diff --git a/fix-unprotected-access-to-task-credentials-in-whatid.patch b/fix-unprotected-access-to-task-credentials-in-whatid.patch new file mode 100644 index 0000000..2fd8b53 --- /dev/null +++ b/fix-unprotected-access-to-task-credentials-in-whatid.patch @@ -0,0 +1,98 @@ +From 2779f26ab085071a8a55d3cf31f31a7d3c3bfcd1 Mon Sep 17 00:00:00 2001 +From: Daniel J Blueman +Date: Tue, 17 Aug 2010 23:56:55 +0100 +Subject: Fix unprotected access to task credentials in waitid() + +Using a program like the following: + + #include + #include + #include + #include + + int main() { + id_t id; + siginfo_t infop; + pid_t res; + + id = fork(); + if (id == 0) { sleep(1); exit(0); } + kill(id, SIGSTOP); + alarm(1); + waitid(P_PID, id, &infop, WCONTINUED); + return 0; + } + +to call waitid() on a stopped process results in access to the child task's +credentials without the RCU read lock being held - which may be replaced in the +meantime - eliciting the following warning: + + =================================================== + [ INFO: suspicious rcu_dereference_check() usage. ] + --------------------------------------------------- + kernel/exit.c:1460 invoked rcu_dereference_check() without protection! + + other info that might help us debug this: + + rcu_scheduler_active = 1, debug_locks = 1 + 2 locks held by waitid02/22252: + #0: (tasklist_lock){.?.?..}, at: [] do_wait+0xc5/0x310 + #1: (&(&sighand->siglock)->rlock){-.-...}, at: [] + wait_consider_task+0x19a/0xbe0 + + stack backtrace: + Pid: 22252, comm: waitid02 Not tainted 2.6.35-323cd+ #3 + Call Trace: + [] lockdep_rcu_dereference+0xa4/0xc0 + [] wait_consider_task+0xaf1/0xbe0 + [] do_wait+0xf5/0x310 + [] sys_waitid+0x86/0x1f0 + [] ? child_wait_callback+0x0/0x70 + [] system_call_fastpath+0x16/0x1b + +This is fixed by holding the RCU read lock in wait_task_continued() to ensure +that the task's current credentials aren't destroyed between us reading the +cred pointer and us reading the UID from those credentials. + +Furthermore, protect wait_task_stopped() in the same way. + +We don't need to keep holding the RCU read lock once we've read the UID from +the credentials as holding the RCU read lock doesn't stop the target task from +changing its creds under us - so the credentials may be outdated immediately +after we've read the pointer, lock or no lock. + +Signed-off-by: Daniel J Blueman +Signed-off-by: David Howells +Acked-by: Paul E. McKenney +Acked-by: Oleg Nesterov +Signed-off-by: Linus Torvalds +--- + kernel/exit.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/exit.c b/kernel/exit.c +index ceffc67..ac90425 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -1383,8 +1383,7 @@ static int wait_task_stopped(struct wait_opts *wo, + if (!unlikely(wo->wo_flags & WNOWAIT)) + *p_code = 0; + +- /* don't need the RCU readlock here as we're holding a spinlock */ +- uid = __task_cred(p)->uid; ++ uid = task_uid(p); + unlock_sig: + spin_unlock_irq(&p->sighand->siglock); + if (!exit_code) +@@ -1457,7 +1456,7 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) + } + if (!unlikely(wo->wo_flags & WNOWAIT)) + p->signal->flags &= ~SIGNAL_STOP_CONTINUED; +- uid = __task_cred(p)->uid; ++ uid = task_uid(p); + spin_unlock_irq(&p->sighand->siglock); + + pid = task_pid_vnr(p); +-- +1.7.3 + diff --git a/kernel.spec b/kernel.spec index 78e86dd..a272ee9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -724,6 +724,7 @@ Patch12080: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch # rhbz #622149 Patch12085: fix-rcu_deref_check-warning.patch Patch12086: linux-2.6-cgroups-rcu.patch +Patch12087: fix-unprotected-access-to-task-credentials-in-whatid.patch # rhbz #513530 Patch12090: dell-wmi-add-support-for-eject-key-studio-1555.patch @@ -1364,6 +1365,7 @@ ApplyPatch kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch # bz 622149 ApplyPatch fix-rcu_deref_check-warning.patch ApplyPatch linux-2.6-cgroups-rcu.patch +ApplyPatch fix-unprotected-access-to-task-credentials-in-whatid.patch # bz 513530 ApplyPatch dell-wmi-add-support-for-eject-key-studio-1555.patch @@ -1984,6 +1986,10 @@ fi %changelog * Thu Sep 23 2010 Kyle McMartin 2.6.35.5-31 +- Slay another rcu_dereference_check warning pointed out by + rmcgrath@. + +* Thu Sep 23 2010 Kyle McMartin - Enable -debug flavours and switch default image to release builds. - Bump NR_CPUS on i686 to 64.