diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2013-12-13 16:49:27 -0500 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2013-12-13 16:49:27 -0500 |
commit | 54dc996fcb49d75e7de8550c1f5f8995026b900a (patch) | |
tree | c7a7369839cdbf87af647449390ea60458cdf310 | |
parent | d9d571f6b20acfa14b0b4ff07d37a0fb07a6cb07 (diff) | |
download | kernel-54dc996fcb49d75e7de8550c1f5f8995026b900a.tar.gz kernel-54dc996fcb49d75e7de8550c1f5f8995026b900a.tar.xz kernel-54dc996fcb49d75e7de8550c1f5f8995026b900a.zip |
More keys fixes from upstream to fix keyctl_get_persisent crash (rhbz 1043033)
-rw-r--r-- | kernel.spec | 7 | ||||
-rw-r--r-- | keys-fixes.patch | 174 |
2 files changed, 181 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index c81400328..306aeb582 100644 --- a/kernel.spec +++ b/kernel.spec @@ -634,6 +634,8 @@ Patch800: crash-driver.patch # crypto/ +Patch900: keys-fixes.patch + # secure boot Patch1000: secure-modules.patch Patch1001: modsign-uefi.patch @@ -1328,6 +1330,8 @@ ApplyPatch Revert-userns-Allow-unprivileged-users-to-create-use.patch # /dev/crash driver. ApplyPatch crash-driver.patch +ApplyPatch keys-fixes.patch + # crypto/ # secure boot @@ -2200,6 +2204,9 @@ fi # ||----w | # || || %changelog +* Fri Dec 13 2013 Josh Boyer <jwboyer@fedoraproject.org> +- More keys fixes from upstream to fix keyctl_get_persisent crash (rhbz 1043033) + * Fri Dec 13 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc3.git4.1 - Linux v3.13-rc3-302-g8d27637 diff --git a/keys-fixes.patch b/keys-fixes.patch new file mode 100644 index 000000000..a28455223 --- /dev/null +++ b/keys-fixes.patch @@ -0,0 +1,174 @@ +Bugzilla: 1043033 +Upstream-status: submitted for 3.13 + +From d7ec435fdd03cfee70dba934ee384acc87bd6d00 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Fri, 13 Dec 2013 15:20:19 +0000 +Subject: [PATCH 1/3] X.509: Fix certificate gathering + +Fix the gathering of certificates from both the source tree and the build tree +to correctly calculate the pathnames of all the certificates. + +The problem was that if the default generated cert, signing_key.x509, didn't +exist then it would not have a path attached and if it did, it would have a +path attached. + +This means that the contents of kernel/.x509.list would change between the +first compilation in a directory and the second. After the second it would +remain stable because the signing_key.x509 file exists. + +The consequence was that the kernel would get relinked unconditionally on the +second recompilation. The second recompilation would also show something like +this: + + X.509 certificate list changed + CERTS kernel/x509_certificate_list + - Including cert /home/torvalds/v2.6/linux/signing_key.x509 + AS kernel/system_certificates.o + LD kernel/built-in.o + +which is why the relink would happen. + + +Unfortunately, it isn't a simple matter of just sticking a path on the front +of the filename of the certificate in the build directory as make can't then +work out how to build it. + +So the path has to be prepended to the name for sorting and duplicate +elimination and then removed for the make rule if it is in the build tree. + +Reported-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: David Howells <dhowells@redhat.com> +--- + kernel/Makefile | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/Makefile b/kernel/Makefile +index bbaf7d5..c23bb0b 100644 +--- a/kernel/Makefile ++++ b/kernel/Makefile +@@ -137,9 +137,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE + ############################################################################### + ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) + X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509) +-X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509 +-X509_CERTIFICATES := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \ ++X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509 ++X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \ + $(or $(realpath $(CERT)),$(CERT)))) ++X509_CERTIFICATES := $(subst $(realpath $(objtree))/,,$(X509_CERTIFICATES-raw)) + + ifeq ($(X509_CERTIFICATES),) + $(warning *** No X.509 certificates found ***) +-- +1.8.3.1 + + +From f46a3cbbebdaa5ca7b3ab23d7b81925dbe152bcb Mon Sep 17 00:00:00 2001 +From: Kirill Tkhai <tkhai@yandex.ru> +Date: Tue, 10 Dec 2013 22:39:57 +0400 +Subject: [PATCH 2/3] KEYS: Remove files generated when + SYSTEM_TRUSTED_KEYRING=y + +Always remove generated SYSTEM_TRUSTED_KEYRING files while doing make mrproper. + +Signed-off-by: Kirill Tkhai <tkhai@yandex.ru> +Signed-off-by: David Howells <dhowells@redhat.com> +--- + kernel/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/Makefile b/kernel/Makefile +index c23bb0b..bc010ee 100644 +--- a/kernel/Makefile ++++ b/kernel/Makefile +@@ -165,9 +165,9 @@ $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list + targets += $(obj)/.x509.list + $(obj)/.x509.list: + @echo $(X509_CERTIFICATES) >$@ ++endif + + clean-files := x509_certificate_list .x509.list +-endif + + ifeq ($(CONFIG_MODULE_SIG),y) + ############################################################################### +-- +1.8.3.1 + + +From 6bd364d82920be726c2d678e7ba9e27112686e11 Mon Sep 17 00:00:00 2001 +From: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com> +Date: Fri, 13 Dec 2013 15:00:32 +0800 +Subject: [PATCH 3/3] KEYS: fix uninitialized persistent_keyring_register_sem + +We run into this bug: +[ 2736.063245] Unable to handle kernel paging request for data at address 0x00000000 +[ 2736.063293] Faulting instruction address: 0xc00000000037efb0 +[ 2736.063300] Oops: Kernel access of bad area, sig: 11 [#1] +[ 2736.063303] SMP NR_CPUS=2048 NUMA pSeries +[ 2736.063310] Modules linked in: sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE ip6table_mangle ip6table_security ip6table_raw ip6t_REJECT iptable_nat nf_nat_ipv4 iptable_mangle iptable_security iptable_raw ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ebtable_filter ebtables ip6table_filter iptable_filter ip_tables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nf_nat nf_conntrack ip6_tables ibmveth pseries_rng nx_crypto nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc xfs libcrc32c dm_service_time sd_mod crc_t10dif crct10dif_common ibmvfc scsi_transport_fc scsi_tgt dm_mirror dm_region_hash dm_log dm_multipath dm_mod +[ 2736.063383] CPU: 1 PID: 7128 Comm: ssh Not tainted 3.10.0-48.el7.ppc64 #1 +[ 2736.063389] task: c000000131930120 ti: c0000001319a0000 task.ti: c0000001319a0000 +[ 2736.063394] NIP: c00000000037efb0 LR: c0000000006c40f8 CTR: 0000000000000000 +[ 2736.063399] REGS: c0000001319a3870 TRAP: 0300 Not tainted (3.10.0-48.el7.ppc64) +[ 2736.063403] MSR: 8000000000009032 <SF,EE,ME,IR,DR,RI> CR: 28824242 XER: 20000000 +[ 2736.063415] SOFTE: 0 +[ 2736.063418] CFAR: c00000000000908c +[ 2736.063421] DAR: 0000000000000000, DSISR: 40000000 +[ 2736.063425] +GPR00: c0000000006c40f8 c0000001319a3af0 c000000001074788 c0000001319a3bf0 +GPR04: 0000000000000000 0000000000000000 0000000000000020 000000000000000a +GPR08: fffffffe00000002 00000000ffff0000 0000000080000001 c000000000924888 +GPR12: 0000000028824248 c000000007e00400 00001fffffa0f998 0000000000000000 +GPR16: 0000000000000022 00001fffffa0f998 0000010022e92470 0000000000000000 +GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +GPR24: 0000000000000000 c000000000f4a828 00003ffffe527108 0000000000000000 +GPR28: c000000000f4a730 c000000000f4a828 0000000000000000 c0000001319a3bf0 +[ 2736.063498] NIP [c00000000037efb0] .__list_add+0x30/0x110 +[ 2736.063504] LR [c0000000006c40f8] .rwsem_down_write_failed+0x78/0x264 +[ 2736.063508] PACATMSCRATCH [800000000280f032] +[ 2736.063511] Call Trace: +[ 2736.063516] [c0000001319a3af0] [c0000001319a3b80] 0xc0000001319a3b80 (unreliable) +[ 2736.063523] [c0000001319a3b80] [c0000000006c40f8] .rwsem_down_write_failed+0x78/0x264 +[ 2736.063530] [c0000001319a3c50] [c0000000006c1bb0] .down_write+0x70/0x78 +[ 2736.063536] [c0000001319a3cd0] [c0000000002e5ffc] .keyctl_get_persistent+0x20c/0x320 +[ 2736.063542] [c0000001319a3dc0] [c0000000002e2388] .SyS_keyctl+0x238/0x260 +[ 2736.063548] [c0000001319a3e30] [c000000000009e7c] syscall_exit+0x0/0x7c +[ 2736.063553] Instruction dump: +[ 2736.063556] 7c0802a6 fba1ffe8 fbc1fff0 fbe1fff8 7cbd2b78 7c9e2378 7c7f1b78 f8010010 +[ 2736.063566] f821ff71 e8a50008 7fa52040 40de00c0 <e8be0000> 7fbd2840 40de0094 7fbff040 +[ 2736.063579] ---[ end trace 2708241785538296 ]--- + +It's caused by uninitialized persistent_keyring_register_sem. + +The bug was introduced by commit f36f8c75, two typos are in that commit: +CONFIG_KEYS_KERBEROS_CACHE should be CONFIG_PERSISTENT_KEYRINGS and +krb_cache_register_sem should be persistent_keyring_register_sem. + +Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com> +Signed-off-by: David Howells <dhowells@redhat.com> +--- + kernel/user.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/user.c b/kernel/user.c +index a3a0dbf..c006131 100644 +--- a/kernel/user.c ++++ b/kernel/user.c +@@ -51,9 +51,9 @@ struct user_namespace init_user_ns = { + .owner = GLOBAL_ROOT_UID, + .group = GLOBAL_ROOT_GID, + .proc_inum = PROC_USER_INIT_INO, +-#ifdef CONFIG_KEYS_KERBEROS_CACHE +- .krb_cache_register_sem = +- __RWSEM_INITIALIZER(init_user_ns.krb_cache_register_sem), ++#ifdef CONFIG_PERSISTENT_KEYRINGS ++ .persistent_keyring_register_sem = ++ __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem), + #endif + }; + EXPORT_SYMBOL_GPL(init_user_ns); +-- +1.8.3.1 + |