|
||||
|
||||
mutex_unlock(&key_construction_mutex);
|
||||
|
||||
- if (keyring)
|
||||
+ if (keyring && link_ret == 0)
|
||||
__key_link_end(keyring, &key->index_key, edit);
|
||||
|
||||
/* wake up anyone waiting for a key to be constructed */
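Review bot: the guard `if (keyring && link_ret == 0)` fixes the case the message describes (__key_link_begin() failed, so `edit` was never initialised and __key_link_end() handed garbage to assoc_array_cancel_edit()), but `link_ret` is assigned outside the visible context; confirm it always holds __key_link_begin()'s result and is not overwritten by a later error, otherwise a successful begin followed by a later failure would skip the __key_link_end() cleanup entirely. Initialising `edit` to NULL at its declaration would make the cancel path harmless even if this condition is ever regressed.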
|
|
@ -1,145 +0,0 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Wed, 22 Jun 2016 19:43:35 +0100
|
||||
Subject: [PATCH] nfsd: check permissions when setting ACLs
|
||||
Origin: http://git.linux-nfs.org/?p=bfields/linux.git;a=commit;h=999653786df6954a31044528ac3f7a5dadca08f4
|
||||
|
||||
Use set_posix_acl, which includes proper permission checks, instead of
|
||||
calling ->set_acl directly. Without this anyone may be able to grant
|
||||
themselves permissions to a file by setting the ACL.
|
||||
|
||||
Lock the inode to make the new checks atomic with respect to set_acl.
|
||||
(Also, nfsd was the only caller of set_acl not locking the inode, so I
|
||||
suspect this may fix other races.)
|
||||
|
||||
This also simplifies the code, and ensures our ACLs are checked by
|
||||
posix_acl_valid.
|
||||
|
||||
The permission checks and the inode locking were lost with commit
|
||||
4ac7249e, which changed nfsd to use the set_acl inode operation directly
|
||||
instead of going through xattr handlers.
|
||||
|
||||
Reported-by: David Sinquin <david@sinquin.eu>
|
||||
[agreunba@redhat.com: use set_posix_acl]
|
||||
Fixes: 4ac7249e
|
||||
Cc: Christoph Hellwig <hch@infradead.org>
|
||||
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
|
||||
---
|
||||
fs/nfsd/nfs2acl.c | 20 ++++++++++----------
|
||||
fs/nfsd/nfs3acl.c | 16 +++++++---------
|
||||
fs/nfsd/nfs4acl.c | 16 ++++++++--------
|
||||
3 files changed, 25 insertions(+), 27 deletions(-)
|
||||
|
||||
--- a/fs/nfsd/nfs2acl.c
|
||||
+++ b/fs/nfsd/nfs2acl.c
|
||||
@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct
|
||||
goto out;
|
||||
|
||||
inode = d_inode(fh->fh_dentry);
|
||||
- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
|
||||
- error = -EOPNOTSUPP;
|
||||
- goto out_errno;
|
||||
- }
|
||||
|
||||
error = fh_want_write(fh);
|
||||
if (error)
|
||||
goto out_errno;
|
||||
|
||||
- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
|
||||
+ fh_lock(fh);
|
||||
+
|
||||
+ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
|
||||
if (error)
|
||||
- goto out_drop_write;
|
||||
- error = inode->i_op->set_acl(inode, argp->acl_default,
|
||||
- ACL_TYPE_DEFAULT);
|
||||
+ goto out_drop_lock;
|
||||
+ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
|
||||
if (error)
|
||||
- goto out_drop_write;
|
||||
+ goto out_drop_lock;
|
||||
+
|
||||
+ fh_unlock(fh);
|
||||
|
||||
fh_drop_write(fh);
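Review bot: dropping the explicit `!IS_POSIXACL(inode) || !inode->i_op->set_acl` test means a filesystem without ACL support now gets whatever set_posix_acl() returns instead of the `error = -EOPNOTSUPP` the old code set itself, so the NFS error clients see depends on set_posix_acl() reporting that case as -EOPNOTSUPP; confirm it does. The unwinding looks right (fh_want_write() then fh_lock(), with `fh_unlock(fh); fh_drop_write(fh);` on the success path and the out_drop_lock label on failure); a short comment that set_posix_acl() must be called with the inode locked would document why fh_lock() was added here.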
|
||||
|
||||
@@ -131,7 +130,8 @@ out:
|
||||
posix_acl_release(argp->acl_access);
|
||||
posix_acl_release(argp->acl_default);
|
||||
return nfserr;
|
||||
-out_drop_write:
|
||||
+out_drop_lock:
|
||||
+ fh_unlock(fh);
|
||||
fh_drop_write(fh);
|
||||
out_errno:
|
||||
nfserr = nfserrno(error);
|
||||
--- a/fs/nfsd/nfs3acl.c
|
||||
+++ b/fs/nfsd/nfs3acl.c
|
||||
@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct s
|
||||
goto out;
|
||||
|
||||
inode = d_inode(fh->fh_dentry);
|
||||
- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
|
||||
- error = -EOPNOTSUPP;
|
||||
- goto out_errno;
|
||||
- }
|
||||
|
||||
error = fh_want_write(fh);
|
||||
if (error)
|
||||
goto out_errno;
|
||||
|
||||
- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
|
||||
+ fh_lock(fh);
|
||||
+
|
||||
+ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
|
||||
if (error)
|
||||
- goto out_drop_write;
|
||||
- error = inode->i_op->set_acl(inode, argp->acl_default,
|
||||
- ACL_TYPE_DEFAULT);
|
||||
+ goto out_drop_lock;
|
||||
+ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
|
||||
|
||||
-out_drop_write:
|
||||
+out_drop_lock:
|
||||
+ fh_unlock(fh);
|
||||
fh_drop_write(fh);
|
||||
out_errno:
|
||||
nfserr = nfserrno(error);
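Review bot: unlike the nfs2acl hunk, the default-ACL call `error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);` here has no `if (error) goto` after it and falls straight into `out_drop_lock:`; that preserves the old behaviour (the previous code fell into out_drop_write the same way, and error still reaches `nfserr = nfserrno(error);`), but the two files now differ in shape for no reason. Either add the matching `if (error) goto out_drop_lock;` for symmetry or leave a comment that the fall-through is deliberate.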
|
||||
--- a/fs/nfsd/nfs4acl.c
|
||||
+++ b/fs/nfsd/nfs4acl.c
|
||||
@@ -770,9 +770,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
|
||||
dentry = fhp->fh_dentry;
|
||||
inode = d_inode(dentry);
|
||||
|
||||
- if (!inode->i_op->set_acl || !IS_POSIXACL(inode))
|
||||
- return nfserr_attrnotsupp;
|
||||
-
|
||||
if (S_ISDIR(inode->i_mode))
|
||||
flags = NFS4_ACL_DIR;
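Review bot: removing `return nfserr_attrnotsupp;` changes the NFSv4 error reported for filesystems without POSIX ACL support: the failure now comes from set_posix_acl() in the next hunk and reaches the client through the `out_nfserr:` conversion, so it becomes whatever that errno mapping yields rather than NFS4ERR_ATTRNOTSUPP. If clients rely on ATTRNOTSUPP to learn that the ACL attribute is unsupported on SETATTR, keep an explicit `if (!IS_POSIXACL(inode)) return nfserr_attrnotsupp;` ahead of the locked section (the `i_op->set_acl` half of the old test is covered by set_posix_acl() and need not be repeated).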
|
||||
|
||||
@@ -782,16 +779,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
|
||||
if (host_error < 0)
|
||||
goto out_nfserr;
|
||||
|
||||
- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS);
|
||||
+ fh_lock(fhp);
|
||||
+
|
||||
+ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl);
|
||||
if (host_error < 0)
|
||||
- goto out_release;
|
||||
+ goto out_drop_lock;
|
||||
|
||||
if (S_ISDIR(inode->i_mode)) {
|
||||
- host_error = inode->i_op->set_acl(inode, dpacl,
|
||||
- ACL_TYPE_DEFAULT);
|
||||
+ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl);
|
||||
}
|
||||
|
||||
-out_release:
|
||||
+out_drop_lock:
|
||||
+ fh_unlock(fhp);
|
||||
+
|
||||
posix_acl_release(pacl);
|
||||
posix_acl_release(dpacl);
|
||||
out_nfserr:
|
|
@ -1,153 +0,0 @@
|
|||
From: Tejun Heo <tj@kernel.org>
|
||||
Date: Wed, 25 May 2016 11:48:25 -0400
|
||||
Subject: percpu: fix synchronization between chunk->map_extend_work and chunk
|
||||
destruction
|
||||
Origin: https://git.kernel.org/linus/4f996e234dad488e5d9ba0858bc1bae12eff82c3
|
||||
|
||||
Atomic allocations can trigger async map extensions which is serviced
|
||||
by chunk->map_extend_work. pcpu_balance_work which is responsible for
|
||||
destroying idle chunks wasn't synchronizing properly against
|
||||
chunk->map_extend_work and may end up freeing the chunk while the work
|
||||
item is still in flight.
|
||||
|
||||
This patch fixes the bug by rolling async map extension operations
|
||||
into pcpu_balance_work.
|
||||
|
||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
||||
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
|
||||
Reported-by: Vlastimil Babka <vbabka@suse.cz>
|
||||
Reported-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
Cc: stable@vger.kernel.org # v3.18+
|
||||
Fixes: 9c824b6a172c ("percpu: make sure chunk->map array has available space")
|
||||
---
|
||||
mm/percpu.c | 57 ++++++++++++++++++++++++++++++++++++---------------------
|
||||
1 file changed, 36 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/mm/percpu.c b/mm/percpu.c
|
||||
index 0c59684f1ff2..b1d2a3844792 100644
|
||||
--- a/mm/percpu.c
|
||||
+++ b/mm/percpu.c
|
||||
@@ -112,7 +112,7 @@ struct pcpu_chunk {
|
||||
int map_used; /* # of map entries used before the sentry */
|
||||
int map_alloc; /* # of map entries allocated */
|
||||
int *map; /* allocation map */
|
||||
- struct work_struct map_extend_work;/* async ->map[] extension */
|
||||
+ struct list_head map_extend_list;/* on pcpu_map_extend_chunks */
|
||||
|
||||
void *data; /* chunk data */
|
||||
int first_free; /* no free below this */
|
||||
@@ -166,6 +166,9 @@ static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop */
|
||||
|
||||
static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */
|
||||
|
||||
+/* chunks which need their map areas extended, protected by pcpu_lock */
|
||||
+static LIST_HEAD(pcpu_map_extend_chunks);
|
||||
+
|
||||
/*
|
||||
* The number of empty populated pages, protected by pcpu_lock. The
|
||||
* reserved chunk doesn't contribute to the count.
|
||||
@@ -395,13 +398,19 @@ static int pcpu_need_to_extend(struct pcpu_chunk *chunk, bool is_atomic)
|
||||
{
|
||||
int margin, new_alloc;
|
||||
|
||||
+ lockdep_assert_held(&pcpu_lock);
|
||||
+
|
||||
if (is_atomic) {
|
||||
margin = 3;
|
||||
|
||||
if (chunk->map_alloc <
|
||||
- chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW &&
|
||||
- pcpu_async_enabled)
|
||||
- schedule_work(&chunk->map_extend_work);
|
||||
+ chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW) {
|
||||
+ if (list_empty(&chunk->map_extend_list)) {
|
||||
+ list_add_tail(&chunk->map_extend_list,
|
||||
+ &pcpu_map_extend_chunks);
|
||||
+ pcpu_schedule_balance_work();
|
||||
+ }
|
||||
+ }
|
||||
} else {
|
||||
margin = PCPU_ATOMIC_MAP_MARGIN_HIGH;
|
||||
}
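Review bot: the removed `pcpu_async_enabled` test no longer gates the atomic path, so `pcpu_schedule_balance_work()` is now called whenever the map runs short, including before workqueues are usable during early boot; that is only safe if pcpu_schedule_balance_work() checks pcpu_async_enabled itself, which is not shown here, so confirm it or keep the `&& pcpu_async_enabled` guard around the list_add_tail() as well, since a chunk queued on pcpu_map_extend_chunks while async work is disabled simply sits there until the first balance run. The new `lockdep_assert_held(&pcpu_lock)` is the right addition given the list is documented as protected by pcpu_lock.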
|
||||
@@ -467,20 +476,6 @@ out_unlock:
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static void pcpu_map_extend_workfn(struct work_struct *work)
|
||||
-{
|
||||
- struct pcpu_chunk *chunk = container_of(work, struct pcpu_chunk,
|
||||
- map_extend_work);
|
||||
- int new_alloc;
|
||||
-
|
||||
- spin_lock_irq(&pcpu_lock);
|
||||
- new_alloc = pcpu_need_to_extend(chunk, false);
|
||||
- spin_unlock_irq(&pcpu_lock);
|
||||
-
|
||||
- if (new_alloc)
|
||||
- pcpu_extend_area_map(chunk, new_alloc);
|
||||
-}
|
||||
-
|
||||
/**
|
||||
* pcpu_fit_in_area - try to fit the requested allocation in a candidate area
|
||||
* @chunk: chunk the candidate area belongs to
|
||||
@@ -740,7 +735,7 @@ static struct pcpu_chunk *pcpu_alloc_chunk(void)
|
||||
chunk->map_used = 1;
|
||||
|
||||
INIT_LIST_HEAD(&chunk->list);
|
||||
- INIT_WORK(&chunk->map_extend_work, pcpu_map_extend_workfn);
|
||||
+ INIT_LIST_HEAD(&chunk->map_extend_list);
|
||||
chunk->free_size = pcpu_unit_size;
|
||||
chunk->contig_hint = pcpu_unit_size;

@@ -1129,6 +1124,7 @@ static void pcpu_balance_workfn(struct work_struct *work)
if (chunk == list_first_entry(free_head, struct pcpu_chunk, list))
continue;

+ list_del_init(&chunk->map_extend_list);
list_move(&chunk->list, &to_free);
}
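Review bot: list_del_init(&chunk->map_extend_list) is only correct if this loop runs with pcpu_lock held, because pcpu_need_to_extend() adds to pcpu_map_extend_chunks under that lock; the lock is outside the visible context, so confirm the to_free scan sits inside the spin_lock_irq(&pcpu_lock) section. Using list_del_init() rather than list_del() is the right choice here, since the chunk may still be probed with list_empty() before it is actually destroyed.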

@@ -1146,6 +1142,25 @@ static void pcpu_balance_workfn(struct work_struct *work)
pcpu_destroy_chunk(chunk);
}

+ /* service chunks which requested async area map extension */
+ do {
+ int new_alloc = 0;
+
+ spin_lock_irq(&pcpu_lock);
+
+ chunk = list_first_entry_or_null(&pcpu_map_extend_chunks,
+ struct pcpu_chunk, map_extend_list);
+ if (chunk) {
+ list_del_init(&chunk->map_extend_list);
+ new_alloc = pcpu_need_to_extend(chunk, false);
+ }
+
+ spin_unlock_irq(&pcpu_lock);
+
+ if (new_alloc)
+ pcpu_extend_area_map(chunk, new_alloc);
+ } while (chunk);
+
/*
* Ensure there are certain number of free populated pages for
* atomic allocs. Fill up from the most packed so that atomic
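Review bot: pcpu_extend_area_map() is called after spin_unlock_irq(&pcpu_lock), so nothing in this loop pins the chunk while its map is grown; that is sound only because this function is the one that destroys chunks and the to_free pass (with its list_del_init()) runs before this loop, which makes the ordering of the two passes load-bearing and worth a comment. Resetting new_alloc to 0 on each iteration is correct: a chunk whose need has gone away by the time pcpu_need_to_extend() re-checks it is simply dropped from the list.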
@@ -1644,7 +1659,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai,
*/
schunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0);
INIT_LIST_HEAD(&schunk->list);
- INIT_WORK(&schunk->map_extend_work, pcpu_map_extend_workfn);
+ INIT_LIST_HEAD(&schunk->map_extend_list);
schunk->base_addr = base_addr;
schunk->map = smap;
schunk->map_alloc = ARRAY_SIZE(smap);
@@ -1673,7 +1688,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai,
if (dyn_size) {
dchunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0);
INIT_LIST_HEAD(&dchunk->list);
- INIT_WORK(&dchunk->map_extend_work, pcpu_map_extend_workfn);
+ INIT_LIST_HEAD(&dchunk->map_extend_list);
dchunk->base_addr = base_addr;
dchunk->map = dmap;
dchunk->map_alloc = ARRAY_SIZE(dmap);
@ -1,104 +0,0 @@
From: Tejun Heo <tj@kernel.org>
Date: Wed, 25 May 2016 11:48:25 -0400
Subject: percpu: fix synchronization between synchronous map extension and
chunk destruction
Origin: https://git.kernel.org/linus/6710e594f71ccaad8101bc64321152af7cd9ea28

For non-atomic allocations, pcpu_alloc() can try to extend the area
map synchronously after dropping pcpu_lock; however, the extension
wasn't synchronized against chunk destruction and the chunk might get
freed while extension is in progress.

This patch fixes the bug by putting most of non-atomic allocations
under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
is responsible for async chunk management including destruction.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
---
mm/percpu.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/mm/percpu.c b/mm/percpu.c
index b1d2a3844792..9903830aaebb 100644
--- a/mm/percpu.c
+++ b/mm/percpu.c
@@ -162,7 +162,7 @@ static struct pcpu_chunk *pcpu_reserved_chunk;
static int pcpu_reserved_chunk_limit;

static DEFINE_SPINLOCK(pcpu_lock); /* all internal data structures */
-static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop */
+static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop, map ext */

static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */

@@ -444,6 +444,8 @@ static int pcpu_extend_area_map(struct pcpu_chunk *chunk, int new_alloc)
size_t old_size = 0, new_size = new_alloc * sizeof(new[0]);
unsigned long flags;

+ lockdep_assert_held(&pcpu_alloc_mutex);
+
new = pcpu_mem_zalloc(new_size);
if (!new)
return -ENOMEM;
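Review bot: lockdep_assert_held(&pcpu_alloc_mutex) now applies to every caller of pcpu_extend_area_map(), including the async service loop that the preceding patch added to pcpu_balance_workfn(), so that worker must hold pcpu_alloc_mutex around the extension (not visible in this diff); without it the assertion fires under lockdep, and without the mutex the synchronisation this patch adds would not cover the async path at all.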
@@ -890,6 +892,9 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved,
return NULL;
}

+ if (!is_atomic)
+ mutex_lock(&pcpu_alloc_mutex);
+
spin_lock_irqsave(&pcpu_lock, flags);

/* serve reserved allocations from the reserved chunk if available */
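Review bot: taking pcpu_alloc_mutex before spin_lock_irqsave(&pcpu_lock) fixes the lock order as mutex then spinlock for the whole non-atomic allocation, which is the order the balance worker must follow too; every exit from pcpu_alloc() on the !is_atomic path now has to release the mutex, and this diff only shows the fail: branch doing so (last hunk), so the successful return path needs checking as well, since a missed unlock would deadlock the next non-atomic pcpu_alloc() and pcpu_balance_work.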
@@ -962,12 +967,9 @@ restart:
if (is_atomic)
goto fail;

- mutex_lock(&pcpu_alloc_mutex);
-
if (list_empty(&pcpu_slot[pcpu_nr_slots - 1])) {
chunk = pcpu_create_chunk();
if (!chunk) {
- mutex_unlock(&pcpu_alloc_mutex);
err = "failed to allocate new chunk";
goto fail;
}
@@ -978,7 +980,6 @@ restart:
spin_lock_irqsave(&pcpu_lock, flags);
}

- mutex_unlock(&pcpu_alloc_mutex);
goto restart;

area_found:
@@ -988,8 +989,6 @@ area_found:
if (!is_atomic) {
int page_start, page_end, rs, re;

- mutex_lock(&pcpu_alloc_mutex);
-
page_start = PFN_DOWN(off);
page_end = PFN_UP(off + size);

@@ -1000,7 +999,6 @@ area_found:

spin_lock_irqsave(&pcpu_lock, flags);
if (ret) {
- mutex_unlock(&pcpu_alloc_mutex);
pcpu_free_area(chunk, off, &occ_pages);
err = "failed to populate";
goto fail_unlock;
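Review bot: dropping the mutex_unlock() before `goto fail_unlock` is correct only if fail_unlock falls through to the else branch added at fail: in the next hunk; the fail_unlock label itself is outside this diff, so confirm it does not return early with the mutex still held.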
@@ -1040,6 +1038,8 @@ fail:
/* see the flag handling in pcpu_blance_workfn() */
pcpu_atomic_alloc_failed = true;
pcpu_schedule_balance_work();
+ } else {
+ mutex_unlock(&pcpu_alloc_mutex);
}
return NULL;
}
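Review bot: the else branch pairs with the `if (!is_atomic) mutex_lock(&pcpu_alloc_mutex)` added at the top of pcpu_alloc(), keeping the atomic path mutex-free, which is the property the is_atomic test above relies on; as a drive-by, `pcpu_blance_workfn()` in the context comment is a typo for pcpu_balance_workfn() and could be fixed while these lines are being touched.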
@ -1,82 +0,0 @@
From: Andreas Gruenbacher <agruenba@redhat.com>
Date: Wed, 22 Jun 2016 23:57:25 +0200
Subject: [PATCH] posix_acl: Add set_posix_acl
Origin: http://git.linux-nfs.org/?p=bfields/linux.git;a=commit;h=485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f

Factor out part of posix_acl_xattr_set into a common function that takes
a posix_acl, which nfsd can also call.

The prototype already exists in include/linux/posix_acl.h.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Cc: stable@vger.kernel.org
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
[bwh: Backported to 4.6: posix_acl_xattr_set() parameters are different]
---
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -786,39 +786,43 @@ posix_acl_xattr_get(const struct xattr_h
return error;
}

-static int
-posix_acl_xattr_set(const struct xattr_handler *handler,
- struct dentry *dentry, const char *name,
- const void *value, size_t size, int flags)
+int
+set_posix_acl(struct inode *inode, int type, struct posix_acl *acl)
{
- struct inode *inode = d_backing_inode(dentry);
- struct posix_acl *acl = NULL;
- int ret;
-
if (!IS_POSIXACL(inode))
return -EOPNOTSUPP;
if (!inode->i_op->set_acl)
return -EOPNOTSUPP;

- if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
- return value ? -EACCES : 0;
+ if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
+ return acl ? -EACCES : 0;
if (!inode_owner_or_capable(inode))
return -EPERM;

+ if (acl) {
+ int ret = posix_acl_valid(acl);
+ if (ret)
+ return ret;
+ }
+ return inode->i_op->set_acl(inode, acl, type);
+}
+EXPORT_SYMBOL(set_posix_acl);
+
+static int
+posix_acl_xattr_set(const struct xattr_handler *handler,
+ struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags)
+{
+ struct inode *inode = d_backing_inode(dentry);
+ struct posix_acl *acl = NULL;
+ int ret;
+
if (value) {
acl = posix_acl_from_xattr(&init_user_ns, value, size);
if (IS_ERR(acl))
return PTR_ERR(acl);
-
- if (acl) {
- ret = posix_acl_valid(acl);
- if (ret)
- goto out;
- }
}
-
- ret = inode->i_op->set_acl(inode, acl, handler->flags);
-out:
+ ret = set_posix_acl(inode, handler->flags, acl);
posix_acl_release(acl);
return ret;
}
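Review bot: `return acl ? -EACCES : 0` is not quite the old `return value ? -EACCES : 0`: if posix_acl_from_xattr() can return NULL for a present but empty xattr, setting a default ACL on a non-directory now succeeds silently where it used to fail with -EACCES, a small behaviour change the commit message does not mention and which the backport should either preserve deliberately or call out. Also, set_posix_acl() becomes an exported symbol without any kernel-doc; it should state that the caller keeps its reference on acl (posix_acl_xattr_set() still calls posix_acl_release() afterwards) and that the inode_owner_or_capable() and posix_acl_valid() checks happen inside it, since those checks are the reason nfsd wants to call this helper rather than ->set_acl directly.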
@ -1,106 +0,0 @@
From: Cyril Bur <cyrilbur@gmail.com>
Date: Fri, 17 Jun 2016 14:58:34 +1000
Subject: powerpc/tm: Always reclaim in start_thread() for exec() class
syscalls
Origin: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit?id=8e96a87c5431c256feb65bcfc5aec92d9f7839b6

Userspace can quite legitimately perform an exec() syscall with a
suspended transaction. exec() does not return to the old process, rather
it loads a new one and starts that; the expectation therefore is that the
new process starts not in a transaction. Currently exec() is not treated
any differently to any other syscall which creates problems.

Firstly it could allow a new process to start with a suspended
transaction for a binary that no longer exists. This means that the
checkpointed state won't be valid and if the suspended transaction were
ever to be resumed and subsequently aborted (a possibility which is
exceedingly likely as exec()ing will likely doom the transaction) the
new process will jump to invalid state.

Secondly the incorrect attempt to keep the transactional state while
still zeroing state for the new process creates at least two TM Bad
Things. The first triggers on the rfid to return to userspace as
start_thread() has given the new process a 'clean' MSR but the suspend
will still be set in the hardware MSR. The second TM Bad Thing triggers
in __switch_to() as the processor is still transactionally suspended but
__switch_to() wants to zero the TM sprs for the new process.

This is an example of the outcome of calling exec() with a suspended
transaction. Note the first 700 is likely the first TM bad thing
described earlier, only the kernel can't report it as we've loaded
userspace registers. c000000000009980 is the rfid in
fast_exception_return()

Bad kernel stack pointer 3fffcfa1a370 at c000000000009980
Oops: Bad kernel stack pointer, sig: 6 [#1]
CPU: 0 PID: 2006 Comm: tm-execed Not tainted
NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000
REGS: c00000003ffefd40 TRAP: 0700 Not tainted
MSR: 8000000300201031 <SF,ME,IR,DR,LE,TM[SE]> CR: 00000000 XER: 00000000
CFAR: c0000000000098b4 SOFTE: 0
PACATMSCRATCH: b00000010000d033
GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000
NIP [c000000000009980] fast_exception_return+0xb0/0xb8
LR [0000000000000000] (null)
Call Trace:
Instruction dump:
f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070
e8410080 e8610088 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed023b

Kernel BUG at c000000000043e80 [verbose debug info unavailable]
Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033)
Oops: Unrecoverable exception, sig: 6 [#2]
CPU: 0 PID: 2006 Comm: tm-execed Tainted: G D
task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000
NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000
REGS: c00000003ffef7e0 TRAP: 0700 Tainted: G D
MSR: 8000000300201033 <SF,ME,IR,DR,RI,LE,TM[SE]> CR: 28002828 XER: 00000000
CFAR: c000000000015a20 SOFTE: 0
PACATMSCRATCH: b00000010000d033
GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000
GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000
GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004
GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000
GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000
GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80
NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c
LR [c000000000015a24] __switch_to+0x1f4/0x420
Call Trace:
Instruction dump:
7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8
4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020

This fixes CVE-2016-5828.

Fixes: bc2a9408fa65 ("powerpc: Hook in new transactional memory code")
Cc: stable@vger.kernel.org # v3.9+
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/process.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1503,6 +1503,16 @@ void start_thread(struct pt_regs *regs,
current->thread.regs = regs - 1;
}

+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ /*
+ * Clear any transactional state, we're exec()ing. The cause is
+ * not important as there will never be a recheckpoint so it's not
+ * user visible.
+ */
+ if (MSR_TM_SUSPENDED(mfmsr()))
+ tm_reclaim_current(0);
+#endif
+
memset(regs->gpr, 0, sizeof(regs->gpr));
regs->ctr = 0;
regs->link = 0;
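Review bot: the check reads the live MSR through mfmsr() rather than regs->msr, which is the right choice here because start_thread() is about to overwrite regs and the fault described above is the hardware still being transactionally suspended at the rfid; the `#ifdef CONFIG_PPC_TRANSACTIONAL_MEM` is required since MSR_TM_SUSPENDED() and tm_reclaim_current() only exist in that configuration. Placing the reclaim before the memset() of regs->gpr keeps the register zeroing for the new process after the transactional state has been cleared, so that ordering should stay as is.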
@ -107,14 +107,6 @@ bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
bugfix/all/keys-potential-uninitialized-variable.patch
bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch
bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch
bugfix/all/posix_acl-add-set_posix_acl.patch
bugfix/all/nfsd-check-permissions-when-setting-acls.patch
bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch

# ABI maintenance
debian/mips-siginfo-fix-abi-change-in-4.6.2.patch
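Review bot: the header says 8 of these 14 lines are deleted, but the rendered hunk has lost its -/+ markers, so the removed series entries cannot be told apart from context here; the patch files deleted above account for percpu-fix-synchronization-between-chunk-map_extend_, percpu-fix-synchronization-between-synchronous-map-e, posix_acl-add-set_posix_acl and powerpc-tm-always-reclaim-in-start_thread-for-exec-c, and each remaining removal should be verified against the 4.6.5 ChangeLog before the series is regenerated, since dropping a patch upstream did not take silently reopens the fix (the powerpc/tm one is CVE-2016-5828 per its commit message).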