1. 29 Jul, 2010 6 commits
    • David Howells's avatar
      CRED: Fix get_task_cred() and task_state() to not resurrect dead credentials · de09a977
      David Howells authored
      It's possible for get_task_cred() as it currently stands to 'corrupt' a set of
      credentials by incrementing their usage count after their replacement by the
      task being accessed.
      
      What happens is that get_task_cred() can race with commit_creds():
      
      	TASK_1			TASK_2			RCU_CLEANER
      	-->get_task_cred(TASK_2)
      	rcu_read_lock()
      	__cred = __task_cred(TASK_2)
      				-->commit_creds()
      				old_cred = TASK_2->real_cred
      				TASK_2->real_cred = ...
      				put_cred(old_cred)
      				  call_rcu(old_cred)
      		[__cred->usage == 0]
      	get_cred(__cred)
      		[__cred->usage == 1]
      	rcu_read_unlock()
      							-->put_cred_rcu()
      							[__cred->usage == 1]
      							panic()
      
      However, since a tasks credentials are generally not changed very often, we can
      reasonably make use of a loop involving reading the creds pointer and using
      atomic_inc_not_zero() to attempt to increment it if it hasn't already hit zero.
      
      If successful, we can safely return the credentials in the knowledge that, even
      if the task we're accessing has released them, they haven't gone to the RCU
      cleanup code.
      
      We then change task_state() in procfs to use get_task_cred() rather than
      calling get_cred() on the result of __task_cred(), as that suffers from the
      same problem.
      
      Without this change, a BUG_ON in __put_cred() or in put_cred_rcu() can be
      tripped when it is noticed that the usage count is not zero as it ought to be,
      for example:
      
      kernel BUG at kernel/cred.c:168!
      invalid opcode: 0000 [#1] SMP
      last sysfs file: /sys/kernel/mm/ksm/run
      CPU 0
      Pid: 2436, comm: master Not tainted 2.6.33.3-85.fc13.x86_64 #1 0HR330/OptiPlex
      745
      RIP: 0010:[<ffffffff81069881>]  [<ffffffff81069881>] __put_cred+0xc/0x45
      RSP: 0018:ffff88019e7e9eb8  EFLAGS: 00010202
      RAX: 0000000000000001 RBX: ffff880161514480 RCX: 00000000ffffffff
      RDX: 00000000ffffffff RSI: ffff880140c690c0 RDI: ffff880140c690c0
      RBP: ffff88019e7e9eb8 R08: 00000000000000d0 R09: 0000000000000000
      R10: 0000000000000001 R11: 0000000000000040 R12: ffff880140c690c0
      R13: ffff88019e77aea0 R14: 00007fff336b0a5c R15: 0000000000000001
      FS:  00007f12f50d97c0(0000) GS:ffff880007400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f8f461bc000 CR3: 00000001b26ce000 CR4: 00000000000006f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process master (pid: 2436, threadinfo ffff88019e7e8000, task ffff88019e77aea0)
      Stack:
       ffff88019e7e9ec8 ffffffff810698cd ffff88019e7e9ef8 ffffffff81069b45
      <0> ffff880161514180 ffff880161514480 ffff880161514180 0000000000000000
      <0> ffff88019e7e9f28 ffffffff8106aace 0000000000000001 0000000000000246
      Call Trace:
       [<ffffffff810698cd>] put_cred+0x13/0x15
       [<ffffffff81069b45>] commit_creds+0x16b/0x175
       [<ffffffff8106aace>] set_current_groups+0x47/0x4e
       [<ffffffff8106ac89>] sys_setgroups+0xf6/0x105
       [<ffffffff81009b02>] system_call_fastpath+0x16/0x1b
      Code: 48 8d 71 ff e8 7e 4e 15 00 85 c0 78 0b 8b 75 ec 48 89 df e8 ef 4a 15 00
      48 83 c4 18 5b c9 c3 55 8b 07 8b 07 48 89 e5 85 c0 74 04 <0f> 0b eb fe 65 48 8b
      04 25 00 cc 00 00 48 3b b8 58 04 00 00 75
      RIP  [<ffffffff81069881>] __put_cred+0xc/0x45
       RSP <ffff88019e7e9eb8>
      ---[ end trace df391256a100ebdd ]---
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarJiri Olsa <jolsa@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      de09a977
    • Linus Torvalds's avatar
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6 · 2fa82e1f
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
        [SCSI] ibmvscsi: Fix oops when an interrupt is pending during probe
        [SCSI] zfcp: Update status read mempool
        [SCSI] zfcp: Do not wait for SBALs on stopped queue
        [SCSI] zfcp: Fix check whether unchained ct_els is possible
        [SCSI] ipr: fix resource path display and formatting
      2fa82e1f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6 · 8785eb1e
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6:
        davinci: da850/omap-l138 evm: account for DEFDCDC{2,3} being tied high
        regulator: tps6507x: allow driver to use DEFDCDC{2,3}_HIGH register
        wm8350-regulator: fix wm8350_register_regulator error handling
        ab3100: fix off-by-one value range checking for voltage selector
      8785eb1e
    • Andre Osterhues's avatar
      ecryptfs: Bugfix for error related to ecryptfs_hash_buckets · a6f80fb7
      Andre Osterhues authored
      The function ecryptfs_uid_hash wrongly assumes that the
      second parameter to hash_long() is the number of hash
      buckets instead of the number of hash bits.
      This patch fixes that and renames the variable
      ecryptfs_hash_buckets to ecryptfs_hash_bits to make it
      clearer.
      
      Fixes: CVE-2010-2492
      Signed-off-by: default avatarAndre Osterhues <aosterhues@escrypt.com>
      Signed-off-by: default avatarTyler Hicks <tyhicks@linux.vnet.ibm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a6f80fb7
    • Jason Wessel's avatar
      x86,kgdb: Fix hw breakpoint regression · ba773f7c
      Jason Wessel authored
      HW breakpoints events stopped working correctly with kgdb
      as a result of commit: 018cbffe
      (Merge commit 'v2.6.33' into perf/core).
      
      The regression occurred because the behavior changed for setting
      NOTIFY_STOP as the return value to the die notifier if the breakpoint
      was known to the HW breakpoint API.  Because kgdb is using the HW
      breakpoint API to register HW breakpoints slots, it must also now
      implement the overflow_handler call back else kgdb does not get to see
      the events from the die notifier.
      
      The kgdb_ll_trap function will be changed to be general purpose code
      which can allow an easy way to implement the hw_breakpoint API
      overflow call back.
      Signed-off-by: default avatarJason Wessel <jason.wessel@windriver.com>
      Acked-by: default avatarDongdong Deng <dongdong.deng@windriver.com>
      Acked-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      ba773f7c
  2. 28 Jul, 2010 4 commits
  3. 27 Jul, 2010 14 commits
  4. 26 Jul, 2010 16 commits