author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-01-09 08:08:41 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-01-09 08:08:41 +0100 |
commit | 93a8912463a2ffa7994fa2182b4a6b666d27bec0 (patch) | |
tree | 1456393e02fdfca85efaf6e0e093c8a7ad0824f1 | |
parent | ce518fc16d4ff3661aede5381642f014d2cc8986 (diff) | |
parent | d392559fe65a7053df7fb22b2960abd3a8bb3757 (diff) | |
Merge remote-tracking branch 'origin/master'kernel-4.4.0-0.rc8.git3.1.vanilla.knurd.1.fc24
-rw-r--r-- | config-generic | 6 | ||||
-rw-r--r-- | config-nodebug | 112 | ||||
-rw-r--r-- | config-x86-generic | 2 | ||||
-rw-r--r-- | drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch | 68 | ||||
-rw-r--r-- | drm-udl-Use-unlocked-gem-unreferencing.patch | 58 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 69 | ||||
-rw-r--r-- | ptrace-being-capable-wrt-a-process-requires-mapped-u.patch | 108 | ||||
-rw-r--r-- | sources | 1 |
9 files changed, 347 insertions, 79 deletions
diff --git a/config-generic b/config-generic
index 48837af22..6c999c510 100644
--- a/config-generic
+++ b/config-generic
@@ -1799,13 +1799,13 @@ CONFIG_B43_PCMCIA=y
 CONFIG_B43_SDIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BCMA_PIO=y
-# CONFIG_B43_DEBUG is not set
+CONFIG_B43_DEBUG=y
 CONFIG_B43_PHY_LP=y
 CONFIG_B43_PHY_N=y
 CONFIG_B43_PHY_HT=y
 CONFIG_B43_PHY_G=y
 CONFIG_B43LEGACY=m
-# CONFIG_B43LEGACY_DEBUG is not set
+CONFIG_B43LEGACY_DEBUG=y
 CONFIG_B43LEGACY_DMA=y
 CONFIG_B43LEGACY_PIO=y
 CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@@ -5046,7 +5046,7 @@ CONFIG_PM_DEBUG=y
 # CONFIG_DPM_WATCHDOG is not set # revisit this in debug
 CONFIG_PM_TRACE=y
 CONFIG_PM_TRACE_RTC=y
-# CONFIG_PM_TEST_SUSPEND is not set
+CONFIG_PM_TEST_SUSPEND=y
 # CONFIG_PM_OPP is not set
 # CONFIG_PM_AUTOSLEEP is not set
 # CONFIG_PM_WAKELOCKS is not set
diff --git a/config-nodebug b/config-nodebug
index 65e8accd1..1b93255c0 100644
--- a/config-nodebug
+++ b/config-nodebug
@@ -2,101 +2,101 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -# CONFIG_DEBUG_ATOMIC_SLEEP is not set - -# CONFIG_DEBUG_MUTEXES is not set -# CONFIG_DEBUG_RT_MUTEXES is not set -# CONFIG_DEBUG_LOCK_ALLOC is not set -# CONFIG_LOCK_TORTURE_TEST is not set -# CONFIG_PROVE_LOCKING is not set -# CONFIG_DEBUG_SPINLOCK is not set -# CONFIG_PROVE_RCU is not set +CONFIG_DEBUG_ATOMIC_SLEEP=y + +CONFIG_DEBUG_MUTEXES=y +CONFIG_DEBUG_RT_MUTEXES=y +CONFIG_DEBUG_LOCK_ALLOC=y +CONFIG_LOCK_TORTURE_TEST=m +CONFIG_PROVE_LOCKING=y +CONFIG_DEBUG_SPINLOCK=y +CONFIG_PROVE_RCU=y # CONFIG_PROVE_RCU_REPEATEDLY is not set -# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_DEBUG_PER_CPU_MAPS=y CONFIG_CPUMASK_OFFSTACK=y -# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set +CONFIG_CPU_NOTIFIER_ERROR_INJECT=m -# CONFIG_FAULT_INJECTION is not set -# CONFIG_FAILSLAB is not set -# CONFIG_FAIL_PAGE_ALLOC is not set -# CONFIG_FAIL_MAKE_REQUEST is not set -# CONFIG_FAULT_INJECTION_DEBUG_FS is not set -# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set -# CONFIG_FAIL_IO_TIMEOUT is not set -# CONFIG_FAIL_MMC_REQUEST is not set +CONFIG_FAULT_INJECTION=y +CONFIG_FAILSLAB=y +CONFIG_FAIL_PAGE_ALLOC=y +CONFIG_FAIL_MAKE_REQUEST=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y +CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y +CONFIG_FAIL_IO_TIMEOUT=y +CONFIG_FAIL_MMC_REQUEST=y -# CONFIG_LOCK_STAT is not set +CONFIG_LOCK_STAT=y -# CONFIG_DEBUG_STACK_USAGE is not set +CONFIG_DEBUG_STACK_USAGE=y -# CONFIG_ACPI_DEBUG is not set +CONFIG_ACPI_DEBUG=y # CONFIG_ACPI_DEBUGGER is not set -# CONFIG_DEBUG_SG is not set -# CONFIG_DEBUG_PI_LIST is not set +CONFIG_DEBUG_SG=y +CONFIG_DEBUG_PI_LIST=y # CONFIG_PAGE_EXTENSION is not set # CONFIG_PAGE_OWNER is not set # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_DEBUG_OBJECTS is not set +CONFIG_DEBUG_OBJECTS=y # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -# CONFIG_DEBUG_OBJECTS_FREE is not set -# CONFIG_DEBUG_OBJECTS_TIMERS is not set -# CONFIG_DEBUG_OBJECTS_RCU_HEAD is 
not set +CONFIG_DEBUG_OBJECTS_FREE=y +CONFIG_DEBUG_OBJECTS_TIMERS=y +CONFIG_DEBUG_OBJECTS_RCU_HEAD=y CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 CONFIG_X86_PTDUMP=y -# CONFIG_ARM64_PTDUMP is not set -# CONFIG_EFI_PGT_DUMP is not set +CONFIG_ARM64_PTDUMP=y +CONFIG_EFI_PGT_DUMP=y -# CONFIG_CAN_DEBUG_DEVICES is not set +CONFIG_CAN_DEBUG_DEVICES=y -# CONFIG_MODULE_FORCE_UNLOAD is not set +CONFIG_MODULE_FORCE_UNLOAD=y -# CONFIG_DEBUG_NOTIFIERS is not set +CONFIG_DEBUG_NOTIFIERS=y -# CONFIG_DMA_API_DEBUG is not set +CONFIG_DMA_API_DEBUG=y -# CONFIG_MMIOTRACE is not set +CONFIG_MMIOTRACE=y -# CONFIG_DEBUG_CREDENTIALS is not set +CONFIG_DEBUG_CREDENTIALS=y # off in both production debug and nodebug builds, # on in rawhide nodebug builds -# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y -# CONFIG_EXT4_DEBUG is not set +CONFIG_EXT4_DEBUG=y # CONFIG_XFS_WARN is not set -# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_DEBUG_PERF_USE_VMALLOC=y -# CONFIG_JBD2_DEBUG is not set +CONFIG_JBD2_DEBUG=y -# CONFIG_NFSD_FAULT_INJECTION is not set +CONFIG_NFSD_FAULT_INJECTION=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y -# CONFIG_DRBD_FAULT_INJECTION is not set +CONFIG_DRBD_FAULT_INJECTION=y -# CONFIG_ATH_DEBUG is not set -# CONFIG_CARL9170_DEBUGFS is not set -# CONFIG_IWLWIFI_DEVICE_TRACING is not set +CONFIG_ATH_DEBUG=y +CONFIG_CARL9170_DEBUGFS=y +CONFIG_IWLWIFI_DEVICE_TRACING=y # CONFIG_RTLWIFI_DEBUG is not set -# CONFIG_DEBUG_OBJECTS_WORK is not set +CONFIG_DEBUG_OBJECTS_WORK=y -# CONFIG_DMADEVICES_DEBUG is not set +CONFIG_DMADEVICES_DEBUG=y # CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y -# CONFIG_CEPH_LIB_PRETTYDEBUG is not set -# CONFIG_QUOTA_DEBUG is not set +CONFIG_CEPH_LIB_PRETTYDEBUG=y +CONFIG_QUOTA_DEBUG=y CONFIG_KGDB_KDB=y 
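Review bot: Nothing in config-nodebug records that the options this hunk turns on are meant for rawhide test builds only, although several of them add interfaces a production kernel should not carry: the `CONFIG_FAULT_INJECTION=y` to `CONFIG_FAIL_MMC_REQUEST=y` group (including `CONFIG_FAULT_INJECTION_DEBUG_FS=y`), `CONFIG_NFSD_FAULT_INJECTION=y`, `CONFIG_MODULE_FORCE_UNLOAD=y` and `CONFIG_MMIOTRACE=y`. The only hint is the existing comment above `CONFIG_DEBUG_FORCE_WEAK_PER_CPU`, which appears to cover that one option. I would add a header comment to the file, for example `# Debug options below are on for rawhide builds; run 'make release' before building a production kernel`, so that this state is not mistaken for the release configuration. The kernel.spec hunk in the same commit sets `debugbuildsenabled 0`, which is consistent with a rawhide build.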
@@ -104,18 +104,18 @@ CONFIG_KDB_DEFAULT_ENABLE=0x0 CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set +CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y # CONFIG_PERCPU_TEST is not set -# CONFIG_TEST_LIST_SORT is not set +CONFIG_TEST_LIST_SORT=y # CONFIG_TEST_STRING_HELPERS is not set -# CONFIG_DETECT_HUNG_TASK is not set +CONFIG_DETECT_HUNG_TASK=y CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set +CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y -# CONFIG_DEBUG_KMEMLEAK is not set +CONFIG_DEBUG_KMEMLEAK=y CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y @@ -126,4 +126,4 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set -# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set +CONFIG_X86_DEBUG_STATIC_CPU_HAS=y diff --git a/config-x86-generic b/config-x86-generic index a436377af..83254f3bc 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -368,7 +368,7 @@ CONFIG_SP5100_TCO=m # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -# CONFIG_MAXSMP is not set +CONFIG_MAXSMP=y CONFIG_HP_ILO=m diff --git a/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch b/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch new file mode 100644 index 000000000..cd53bf71c --- /dev/null +++ b/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch 
@@ -0,0 +1,68 @@ +From 41ed5ee704b784a4fca02787311d59c243563013 Mon Sep 17 00:00:00 2001 +From: Jani Nikula <jani.nikula@intel.com> +Date: Thu, 7 Jan 2016 10:29:10 +0200 +Subject: [PATCH] drm/i915: shut up gen8+ SDE irq dmesg noise, again + +We still keep getting + +[ 4.249930] [drm:gen8_irq_handler [i915]] *ERROR* The master control interrupt lied (SDE)! + +This reverts + +commit 820da7ae46332fa709b171eb7ba57cbd023fa6df +Author: Jani Nikula <jani.nikula@intel.com> +Date: Wed Nov 25 16:47:23 2015 +0200 + + Revert "drm/i915: shut up gen8+ SDE irq dmesg noise" + +which in itself is a revert, so this is just doing + +commit 97e5ed1111dcc5300a0f59a55248cd243937a8ab +Author: Daniel Vetter <daniel.vetter@ffwll.ch> +Date: Fri Oct 23 10:56:12 2015 +0200 + + drm/i915: shut up gen8+ SDE irq dmesg noise + +all over again. I'll stop pretending I understand what's going on like I +did when I thought I'd fixed this for good in + +commit 6a39d7c986be4fd18eb019e9cdbf774ec36c9f77 +Author: Jani Nikula <jani.nikula@intel.com> +Date: Wed Nov 25 16:47:22 2015 +0200 + + drm/i915: fix the SDE irq dmesg warnings properly + +Reported-by: Chris Wilson <chris@chris-wilson.co.uk> +Reference: http://mid.gmane.org/20151213124945.GA5715@nuc-i3427.alporthouse.com +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92084 +Cc: drm-intel-fixes@lists.freedesktop.org +Fixes: 820da7ae4633 ("Revert "drm/i915: shut up gen8+ SDE irq dmesg noise"") +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/i915_irq.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c +index 0d228f909dcb..0f42a2782afc 100644 +--- a/drivers/gpu/drm/i915/i915_irq.c ++++ b/drivers/gpu/drm/i915/i915_irq.c +@@ -2354,9 +2354,13 @@ static irqreturn_t gen8_irq_handler(int irq, void *arg) + spt_irq_handler(dev, pch_iir); + else + cpt_irq_handler(dev, pch_iir); +- } else +- DRM_ERROR("The master control interrupt 
lied (SDE)!\n"); +- ++ } else { ++ /* ++ * Like on previous PCH there seems to be something ++ * fishy going on with forwarding PCH interrupts. ++ */ ++ DRM_DEBUG_DRIVER("The master control interrupt lied (SDE)!\n"); ++ } + } + + I915_WRITE_FW(GEN8_MASTER_IRQ, GEN8_MASTER_IRQ_CONTROL); +-- +2.5.0 + diff --git a/drm-udl-Use-unlocked-gem-unreferencing.patch b/drm-udl-Use-unlocked-gem-unreferencing.patch new file mode 100644 index 000000000..e2dbabe83 --- /dev/null +++ b/drm-udl-Use-unlocked-gem-unreferencing.patch 
@@ -0,0 +1,58 @@ +From patchwork Mon Nov 23 09:32:42 2015 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [09/29] drm/udl: Use unlocked gem unreferencing +From: Daniel Vetter <daniel.vetter@ffwll.ch> +X-Patchwork-Id: 65722 +Message-Id: <1448271183-20523-10-git-send-email-daniel.vetter@ffwll.ch> +To: DRI Development <dri-devel@lists.freedesktop.org> +Cc: Daniel Vetter <daniel.vetter@intel.com>, + Daniel Vetter <daniel.vetter@ffwll.ch>, + Intel Graphics Development <intel-gfx@lists.freedesktop.org>, + Dave Airlie <airlied@redhat.com> +Date: Mon, 23 Nov 2015 10:32:42 +0100 + +For drm_gem_object_unreference callers are required to hold +dev->struct_mutex, which these paths don't. Enforcing this requirement +has become a bit more strict with + +commit ef4c6270bf2867e2f8032e9614d1a8cfc6c71663 +Author: Daniel Vetter <daniel.vetter@ffwll.ch> +Date: Thu Oct 15 09:36:25 2015 +0200 + + drm/gem: Check locking in drm_gem_object_unreference + +Cc: Dave Airlie <airlied@redhat.com> +Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> +--- + drivers/gpu/drm/udl/udl_fb.c | 2 +- + drivers/gpu/drm/udl/udl_gem.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c +index 200419d4d43c..18a2acbccb7d 100644 +--- a/drivers/gpu/drm/udl/udl_fb.c ++++ b/drivers/gpu/drm/udl/udl_fb.c +@@ -538,7 +538,7 @@ static int udlfb_create(struct drm_fb_helper *helper, + out_destroy_fbi: + drm_fb_helper_release_fbi(helper); + out_gfree: +- drm_gem_object_unreference(&ufbdev->ufb.obj->base); ++ drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base); + out: + return ret; + } +diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c +index 2a0a784ab6ee..d7528e0d8442 100644 +--- a/drivers/gpu/drm/udl/udl_gem.c ++++ b/drivers/gpu/drm/udl/udl_gem.c +@@ -52,7 +52,7 @@ udl_gem_create(struct drm_file *file, + return ret; + } + +- 
drm_gem_object_unreference(&obj->base); ++ drm_gem_object_unreference_unlocked(&obj->base); + *handle_p = handle; + return 0; + } @@ -1 +1 @@ -24bc3ea5df2e1d89e9d50ecca57c210b87ad61d2 +02006f7a7a715af10974a30b7ad8e6ee340f954c diff --git a/kernel.spec b/kernel.spec index 4577f7304..ba36a2987 100644 --- a/kernel.spec +++ b/kernel.spec @@ -75,7 +75,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 8 # The git snapshot level -%define gitrev 0 +%define gitrev 3 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -130,7 +130,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 1 +%define debugbuildsenabled 0 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_without_vanilla: 0} %{?!_without_vanilla: 1} 
@@ -615,23 +615,31 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch #rhbz 1288687 Patch572: alua_fix.patch +#CVE-2015-8709 rhbz 1295287 1295288 +Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch + +Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch + #rhbz 1275718 -Patch577: 0001-device-property-always-check-for-fwnode-type.patch -Patch578: 0002-device-property-rename-helper-functions.patch -Patch579: 0003-device-property-refactor-built-in-properties-support.patch -Patch580: 0004-device-property-keep-single-value-inplace.patch -Patch581: 0005-device-property-helper-macros-for-property-entry-cre.patch -Patch582: 0006-device-property-improve-readability-of-macros.patch -Patch583: 0007-device-property-return-EINVAL-when-property-isn-t-fo.patch -Patch584: 0008-device-property-Fallback-to-secondary-fwnode-if-prim.patch -Patch585: 0009-device-property-Take-a-copy-of-the-property-set.patch -Patch586: 0010-driver-core-platform-Add-support-for-built-in-device.patch -Patch587: 0011-driver-core-Do-not-overwrite-secondary-fwnode-with-N.patch -Patch588: 0012-mfd-core-propagate-device-properties-to-sub-devices-.patch -Patch589: 0013-mfd-intel-lpss-Add-support-for-passing-device-proper.patch -Patch590: 0014-mfd-intel-lpss-Pass-SDA-hold-time-to-I2C-host-contro.patch -Patch591: 0015-mfd-intel-lpss-Pass-HSUART-configuration-via-propert.patch -Patch592: 0016-i2c-designware-Convert-to-use-unified-device-propert.patch +Patch605: 0001-device-property-always-check-for-fwnode-type.patch +Patch606: 0002-device-property-rename-helper-functions.patch +Patch607: 0003-device-property-refactor-built-in-properties-support.patch +Patch608: 0004-device-property-keep-single-value-inplace.patch +Patch609: 0005-device-property-helper-macros-for-property-entry-cre.patch +Patch610: 0006-device-property-improve-readability-of-macros.patch +Patch611: 0007-device-property-return-EINVAL-when-property-isn-t-fo.patch +Patch612: 
0008-device-property-Fallback-to-secondary-fwnode-if-prim.patch +Patch613: 0009-device-property-Take-a-copy-of-the-property-set.patch +Patch614: 0010-driver-core-platform-Add-support-for-built-in-device.patch +Patch615: 0011-driver-core-Do-not-overwrite-secondary-fwnode-with-N.patch +Patch616: 0012-mfd-core-propagate-device-properties-to-sub-devices-.patch +Patch617: 0013-mfd-intel-lpss-Add-support-for-passing-device-proper.patch +Patch618: 0014-mfd-intel-lpss-Pass-SDA-hold-time-to-I2C-host-contro.patch +Patch619: 0015-mfd-intel-lpss-Pass-HSUART-configuration-via-propert.patch +Patch620: 0016-i2c-designware-Convert-to-use-unified-device-propert.patch + +#rhbz 1295646 +Patch621: drm-udl-Use-unlocked-gem-unreferencing.patch # END OF PATCH DEFINITIONS @@ -2079,6 +2087,31 @@ fi # # %changelog +* Fri Jan 08 2016 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc8.git3.1 +- Linux v4.4-rc8-36-g02006f7a + +* Thu Jan 07 2016 Laura Abbott <labbott@redhat.com> +- Fix unlocked gem warning (rhbz 1295646) + +* Thu Jan 07 2016 Laura Abbott <labbott@redhat.com> +- Bring back patches for Lenovo Yoga touchpad (rhbz 1275718) + +* Thu Jan 07 2016 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc8.git2.1 +- Linux v4.4-rc8-26-gb06f3a1 + +* Thu Jan 07 2016 Josh Boyer <jwboyer@fedorparoject.org> +- Quiet i915 gen8 irq messages + +* Wed Jan 06 2016 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc8.git1.1 +- Linux v4.4-rc8-5-gee9a7d2 +- Reenable debugging options. + +* Tue Jan 05 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8709 ptrace: potential priv escalation with userns (rhbz 1295287 1295288) + +* Tue Jan 05 2016 Laura Abbott <labbott@redhat.com> +- Drop patches for Lenovo Yoga Touchpad (rhbz 1275718) + * Mon Jan 04 2016 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc8.git0.1 - Linux v4.4-rc8 - Disable debugging options. 
diff --git a/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch b/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch new file mode 100644 index 000000000..55c3ab9d1 --- /dev/null +++ b/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch 
@@ -0,0 +1,108 @@ +From 64a37c8197f4e1c2637cd80326f4649282176369 Mon Sep 17 00:00:00 2001 +From: Jann Horn <jann@thejh.net> +Date: Sat, 26 Dec 2015 03:52:31 +0100 +Subject: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids + +ptrace_has_cap() checks whether the current process should be +treated as having a certain capability for ptrace checks +against another process. Until now, this was equivalent to +has_ns_capability(current, target_ns, CAP_SYS_PTRACE). + +However, if a root-owned process wants to enter a user +namespace for some reason without knowing who owns it and +therefore can't change to the namespace owner's uid and gid +before entering, as soon as it has entered the namespace, +the namespace owner can attach to it via ptrace and thereby +gain access to its uid and gid. + +While it is possible for the entering process to switch to +the uid of a claimed namespace owner before entering, +causing the attempt to enter to fail if the claimed uid is +wrong, this doesn't solve the problem of determining an +appropriate gid. + +With this change, the entering process can first enter the +namespace and then safely inspect the namespace's +properties, e.g. through /proc/self/{uid_map,gid_map}, +assuming that the namespace owner doesn't have access to +uid 0. + +Changed in v2: The caller needs to be capable in the +namespace into which tcred's uids/gids can be mapped. 
+ +Signed-off-by: Jann Horn <jann@thejh.net> +--- + kernel/ptrace.c | 33 ++++++++++++++++++++++++++++----- + 1 file changed, 28 insertions(+), 5 deletions(-) + +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 787320de68e0..407c382b45c8 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -20,6 +20,7 @@ + #include <linux/uio.h> + #include <linux/audit.h> + #include <linux/pid_namespace.h> ++#include <linux/user_namespace.h> + #include <linux/syscalls.h> + #include <linux/uaccess.h> + #include <linux/regset.h> +@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) + return ret; + } + +-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) ++static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode) + { ++ struct user_namespace *tns = tcred->user_ns; ++ ++ /* When a root-owned process enters a user namespace created by a ++ * malicious user, the user shouldn't be able to execute code under ++ * uid 0 by attaching to the root-owned process via ptrace. ++ * Therefore, similar to the capable_wrt_inode_uidgid() check, ++ * verify that all the uids and gids of the target process are ++ * mapped into a namespace below the current one in which the caller ++ * is capable. ++ * No fsuid/fsgid check because __ptrace_may_access doesn't do it ++ * either. ++ */ ++ while ( ++ !kuid_has_mapping(tns, tcred->euid) || ++ !kuid_has_mapping(tns, tcred->suid) || ++ !kuid_has_mapping(tns, tcred->uid) || ++ !kgid_has_mapping(tns, tcred->egid) || ++ !kgid_has_mapping(tns, tcred->sgid) || ++ !kgid_has_mapping(tns, tcred->gid)) { ++ tns = tns->parent; ++ } ++ + if (mode & PTRACE_MODE_NOAUDIT) +- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); ++ return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE); + else +- return has_ns_capability(current, ns, CAP_SYS_PTRACE); ++ return has_ns_capability(current, tns, CAP_SYS_PTRACE); + } + + /* Returns 0 on success, -errno on denial. 
*/ +@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + gid_eq(cred->gid, tcred->sgid) && + gid_eq(cred->gid, tcred->gid)) + goto ok; +- if (ptrace_has_cap(tcred->user_ns, mode)) ++ if (ptrace_has_cap(tcred, mode)) + goto ok; + rcu_read_unlock(); + return -EPERM; +@@ -252,7 +275,7 @@ ok: + dumpable = get_dumpable(task->mm); + rcu_read_lock(); + if (dumpable != SUID_DUMP_USER && +- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) { ++ !ptrace_has_cap(__task_cred(task), mode)) { + rcu_read_unlock(); + return -EPERM; + } +-- +2.5.0 + @@ -1,3 +1,4 @@ 58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz 7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz 70fe8bc57b91cf35f400b176f10da6ec patch-4.4-rc8.xz +8f5c7fd9806b4aece5c02ca2c09b6d6c patch-4.4-rc8-git3.xz |
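Review bot: The `while` loop in the new `ptrace_has_cap()` advances with `tns = tns->parent` and never checks that a parent exists, so it terminates only if some ancestor namespace maps all six ids in `tcred`. That presumably always holds because the initial user namespace maps every valid id, but the invariant is not stated, and an id that maps nowhere would make the next `kuid_has_mapping(tns, ...)` call run on a NULL `tns`. I would state the assumption in the comment above the loop and make the walk stop at the root, e.g. `if (!tns->parent) break;` before `tns = tns->parent;`, so the capability check then runs against the outermost namespace. `ptrace_has_cap()` is fully visible in the hunk; its caller `__ptrace_may_access()` is only partly shown.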