[kernel] r22605 - in dists/trunk/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Mon May 11 03:29:09 UTC 2015


Author: benh
Date: Mon May 11 03:29:09 2015
New Revision: 22605

Log:
mnt: Add missing pieces of fix for CVE-2014-9717

Added:
   dists/trunk/linux/debian/patches/bugfix/all/fs_pin-allow-for-the-possibility-that-m_list-or-s_li.patch
   dists/trunk/linux/debian/patches/bugfix/all/mnt-fail-collect_mounts-when-applied-to-unmounted-mo.patch
Modified:
   dists/trunk/linux/debian/changelog
   dists/trunk/linux/debian/patches/series

Modified: dists/trunk/linux/debian/changelog
==============================================================================
--- dists/trunk/linux/debian/changelog	Mon May 11 03:25:31 2015	(r22604)
+++ dists/trunk/linux/debian/changelog	Mon May 11 03:29:09 2015	(r22605)
@@ -147,6 +147,9 @@
   * [x86] nfc: Enable NFC_HCI, NFC_MEI_PHY, NFC_PN544, NFC_PN544_MEI as
     modules (Closes: #770323)
   * Set ABI to 1
+  * mnt: Add missing pieces of fix for CVE-2014-9717:
+    - mnt: Fail collect_mounts when applied to unmounted mounts
+    - fs_pin: Allow for the possibility that m_list or s_list go unused.
 
   [ Ian Campbell ]
   * [armhf] Enable support for Freescale SNVS RTC. (Closes: #782364)
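Review bot: The new entry calls these the "missing pieces" of the CVE-2014-9717 fix but does not say which earlier upload or patch carried the first part, so a reader of the changelog cannot tell what the complete fix consists of. Naming that earlier change in the top-level item would help. The two sub-items are also punctuated inconsistently: only the fs_pin line ends with a full stop.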
@@ -155,7 +158,7 @@
     udeb. Patches from both Vagrant Cascadian and Wookey. (Closes: #783275)
   * [arm*] Install DTBS using dtbs_install target. (Closes: #784761)
 
- -- Ben Hutchings <ben at decadent.org.uk>  Sun, 10 May 2015 21:08:37 +0100
+ -- Ben Hutchings <ben at decadent.org.uk>  Mon, 11 May 2015 04:29:06 +0100
 
 linux (4.0-1~exp1) experimental; urgency=medium
 

Added: dists/trunk/linux/debian/patches/bugfix/all/fs_pin-allow-for-the-possibility-that-m_list-or-s_li.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/fs_pin-allow-for-the-possibility-that-m_list-or-s_li.patch	Mon May 11 03:29:09 2015	(r22605)
@@ -0,0 +1,51 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Thu, 2 Apr 2015 16:35:48 -0500
+Subject: fs_pin: Allow for the possibility that m_list or s_list go unused.
+Origin: https://git.kernel.org/linus/820f9f147dcce2602eefd9b575bbbd9ea14f0953
+
+This is needed to support lazily umounting locked mounts.  Because the
+entire unmounted subtree needs to stay together until there are no
+users with references to any part of the subtree.
+
+To support this guarantee that the fs_pin m_list and s_list nodes
+are initialized by initializing them in init_fs_pin allowing
+for the possibility that pin_insert_group does not touch them.
+
+Further use hlist_del_init in pin_remove so that there is
+a hlist_unhashed test before the list we attempt to update
+the previous list item.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+---
+ fs/fs_pin.c            | 4 ++--
+ include/linux/fs_pin.h | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/fs_pin.c b/fs/fs_pin.c
+index b06c987..611b540 100644
+--- a/fs/fs_pin.c
++++ b/fs/fs_pin.c
+@@ -9,8 +9,8 @@ static DEFINE_SPINLOCK(pin_lock);
+ void pin_remove(struct fs_pin *pin)
+ {
+ 	spin_lock(&pin_lock);
+-	hlist_del(&pin->m_list);
+-	hlist_del(&pin->s_list);
++	hlist_del_init(&pin->m_list);
++	hlist_del_init(&pin->s_list);
+ 	spin_unlock(&pin_lock);
+ 	spin_lock_irq(&pin->wait.lock);
+ 	pin->done = 1;
+diff --git a/include/linux/fs_pin.h b/include/linux/fs_pin.h
+index 9dc4e03..3886b3b 100644
+--- a/include/linux/fs_pin.h
++++ b/include/linux/fs_pin.h
+@@ -13,6 +13,8 @@ struct vfsmount;
+ static inline void init_fs_pin(struct fs_pin *p, void (*kill)(struct fs_pin *))
+ {
+ 	init_waitqueue_head(&p->wait);
++	INIT_HLIST_NODE(&p->s_list);
++	INIT_HLIST_NODE(&p->m_list);
+ 	p->kill = kill;
+ }
+ 
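Review bot: In pin_remove(), replacing hlist_del() with hlist_del_init() makes removal of a never-inserted or already-removed node a silent no-op, so the pointer poisoning that made a second pin_remove() fault loudly is gone. That matches what the commit message asks for, but it now relies on every fs_pin passing through init_fs_pin() before pin_remove() can run. A short comment on init_fs_pin() stating that m_list and s_list may legitimately stay unhashed would record that assumption. The patch header also has no reference to CVE-2014-9717; only the changelog entry ties this file to it.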

Added: dists/trunk/linux/debian/patches/bugfix/all/mnt-fail-collect_mounts-when-applied-to-unmounted-mo.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/mnt-fail-collect_mounts-when-applied-to-unmounted-mo.patch	Mon May 11 03:29:09 2015	(r22605)
@@ -0,0 +1,44 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Wed, 7 Jan 2015 14:28:26 -0600
+Subject: mnt: Fail collect_mounts when applied to unmounted mounts
+Origin: https://git.kernel.org/linus/cd4a40174b71acd021877341684d8bb1dc8ea4ae
+
+The only users of collect_mounts are in audit_tree.c
+
+In audit_trim_trees and audit_add_tree_rule the path passed into
+collect_mounts is generated from kern_path passed an audit_tree
+pathname which is guaranteed to be an absolute path.   In those cases
+collect_mounts is obviously intended to work on mounted paths and
+if a race results in paths that are unmounted when collect_mounts
+it is reasonable to fail early.
+
+The paths passed into audit_tag_tree don't have the absolute path
+check.  But are used to play with fsnotify and otherwise interact with
+the audit_trees, so again operating only on mounted paths appears
+reasonable.
+
+Avoid having to worry about what happens when we try and audit
+unmounted filesystems by restricting collect_mounts to mounts
+that appear in the mount tree.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+---
+ fs/namespace.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1709,8 +1709,11 @@ struct vfsmount *collect_mounts(struct p
+ {
+ 	struct mount *tree;
+ 	namespace_lock();
+-	tree = copy_tree(real_mount(path->mnt), path->dentry,
+-			 CL_COPY_ALL | CL_PRIVATE);
++	if (!check_mnt(real_mount(path->mnt)))
++		tree = ERR_PTR(-EINVAL);
++	else
++		tree = copy_tree(real_mount(path->mnt), path->dentry,
++				 CL_COPY_ALL | CL_PRIVATE);
+ 	namespace_unlock();
+ 	if (IS_ERR(tree))
+ 		return ERR_CAST(tree);
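Review bot: In collect_mounts(), real_mount(path->mnt) is now evaluated twice, once for check_mnt() and once for copy_tree(); a local such as "struct mount *mnt = real_mount(path->mnt);" would remove the duplication and shorten the wrapped copy_tree() call. The new ERR_PTR(-EINVAL) leaves through the existing IS_ERR(tree) / ERR_CAST(tree) path, so the audit_tree.c callers named in the commit message will see a new error value for a path that was unmounted under them. It is worth confirming that they treat it like any other collect_mounts failure.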

Modified: dists/trunk/linux/debian/patches/series
==============================================================================
--- dists/trunk/linux/debian/patches/series	Mon May 11 03:25:31 2015	(r22604)
+++ dists/trunk/linux/debian/patches/series	Mon May 11 03:29:09 2015	(r22605)
@@ -66,3 +66,5 @@
 features/all/efi-autoload-efi-pstore.patch
 bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch
 bugfix/all/path_openat-fix-double-fput.patch
+bugfix/all/mnt-fail-collect_mounts-when-applied-to-unmounted-mo.patch
+bugfix/all/fs_pin-allow-for-the-possibility-that-m_list-or-s_li.patch


