1. 05 5月, 2010 13 次提交
    • T
      KEYS: find_keyring_by_name() can gain access to a freed keyring · cea7daa3
      Toshiyuki Okajima 提交于
      find_keyring_by_name() can gain access to a keyring that has had its reference
      count reduced to zero, and is thus ready to be freed.  This then allows the
      dead keyring to be brought back into use whilst it is being destroyed.
      
      The following timeline illustrates the process:
      
      |(cleaner)                           (user)
      |
      | free_user(user)                    sys_keyctl()
      |  |                                  |
      |  key_put(user->session_keyring)     keyctl_get_keyring_ID()
      |  ||	//=> keyring->usage = 0        |
      |  |schedule_work(&key_cleanup_task)   lookup_user_key()
      |  ||                                   |
      |  kmem_cache_free(,user)               |
      |  .                                    |[KEY_SPEC_USER_KEYRING]
      |  .                                    install_user_keyrings()
      |  .                                    ||
      | key_cleanup() [<= worker_thread()]    ||
      |  |                                    ||
      |  [spin_lock(&key_serial_lock)]        |[mutex_lock(&key_user_keyr..mutex)]
      |  |                                    ||
      |  atomic_read() == 0                   ||
      |  |{ rb_ease(&key->serial_node,) }     ||
      |  |                                    ||
      |  [spin_unlock(&key_serial_lock)]      |find_keyring_by_name()
      |  |                                    |||
      |  keyring_destroy(keyring)             ||[read_lock(&keyring_name_lock)]
      |  ||                                   |||
      |  |[write_lock(&keyring_name_lock)]    ||atomic_inc(&keyring->usage)
      |  |.                                   ||| *** GET freeing keyring ***
      |  |.                                   ||[read_unlock(&keyring_name_lock)]
      |  ||                                   ||
      |  |list_del()                          |[mutex_unlock(&key_user_k..mutex)]
      |  ||                                   |
      |  |[write_unlock(&keyring_name_lock)]  ** INVALID keyring is returned **
      |  |                                    .
      |  kmem_cache_free(,keyring)            .
      |                                       .
      |                                       atomic_dec(&keyring->usage)
      v                                         *** DESTROYED ***
      TIME
      
      If CONFIG_SLUB_DEBUG=y then we may see the following message generated:
      
      	=============================================================================
      	BUG key_jar: Poison overwritten
      	-----------------------------------------------------------------------------
      
      	INFO: 0xffff880197a7e200-0xffff880197a7e200. First byte 0x6a instead of 0x6b
      	INFO: Allocated in key_alloc+0x10b/0x35f age=25 cpu=1 pid=5086
      	INFO: Freed in key_cleanup+0xd0/0xd5 age=12 cpu=1 pid=10
      	INFO: Slab 0xffffea000592cb90 objects=16 used=2 fp=0xffff880197a7e200 flags=0x200000000000c3
      	INFO: Object 0xffff880197a7e200 @offset=512 fp=0xffff880197a7e300
      
      	Bytes b4 0xffff880197a7e1f0:  5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
      	  Object 0xffff880197a7e200:  6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk
      
      Alternatively, we may see a system panic happen, such as:
      
      	BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
      	IP: [<ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
      	PGD 6b2b4067 PUD 6a80d067 PMD 0
      	Oops: 0000 [#1] SMP
      	last sysfs file: /sys/kernel/kexec_crash_loaded
      	CPU 1
      	...
      	Pid: 31245, comm: su Not tainted 2.6.34-rc5-nofixed-nodebug #2 D2089/PRIMERGY
      	RIP: 0010:[<ffffffff810e61a3>]  [<ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
      	RSP: 0018:ffff88006af3bd98  EFLAGS: 00010002
      	RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88007d19900b
      	RDX: 0000000100000000 RSI: 00000000000080d0 RDI: ffffffff81828430
      	RBP: ffffffff81828430 R08: ffff88000a293750 R09: 0000000000000000
      	R10: 0000000000000001 R11: 0000000000100000 R12: 00000000000080d0
      	R13: 00000000000080d0 R14: 0000000000000296 R15: ffffffff810f20ce
      	FS:  00007f97116bc700(0000) GS:ffff88000a280000(0000) knlGS:0000000000000000
      	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      	CR2: 0000000000000001 CR3: 000000006a91c000 CR4: 00000000000006e0
      	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      	DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      	Process su (pid: 31245, threadinfo ffff88006af3a000, task ffff8800374414c0)
      	Stack:
      	 0000000512e0958e 0000000000008000 ffff880037f8d180 0000000000000001
      	 0000000000000000 0000000000008001 ffff88007d199000 ffffffff810f20ce
      	 0000000000008000 ffff88006af3be48 0000000000000024 ffffffff810face3
      	Call Trace:
      	 [<ffffffff810f20ce>] ? get_empty_filp+0x70/0x12f
      	 [<ffffffff810face3>] ? do_filp_open+0x145/0x590
      	 [<ffffffff810ce208>] ? tlb_finish_mmu+0x2a/0x33
      	 [<ffffffff810ce43c>] ? unmap_region+0xd3/0xe2
      	 [<ffffffff810e4393>] ? virt_to_head_page+0x9/0x2d
      	 [<ffffffff81103916>] ? alloc_fd+0x69/0x10e
      	 [<ffffffff810ef4ed>] ? do_sys_open+0x56/0xfc
      	 [<ffffffff81008a02>] ? system_call_fastpath+0x16/0x1b
      	Code: 0f 1f 44 00 00 49 89 c6 fa 66 0f 1f 44 00 00 65 4c 8b 04 25 60 e8 00 00 48 8b 45 00 49 01 c0 49 8b 18 48 85 db 74 0d 48 63 45 18 <48> 8b 04 03 49 89 00 eb 14 4c 89 f9 83 ca ff 44 89 e6 48 89 ef
      	RIP  [<ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
      
      This problem is that find_keyring_by_name does not confirm that the keyring is
      valid before accepting it.
      
      Skipping keyrings that have been reduced to a zero count seems the way to go.
      To this end, use atomic_inc_not_zero() to increment the usage count and skip
      the candidate keyring if that returns false.
      
      The following script _may_ cause the bug to happen, but there's no guarantee
      as the window of opportunity is small:
      
      	#!/bin/sh
      	LOOP=100000
      	USER=dummy_user
      	/bin/su -c "exit;" $USER || { /usr/sbin/adduser -m $USER; add=1; }
      	for ((i=0; i<LOOP; i++))
      	do
      		/bin/su -c "echo '$i' > /dev/null" $USER
      	done
      	(( add == 1 )) && /usr/sbin/userdel -r $USER
      	exit
      
      Note that the nominated user must not be in use.
      
      An alternative way of testing this may be:
      
      	for ((i=0; i<100000; i++))
      	do
      		keyctl session foo /bin/true || break
      	done >&/dev/null
      
      as that uses a keyring named "foo" rather than relying on the user and
      user-session named keyrings.
      Reported-by: NToshiyuki Okajima <toshi.okajima@jp.fujitsu.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Tested-by: NToshiyuki Okajima <toshi.okajima@jp.fujitsu.com>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      cea7daa3
    • L
      Merge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 · 7ebd4675
      Linus Torvalds 提交于
      * 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
        drm/radeon/kms/legacy: only enable load detection property on DVI-I
        drm/radeon/kms: fix panel scaling adjusted mode setup
        drivers/gpu/drm/drm_sysfs.c: sysfs files error handling
        drivers/gpu/drm/radeon/radeon_atombios.c: range check issues
        gpu: vga_switcheroo, fix lock imbalance
        drivers/gpu/drm/drm_memory.c: fix check for end of loop
        drivers/gpu/drm/via/via_video.c: fix off by one issue
        drm/radeon/kms/agp The wrong AGP chipset can cause a NULL pointer dereference
        drm/radeon/kms: r300 fix CS checker to allow zbuffer-only fastfill
      7ebd4675
    • L
      Merge branch 'x86-fixes-for-linus' of... · d7526f27
      Linus Torvalds 提交于
      Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/x86/linux-2.6-tip
      
      * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/x86/linux-2.6-tip:
        powernow-k8: Fix frequency reporting
        x86: Fix parse_reservetop() build failure on certain configs
        x86: Fix NULL pointer access in irq_force_complete_move() for Xen guests
        x86: Fix 'reservetop=' functionality
      d7526f27
    • L
      Merge branch 'for-linus' of... · 67bff7c0
      Linus Torvalds 提交于
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
        KEYS: Fix RCU handling in key_gc_keyring()
        KEYS: Fix an RCU warning in the reading of user keys
      67bff7c0
    • D
      KEYS: Fix RCU handling in key_gc_keyring() · cf8304e8
      David Howells 提交于
      key_gc_keyring() needs to either hold the RCU read lock or hold the keyring
      semaphore if it's going to scan the keyring's list.  Given that it only needs
      to read the key list, and it's doing so under a spinlock, the RCU read lock is
      the thing to use.
      
      Furthermore, the RCU check added in e7b0a61b is
      incorrect as holding the spinlock on key_serial_lock is not grounds for
      assuming a keyring's pointer list can be read safely.  Instead, a simple
      rcu_dereference() inside of the previously mentioned RCU read lock is what we
      want.
      Reported-by: NSerge E. Hallyn <serue@us.ibm.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Acked-by: N"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      cf8304e8
    • D
      KEYS: Fix an RCU warning in the reading of user keys · d9a9b4ae
      David Howells 提交于
      Fix an RCU warning in the reading of user keys:
      
      ===================================================
      [ INFO: suspicious rcu_dereference_check() usage. ]
      ---------------------------------------------------
      security/keys/user_defined.c:202 invoked rcu_dereference_check() without protection!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 1, debug_locks = 0
      1 lock held by keyctl/3637:
       #0:  (&key->sem){+++++.}, at: [<ffffffff811a80ae>] keyctl_read_key+0x9c/0xcf
      
      stack backtrace:
      Pid: 3637, comm: keyctl Not tainted 2.6.34-rc5-cachefs #18
      Call Trace:
       [<ffffffff81051f6c>] lockdep_rcu_dereference+0xaa/0xb2
       [<ffffffff811aa55f>] user_read+0x47/0x91
       [<ffffffff811a80be>] keyctl_read_key+0xac/0xcf
       [<ffffffff811a8a06>] sys_keyctl+0x75/0xb7
       [<ffffffff81001eeb>] system_call_fastpath+0x16/0x1b
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      d9a9b4ae
    • A
      drm/radeon/kms/legacy: only enable load detection property on DVI-I · 68b3adb4
      Alex Deucher 提交于
      DVI-D doesn't have analog.  This matches the avivo behavior.
      Signed-off-by: NAlex Deucher <alexdeucher@gmail.com>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      68b3adb4
    • A
      drm/radeon/kms: fix panel scaling adjusted mode setup · 3515387b
      Alex Deucher 提交于
      This should duplicate exactly what the ddx does for both
      legacy and avivo.
      Signed-off-by: NAlex Deucher <alexdeucher@gmail.com>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      3515387b
    • L
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2 · 7572e563
      Linus Torvalds 提交于
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2:
        ocfs2: Avoid a gcc warning in ocfs2_wipe_inode().
        ocfs2: Avoid direct write if we fall back to buffered I/O
        ocfs2_dlmfs: Fix math error when reading LVB.
        ocfs2: Update VFS inode's id info after reflink.
        ocfs2: potential ERR_PTR dereference on error paths
        ocfs2: Add directory entry later in ocfs2_symlink() and ocfs2_mknod()
        ocfs2: use OCFS2_INODE_SKIP_ORPHAN_DIR in ocfs2_mknod error path
        ocfs2: use OCFS2_INODE_SKIP_ORPHAN_DIR in ocfs2_symlink error path
        ocfs2: add OCFS2_INODE_SKIP_ORPHAN_DIR flag and honor it in the inode wipe code
        ocfs2: Reset status if we want to restart file extension.
        ocfs2: Compute metaecc for superblocks during online resize.
        ocfs2: Check the owner of a lockres inside the spinlock
        ocfs2: one more warning fix in ocfs2_file_aio_write(), v2
        ocfs2_dlmfs: User DLM_* when decoding file open flags.
      7572e563
    • D
      Fix the x86_64 implementation of call_rwsem_wait() · a66f6375
      David Howells 提交于
      The x86_64 call_rwsem_wait() treats the active state counter part of the
      R/W semaphore state as being 16-bit when it's actually 32-bit (it's half
      of the 64-bit state).  It should do "decl %edx" not "decw %dx".
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a66f6375
    • L
      Merge branch 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging · c81406d6
      Linus Torvalds 提交于
      * 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
        i2c-core: Use per-adapter userspace device lists
        i2c: Fix probing of FSC hardware monitoring chips
        i2c-core: Erase pointer to clientdata on removal
      c81406d6
    • L
      Merge branch 'perf-fixes-for-linus' of... · f5fa05d9
      Linus Torvalds 提交于
      Merge branch 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
      
      * 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
        perf: Fix resource leak in failure path of perf_event_open()
      f5fa05d9
    • L
      Merge branch 'core-fixes-for-linus' of... · f2809d61
      Linus Torvalds 提交于
      Merge branch 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
      
      * 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
        rcu: Fix RCU lockdep splat on freezer_fork path
        rcu: Fix RCU lockdep splat in set_task_cpu on fork path
        mutex: Don't spin when the owner CPU is offline or other weird cases
      f2809d61
  2. 04 5月, 2010 16 次提交
  3. 03 5月, 2010 5 次提交
  4. 01 5月, 2010 6 次提交