[linux] 01/01: Rename patches for crash issue when attempting to garbage collect an uninstantiated keyring
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Tue Oct 20 12:08:09 UTC 2015
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 4a5cabce55d3b647df1935ef3a00e30ca1594bd1
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Tue Oct 20 14:04:29 2015 +0200
Rename patches for crash issue when attempting to garbage collect an uninstantiated keyring
---
...ash-when-attempt-to-garbage-collect-an-un.patch | 77 ---------------------
...permit-request_key-to-construct-a-new-key.patch | 33 ---------
...permit-request_key-to-construct-a-new-key.patch | 37 ++++++++++
...ash-when-attempt-to-garbage-collect-an-un.patch | 79 ++++++++++++++++++++++
...e-between-key-destruction-and-finding-a-.patch} | 0
debian/patches/series | 6 +-
6 files changed, 119 insertions(+), 113 deletions(-)
diff --git a/debian/patches/bugfix/all/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch b/debian/patches/bugfix/all/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
deleted file mode 100644
index d2850c9..0000000
--- a/debian/patches/bugfix/all/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Thu, 15 Oct 2015 17:21:37 +0100
-Subject: KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
-Origin: http://pkgs.fedoraproject.org/cgit/kernel.git/plain/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch?id=d76d5fe34b5c151ad83761160998b1075729b541
-
- The following sequence of commands:
-
- i=`keyctl add user a a @s`
- keyctl request2 keyring foo bar @t
- keyctl unlink $i @s
-
- tries to invoke an upcall to instantiate a keyring if one doesn't already
- exist by that name within the user's keyring set. However, if the upcall
- fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
- other error code. When the key is garbage collected, the key destroy
- function is called unconditionally and keyring_destroy() uses list_empty()
- on keyring->type_data.link - which is in a union with reject_error.
- Subsequently, the kernel tries to unlink the keyring from the keyring names
- list - which oopses like this:
-
- BUG: unable to handle kernel paging request at 00000000ffffff8a
- IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
- ...
- Workqueue: events key_garbage_collector
- ...
- RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
- RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
- RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
- RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
- RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
- R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
- R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
- ...
- CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
- ...
- Call Trace:
- [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
- [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
- [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
- [<ffffffff8105fd17>] worker_thread+0x26e/0x361
- [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
- [<ffffffff810648ad>] kthread+0xf3/0xfb
- [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
- [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
- [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
-
- Note the value in RAX. This is a 32-bit representation of -ENOKEY.
-
- The solution is to only call ->destroy() if the key was successfully
- instantiated.
-
- Reported-by: Dmitry Vyukov <dvyukov at google.com>
- Signed-off-by: David Howells <dhowells at redhat.com>
----
- security/keys/gc.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/security/keys/gc.c b/security/keys/gc.c
-index 39eac1fd5706..addf060399e0 100644
---- a/security/keys/gc.c
-+++ b/security/keys/gc.c
-@@ -134,8 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
- kdebug("- %u", key->serial);
- key_check(key);
-
-- /* Throw away the key data */
-- if (key->type->destroy)
-+ /* Throw away the key data if the key is instantiated */
-+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
-+ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
-+ key->type->destroy)
- key->type->destroy(key);
-
- security_key_free(key);
---
-2.4.3
-
diff --git a/debian/patches/bugfix/all/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch b/debian/patches/bugfix/all/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
deleted file mode 100644
index 7ad72d5..0000000
--- a/debian/patches/bugfix/all/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Mon, 19 Oct 2015 11:33:38 +0100
-Subject: KEYS: Don't permit request_key() to construct a new keyring
-Origin: http://pkgs.fedoraproject.org/cgit/kernel.git/plain/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch?id=d76d5fe34b5c151ad83761160998b1075729b541
-
- If request_key() is used to find a keyring, only do the search part - don't
- do the construction part if the keyring was not found by the search. We
- don't really want keyrings in the negative instantiated state since the
- rejected/negative instantiation error value in the payload is unioned with
- keyring metadata.
-
- Signed-off-by: David Howells <dhowells at redhat.com>
----
- security/keys/request_key.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/security/keys/request_key.c b/security/keys/request_key.c
-index 486ef6fa393b..0d6253124278 100644
---- a/security/keys/request_key.c
-+++ b/security/keys/request_key.c
-@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
-
- kenter("");
-
-+ if (ctx->index_key.type == &key_type_keyring)
-+ return ERR_PTR(-EPERM);
-+
- user = key_user_lookup(current_fsuid());
- if (!user)
- return ERR_PTR(-ENOMEM);
---
-2.4.3
-
diff --git a/debian/patches/bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch b/debian/patches/bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
new file mode 100644
index 0000000..e2859ca
--- /dev/null
+++ b/debian/patches/bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
@@ -0,0 +1,37 @@
+From: David Howells <dhowells at redhat.com>
+Date: Mon, 19 Oct 2015 11:20:28 +0100
+Subject: KEYS: Don't permit request_key() to construct a new keyring
+Origin: https://git.kernel.org/linus/911b79cde95c7da0ec02f48105358a36636b7a71
+
+If request_key() is used to find a keyring, only do the search part - don't
+do the construction part if the keyring was not found by the search. We
+don't really want keyrings in the negative instantiated state since the
+rejected/negative instantiation error value in the payload is unioned with
+keyring metadata.
+
+Now the kernel gives an error:
+
+ request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted)
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ security/keys/request_key.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 486ef6f..0d62531 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
+
+ kenter("");
+
++ if (ctx->index_key.type == &key_type_keyring)
++ return ERR_PTR(-EPERM);
++
+ user = key_user_lookup(current_fsuid());
+ if (!user)
+ return ERR_PTR(-ENOMEM);
+--
+2.6.1
+
diff --git a/debian/patches/bugfix/all/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch b/debian/patches/bugfix/all/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
new file mode 100644
index 0000000..4369a05
--- /dev/null
+++ b/debian/patches/bugfix/all/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
@@ -0,0 +1,79 @@
+From: David Howells <dhowells at redhat.com>
+Date: Thu, 15 Oct 2015 17:21:37 +0100
+Subject: KEYS: Fix crash when attempt to garbage collect an uninstantiated
+ keyring
+Origin: https://git.kernel.org/linus/f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61
+
+The following sequence of commands:
+
+ i=`keyctl add user a a @s`
+ keyctl request2 keyring foo bar @t
+ keyctl unlink $i @s
+
+tries to invoke an upcall to instantiate a keyring if one doesn't already
+exist by that name within the user's keyring set. However, if the upcall
+fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
+other error code. When the key is garbage collected, the key destroy
+function is called unconditionally and keyring_destroy() uses list_empty()
+on keyring->type_data.link - which is in a union with reject_error.
+Subsequently, the kernel tries to unlink the keyring from the keyring names
+list - which oopses like this:
+
+ BUG: unable to handle kernel paging request at 00000000ffffff8a
+ IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
+ ...
+ Workqueue: events key_garbage_collector
+ ...
+ RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
+ RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
+ RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
+ RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
+ R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
+ R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
+ ...
+ CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
+ ...
+ Call Trace:
+ [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
+ [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
+ [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
+ [<ffffffff8105fd17>] worker_thread+0x26e/0x361
+ [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
+ [<ffffffff810648ad>] kthread+0xf3/0xfb
+ [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
+ [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
+ [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
+
+Note the value in RAX. This is a 32-bit representation of -ENOKEY.
+
+The solution is to only call ->destroy() if the key was successfully
+instantiated.
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Tested-by: Dmitry Vyukov <dvyukov at google.com>
+---
+ security/keys/gc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index 39eac1f..addf060 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -134,8 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
+ kdebug("- %u", key->serial);
+ key_check(key);
+
+- /* Throw away the key data */
+- if (key->type->destroy)
++ /* Throw away the key data if the key is instantiated */
++ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
++ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
++ key->type->destroy)
+ key->type->destroy(key);
+
+ security_key_free(key);
+--
+2.6.1
+
diff --git a/debian/patches/bugfix/all/0001-KEYS-Fix-race-between-key-destruction-and-finding-a-.patch b/debian/patches/bugfix/all/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
similarity index 100%
rename from debian/patches/bugfix/all/0001-KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
rename to debian/patches/bugfix/all/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
diff --git a/debian/patches/series b/debian/patches/series
index fdc565f..2ce2e4b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -108,6 +108,6 @@ bugfix/all/nbd-fix-timeout-detection.patch
bugfix/all/nbd-remove-variable-pid.patch
bugfix/all/nbd-add-locking-for-tasks.patch
-bugfix/all/0001-KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
-bugfix/all/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
-bugfix/all/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
+bugfix/all/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
+bugfix/all/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
+bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list