- 06 Dec, 2016 19 commits
-
-
Johannes Weiner authored
BugLink: http://bugs.launchpad.net/bugs/1642572 commit 89a28483 upstream. On 4.0, we saw a stack corruption from a page fault entering direct memory cgroup reclaim, calling into btrfs_releasepage(), which then tried to allocate an extent and recursed back into a kmem charge ad nauseam: [...] btrfs_releasepage+0x2c/0x30 try_to_release_page+0x32/0x50 shrink_page_list+0x6da/0x7a0 shrink_inactive_list+0x1e5/0x510 shrink_lruvec+0x605/0x7f0 shrink_zone+0xee/0x320 do_try_to_free_pages+0x174/0x440 try_to_free_mem_cgroup_pages+0xa7/0x130 try_charge+0x17b/0x830 memcg_charge_kmem+0x40/0x80 new_slab+0x2d9/0x5a0 __slab_alloc+0x2fd/0x44f kmem_cache_alloc+0x193/0x1e0 alloc_extent_state+0x21/0xc0 __clear_extent_bit+0x2b5/0x400 try_release_extent_mapping+0x1a3/0x220 __btrfs_releasepage+0x31/0x70 btrfs_releasepage+0x2c/0x30 try_to_release_page+0x32/0x50 shrink_page_list+0x6da/0x7a0 shrink_inactive_list+0x1e5/0x510 shrink_lruvec+0x605/0x7f0 shrink_zone+0xee/0x320 do_try_to_free_pages+0x174/0x440 try_to_free_mem_cgroup_pages+0xa7/0x130 try_charge+0x17b/0x830 mem_cgroup_try_charge+0x65/0x1c0 handle_mm_fault+0x117f/0x1510 __do_page_fault+0x177/0x420 do_page_fault+0xc/0x10 page_fault+0x22/0x30 On later kernels, kmem charging is opt-in rather than opt-out, and that particular kmem allocation in btrfs_releasepage() is no longer being charged and won't recurse and overrun the stack anymore. But it's not impossible for an accounted allocation to happen from the memcg direct reclaim context, and we needed to reproduce this crash many times before we even got a useful stack trace out of it. Like other direct reclaimers, mark tasks in memcg reclaim PF_MEMALLOC to avoid recursing into any other form of direct reclaim. Then let recursive charges from PF_MEMALLOC contexts bypass the cgroup limit. Link: http://lkml.kernel.org/r/20161025141050.GA13019@cmpxchg.orgSigned-off-by: Johannes Weiner <hannes@cmpxchg.org> Acked-by: Michal Hocko <mhocko@suse.com> Cc: Vladimir Davydov <vdavydov.dev@gmail.com> Cc: Tejun Heo <tj@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Alexander Polakov authored
BugLink: http://bugs.launchpad.net/bugs/1642572 commit 1bc11d70 upstream. As described in https://bugzilla.kernel.org/show_bug.cgi?id=177821: After some analysis it seems to be that the problem is in alloc_super(). In case list_lru_init_memcg() fails it goes into destroy_super(), which calls list_lru_destroy(). And in list_lru_init() we see that in case memcg_init_list_lru() fails, lru->node is freed, but not set NULL, which then leads list_lru_destroy() to believe it is initialized and call memcg_destroy_list_lru(). memcg_destroy_list_lru() in turn can access lru->node[i].memcg_lrus, which is NULL. [akpm@linux-foundation.org: add comment] Signed-off-by: Alexander Polakov <apolyakov@beget.ru> Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Darrick J. Wong authored
BugLink: http://bugs.launchpad.net/bugs/1642572 commit 58d78967 upstream. The function xfs_calc_dquots_per_chunk takes a parameter in units of basic blocks. The kernel seems to get the units wrong, but userspace got 'fixed' by commenting out the unnecessary conversion. Fix both. Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: Eric Sandeen <sandeen@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Mark Rutland authored
BugLink: http://bugs.launchpad.net/bugs/1642572 commit 21753583 upstream. Back in commit f56141e3 ("all arches, signal: move restart_block to struct task_struct"), all architectures and core code were changed to use task_struct::restart_block. However, when h8300 support was subsequently restored in v4.2, it was not updated to account for this, and maintains thread_info::restart_block, which is not kept in sync. This patch drops the redundant restart_block from thread_info, and moves h8300 to the common one in task_struct, ensuring that syscall restarting always works as expected. Fixes: f56141e3 ("all arches, signal: move restart_block to struct task_struct") Link: http://lkml.kernel.org/r/1476714934-11635-1-git-send-email-mark.rutland@arm.comSigned-off-by: Mark Rutland <mark.rutland@arm.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Yoshinori Sato <ysato@users.sourceforge.jp> Cc: uclinux-h8-devel@lists.sourceforge.jp Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Ville Syrjälä authored
BugLink: http://bugs.launchpad.net/bugs/1642572 commit 36e3fa6a upstream. The i2c adapter is only relevant for some peer device types, so let's clear the pdt if it's still the same as the old_pdt when we tear down the i2c adapter. I don't really like this design pattern of updating port->whatever before doing the accompanying changes and passing around old_whatever to figure stuff out. Would make much more sense to me to the pass the new value around and only update the port->whatever when things are consistent. But let's try to work with what we have right now. Quoting a follow-up from Ville: "And naturally I forgot to amend the commit message w.r.t. this guy [the change in drm_dp_destroy_port]. We don't really need to do this here, but I figured I'd try to be a bit more consistent by having it, just to avoid accidental mistakes if/when someone changes this stuff again later." v2: Clear port->pdt in the caller, if needed (Daniel) Cc: Daniel Vetter <daniel@ffwll.ch> Cc: Carlos Santa <carlos.santa@intel.com> Cc: Kirill A. Shutemov <kirill@shutemov.name> Tested-by: Carlos Santa <carlos.santa@intel.com> Tested-by: Kirill A. Shutemov <kirill@shutemov.name> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97666Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/1477488633-16544-1-git-send-email-ville.syrjala@linux.intel.comSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Vladimir Zapolskiy authored
BugLink: http://bugs.launchpad.net/bugs/1642572 commit 147b36d5 upstream. Race condition between registering an I2C device driver and deregistering an I2C adapter device which is assumed to manage that I2C device may lead to a NULL pointer dereference due to the uninitialized list head of driver clients. The root cause of the issue is that the I2C bus may know about the registered device driver and thus it is matched by bus_for_each_drv(), but the list of clients is not initialized and commonly it is NULL, because I2C device drivers define struct i2c_driver as static and clients field is expected to be initialized by I2C core: i2c_register_driver() i2c_del_adapter() driver_register() ... bus_add_driver() ... ... bus_for_each_drv(..., __process_removed_adapter) ... i2c_do_del_adapter() ... list_for_each_entry_safe(..., &driver->clients, ...) INIT_LIST_HEAD(&driver->clients); To solve the problem it is sufficient to do clients list head initialization before calling driver_register(). The problem was found while using an I2C device driver with a sluggish registration routine on a bus provided by a physically detachable I2C master controller, but practically the oops may be reproduced under the race between arbitraty I2C device driver registration and managing I2C bus device removal e.g. by unbinding the latter over sysfs: % echo 21a4000.i2c > /sys/bus/platform/drivers/imx-i2c/unbind Unable to handle kernel NULL pointer dereference at virtual address 00000000 Internal error: Oops: 17 [#1] SMP ARM CPU: 2 PID: 533 Comm: sh Not tainted 4.9.0-rc3+ #61 Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) task: e5ada400 task.stack: e4936000 PC is at i2c_do_del_adapter+0x20/0xcc LR is at __process_removed_adapter+0x14/0x1c Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 35bd004a DAC: 00000051 Process sh (pid: 533, stack limit = 0xe4936210) Stack: (0xe4937d28 to 0xe4938000) Backtrace: [<c0667be0>] (i2c_do_del_adapter) from [<c0667cc0>] (__process_removed_adapter+0x14/0x1c) [<c0667cac>] (__process_removed_adapter) from [<c0516998>] (bus_for_each_drv+0x6c/0xa0) [<c051692c>] (bus_for_each_drv) from [<c06685ec>] (i2c_del_adapter+0xbc/0x284) [<c0668530>] (i2c_del_adapter) from [<bf0110ec>] (i2c_imx_remove+0x44/0x164 [i2c_imx]) [<bf0110a8>] (i2c_imx_remove [i2c_imx]) from [<c051a838>] (platform_drv_remove+0x2c/0x44) [<c051a80c>] (platform_drv_remove) from [<c05183d8>] (__device_release_driver+0x90/0x12c) [<c0518348>] (__device_release_driver) from [<c051849c>] (device_release_driver+0x28/0x34) [<c0518474>] (device_release_driver) from [<c0517150>] (unbind_store+0x80/0x104) [<c05170d0>] (unbind_store) from [<c0516520>] (drv_attr_store+0x28/0x34) [<c05164f8>] (drv_attr_store) from [<c0298acc>] (sysfs_kf_write+0x50/0x54) [<c0298a7c>] (sysfs_kf_write) from [<c029801c>] (kernfs_fop_write+0x100/0x214) [<c0297f1c>] (kernfs_fop_write) from [<c0220130>] (__vfs_write+0x34/0x120) [<c02200fc>] (__vfs_write) from [<c0221088>] (vfs_write+0xa8/0x170) [<c0220fe0>] (vfs_write) from [<c0221e74>] (SyS_write+0x4c/0xa8) [<c0221e28>] (SyS_write) from [<c0108a20>] (ret_fast_syscall+0x0/0x1c) Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Hoan Tran authored
BugLink: http://bugs.launchpad.net/bugs/1642572 commit 60361601 upstream. SMBus block command uses the first byte of buffer for the data length. The dma_buffer should be increased by 1 to avoid the overrun issue. Reported-by: Phil Endecott <phil_gjouf_endecott@chezphil.org> Signed-off-by: Hoan Tran <hotran@apm.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Eric W. Biederman authored
CAI Qian <caiqian@redhat.com> pointed out that the semantics of shared subtrees make it possible to create an exponentially increasing number of mounts in a mount namespace. mkdir /tmp/1 /tmp/2 mount --make-rshared / for i in $(seq 1 20) ; do mount --bind /tmp/1 /tmp/2 ; done Will create create 2^20 or 1048576 mounts, which is a practical problem as some people have managed to hit this by accident. As such CVE-2016-6213 was assigned. Ian Kent <raven@themaw.net> described the situation for autofs users as follows: > The number of mounts for direct mount maps is usually not very large because of > the way they are implemented, large direct mount maps can have performance > problems. There can be anywhere from a few (likely case a few hundred) to less > than 10000, plus mounts that have been triggered and not yet expired. > > Indirect mounts have one autofs mount at the root plus the number of mounts that > have been triggered and not yet expired. > > The number of autofs indirect map entries can range from a few to the common > case of several thousand and in rare cases up to between 30000 and 50000. I've > not heard of people with maps larger than 50000 entries. > > The larger the number of map entries the greater the possibility for a large > number of active mounts so it's not hard to expect cases of a 1000 or somewhat > more active mounts. So I am setting the default number of mounts allowed per mount namespace at 100,000. This is more than enough for any use case I know of, but small enough to quickly stop an exponential increase in mounts. Which should be perfect to catch misconfigurations and malfunctioning programs. For anyone who needs a higher limit this can be changed by writing to the new /proc/sys/fs/mount-max sysctl. Tested-by: CAI Qian <caiqian@redhat.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> CVE-2016-6213 (backported from commit d2921684) [ luis: adjust context ] Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com>
-
Dennis Wassenberg authored
Lenovo Thinkpad devices T460, T460s, T460p, T560, X260 use HKEY version 0x200 without adaptive keyboard. HKEY version 0x200 has method MHKA with one parameter value. Passing parameter value 1 will get hotkey_all_mask (the same like HKEY version 0x100 without parameter). Passing parameter value 2 to MHKA method will retrieve hotkey_all_adaptive_mask. If 0 is returned in that case there is no adaptive keyboard available. BugLink: http://bugs.launchpad.net/bugs/1642114Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com> Signed-off-by: Lyude <cpaul@redhat.com> Tested-by: Lyude <cpaul@redhat.com> Tested-by: Marco Trevisan <marco@ubuntu.com> Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> [dvhart: Keep MHKA error string on one line in new and existing pr_err calls] Signed-off-by: Darren Hart <dvhart@linux.intel.com> (cherry picked from commit 0118c2d3) Signed-off-by: Alex Hung <alex.hung@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Sakari Ailus authored
When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer which will be dequeued is not known until the buffer has been removed from the queue. The number of planes is specific to a buffer, not to the queue. This does lead to the situation where multi-plane buffers may be requested and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument struct with fewer planes. __fill_v4l2_buffer() however uses the number of planes from the dequeued videobuf2 buffer, overwriting kernel memory (the m.planes array allocated in video_usercopy() in v4l2-ioctl.c) if the user provided fewer planes than the dequeued buffer had. Oops! Fixes: b0e0e1f8 ("[media] media: videobuf2: Prepare to divide videobuf2") Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Cc: stable@vger.kernel.org # for v4.4 and later Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> CVE-2016-4568 (cherry picked from commit 83934b75) Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com>
-
Kai-Heng Feng authored
BugLink: http://bugs.launchpad.net/bugs/1641562 Device 0cf3:e009 is one of the QCA ROME family. T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=04 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=e009 Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> (backported from commit 93519934) Signed-off-by: Phidias Chiang <phidias.chiang@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Wen-chien Jesse Sung authored
BugLink: https://launchpad.net/bugs/1641569 pci_get_subsys() will increase pci device refcount if it finds a match. Explicitly decrease refcount if a device is found. Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Wen-chien Jesse Sung authored
BugLink: https://launchpad.net/bugs/1640418 The DMI ID string may be changed in some models. Use PCI ID as an indentification instead. Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Long Li authored
BugLink: http://bugs.launchpad.net/bugs/1632786 The host keeps sending heartbeat packets independent of the guest responding to them. Even though we respond to the heartbeat messages at interrupt level, we can have situations where there maybe multiple heartbeat messages pending that have not been responded to. For instance this occurs when the VM is paused and the host continues to send the heartbeat messages. Address this issue by draining and responding to all the heartbeat messages that maybe pending. Signed-off-by: Long Li <longli@microsoft.com> Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> CC: Stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 407a3aee) Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Nicolas Dichtel authored
BugLink: http://bugs.launchpad.net/bugs/1634545 The goal of the patch is to fix this scenario: ip link add dummy1 type dummy ip link set dummy1 up ip link set lo down ; ip link set lo up After that sequence, the local route to the link layer address of dummy1 is not there anymore. When the loopback is set down, all local routes are deleted by addrconf_ifdown()/rt6_ifdown(). At this time, the rt6_info entry still exists, because the corresponding idev has a reference on it. After the rcu grace period, dst_rcu_free() is called, and thus ___dst_free(), which will set obsolete to DST_OBSOLETE_DEAD. In this case, init_loopback() is called before dst_rcu_free(), thus obsolete is still sets to something <= 0. So, the function doesn't add the route again. To avoid that race, let's check the rt6 refcnt instead. Fixes: 25fb6ca4 ("net IPv6 : Fix broken IPv6 routing table after loopback down-up") Fixes: a881ae1f ("ipv6: don't call addrconf_dst_alloc again when enable lo") Fixes: 33d99113 ("ipv6: reallocate addrconf router for ipv6 address when lo device up") Reported-by: Francesco Santoro <francesco.santoro@6wind.com> Reported-by: Samuel Gauthier <samuel.gauthier@6wind.com> CC: Balakumaran Kannan <Balakumaran.Kannan@ap.sony.com> CC: Maruthi Thotad <Maruthi.Thotad@ap.sony.com> CC: Sabrina Dubroca <sd@queasysnail.net> CC: Hannes Frederic Sowa <hannes@stressinduktion.org> CC: Weilong Chen <chenweilong@huawei.com> CC: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit a220445f) Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Richard Guy Briggs authored
BugLink: http://bugs.launchpad.net/bugs/1633404 Nothing prevents a new auditd starting up and replacing a valid audit_pid when an old auditd is still running, effectively starving out the old auditd since audit_pid no longer points to the old valid auditd. If no message to auditd has been attempted since auditd died unnaturally or got killed, audit_pid will still indicate it is alive. There isn't an easy way to detect if an old auditd is still running on the existing audit_pid other than attempting to send a message to see if it fails. An -ECONNREFUSED almost certainly means it disappeared and can be replaced. Other errors are not so straightforward and may indicate transient problems that will resolve themselves and the old auditd will recover. Yet others will likely need manual intervention for which a new auditd will not solve the problem. Send a new message type (AUDIT_REPLACE) to the old auditd containing a u32 with the PID of the new auditd. If the audit replace message succeeds (or doesn't fail with certainty), fail to register the new auditd and return an error (-EEXIST). This is expected to make the patch preventing an old auditd orphaning a new auditd redundant. V3: Switch audit message type from 1000 to 1300 block. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> (cherry picked from commit 133e1e5a) Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Andy Whitcroft authored
BugLink: http://bugs.launchpad.net/bugs/1640109Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Andy Whitcroft authored
BugLink: http://bugs.launchpad.net/bugs/1640109Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
Ignore: yes Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
- 01 Dec, 2016 3 commits
-
-
Brad Figg authored
Signed-off-by: Brad Figg <brad.figg@canonical.com>
-
Philip Pettersson authored
CVE-2016-8655 BugLink: http://bugs.launchpad.net/bugs/1646318 When packet_set_ring creates a ring buffer it will initialize a struct timer_list if the packet version is TPACKET_V3. This value can then be raced by a different thread calling setsockopt to set the version to TPACKET_V1 before packet_set_ring has finished. This leads to a use-after-free on a function pointer in the struct timer_list when the socket is closed as the previously initialized timer will not be deleted. The bug is fixed by taking lock_sock(sk) in packet_setsockopt when changing the packet version while also taking the lock at the start of packet_set_ring. Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.") Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Brad Figg <brad.figg@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Ben Romer <ben.romer@canonical.com>
-
Brad Figg authored
Ignore: yes Signed-off-by: Brad Figg <brad.figg@canonical.com>
-
- 24 Nov, 2016 4 commits
-
-
Luis Henriques authored
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644596 This reverts commit 7c50722a. The backports that fix bug #1633128 for xenial, in particular the backport of upstream commit a9a62c93 ("dma-mapping: introduce the DMA_ATTR_NO_WARN attribute"), introduce a regression. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644596 This reverts commit 96530c8a. The backports that fix bug #1633128 for xenial, in particular the backport of upstream commit a9a62c93 ("dma-mapping: introduce the DMA_ATTR_NO_WARN attribute"), introduce a regression. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644596 This reverts commit 3fbd4bc4. The backports that fix bug #1633128 for xenial, in particular the backport of upstream commit a9a62c93 ("dma-mapping: introduce the DMA_ATTR_NO_WARN attribute"), introduce a regression. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
- 23 Nov, 2016 14 commits
-
-
Luis Henriques authored
Ignore: yes Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit 813a6f60. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Refuse uid/gid changes which don't map into s_user_ns"" BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit 412b16ef. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit dc0d66cb. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Update posix_acl support to handle user namespace mounts"" BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit aad49181. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit 392767a8. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit 5a10b5bd. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit 2036ce60. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit ac7f3f73. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit ca52383a. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
Revert "(namespace) Revert "UBUNTU: SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns"" BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit 70c252de. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit e56ac922. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
Luis Henriques authored
BugLink: https://bugs.launchpad.net/bugs/1644165 This reverts commit ec41f5ac. The kernel fix for bug #1634964 breaks LXD userspace, in particular the following commits: ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs LXD 2.0.6 will include changes to support these kernel changes, but it isn't available yet on xenial, so for now we just revert these commits. Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-