From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dave Jones <davej@redhat.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [ 073/100] userns: Stop oopsing in key_change_session_keyring
Date: Tue, 12 Mar 2013 15:31:58 -0700
Message-ID: <20130312223130.790544814@linuxfoundation.org>
In-Reply-To: <20130312223122.884099393@linuxfoundation.org>
3.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit ba0e3427b03c3d1550239779eca5c1c5a53a2152 upstream.
Dave Jones <davej@redhat.com> writes:
> Just hit this on Linus' current tree.
>
> [ 89.621770] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8
> [ 89.623111] IP: [<ffffffff810784b0>] commit_creds+0x250/0x2f0
> [ 89.624062] PGD 122bfd067 PUD 122bfe067 PMD 0
> [ 89.624901] Oops: 0000 [#1] PREEMPT SMP
> [ 89.625678] Modules linked in: caif_socket caif netrom bridge hidp 8021q garp stp mrp rose llc2 af_rxrpc phonet af_key binfmt_misc bnep l2tp_ppp can_bcm l2tp_core pppoe pppox can_raw scsi_transport_iscsi ppp_generic slhc nfnetlink can ipt_ULOG ax25 decnet irda nfc rds x25 crc_ccitt appletalk atm ipx p8023 psnap p8022 llc lockd sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables btusb bluetooth snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_pcm vhost_net snd_page_alloc snd_timer tun macvtap usb_debug snd rfkill microcode macvlan edac_core pcspkr serio_raw kvm_amd soundcore kvm r8169 mii
> [ 89.637846] CPU 2
> [ 89.638175] Pid: 782, comm: trinity-main Not tainted 3.8.0+ #63 Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H
> [ 89.639850] RIP: 0010:[<ffffffff810784b0>] [<ffffffff810784b0>] commit_creds+0x250/0x2f0
> [ 89.641161] RSP: 0018:ffff880115657eb8 EFLAGS: 00010207
> [ 89.641984] RAX: 00000000000003e8 RBX: ffff88012688b000 RCX: 0000000000000000
> [ 89.643069] RDX: 0000000000000000 RSI: ffffffff81c32960 RDI: ffff880105839600
> [ 89.644167] RBP: ffff880115657ed8 R08: 0000000000000000 R09: 0000000000000000
> [ 89.645254] R10: 0000000000000001 R11: 0000000000000246 R12: ffff880105839600
> [ 89.646340] R13: ffff88011beea490 R14: ffff88011beea490 R15: 0000000000000000
> [ 89.647431] FS: 00007f3ac063b740(0000) GS:ffff88012b200000(0000) knlGS:0000000000000000
> [ 89.648660] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [ 89.649548] CR2: 00000000000000c8 CR3: 0000000122bfc000 CR4: 00000000000007e0
> [ 89.650635] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 89.651723] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [ 89.652812] Process trinity-main (pid: 782, threadinfo ffff880115656000, task ffff88011beea490)
> [ 89.654128] Stack:
> [ 89.654433] 0000000000000000 ffff8801058396a0 ffff880105839600 ffff88011beeaa78
> [ 89.655769] ffff880115657ef8 ffffffff812c7d9b ffffffff82079be0 0000000000000000
> [ 89.657073] ffff880115657f28 ffffffff8106c665 0000000000000002 ffff880115657f58
> [ 89.658399] Call Trace:
> [ 89.658822] [<ffffffff812c7d9b>] key_change_session_keyring+0xfb/0x140
> [ 89.659845] [<ffffffff8106c665>] task_work_run+0xa5/0xd0
> [ 89.660698] [<ffffffff81002911>] do_notify_resume+0x71/0xb0
> [ 89.661581] [<ffffffff816c9a4a>] int_signal+0x12/0x17
> [ 89.662385] Code: 24 90 00 00 00 48 8b b3 90 00 00 00 49 8b 4c 24 40 48 39 f2 75 08 e9 83 00 00 00 48 89 ca 48 81 fa 60 29 c3 81 0f 84 41 fe ff ff <48> 8b 8a c8 00 00 00 48 39 ce 75 e4 3b 82 d0 00 00 00 0f 84 4b
> [ 89.667778] RIP [<ffffffff810784b0>] commit_creds+0x250/0x2f0
> [ 89.668733] RSP <ffff880115657eb8>
> [ 89.669301] CR2: 00000000000000c8
>
> My fastest trinity induced oops yet!
>
>
> Appears to be..
>
> if ((set_ns == subset_ns->parent) &&
> 850: 48 8b 8a c8 00 00 00 mov 0xc8(%rdx),%rcx
>
> from the inlined cred_cap_issubset
By historical accident we have been reading trying to set new->user_ns
from new->user_ns. Which is totally silly as new->user_ns is NULL (as
is every other field in new except session_keyring at that point).
The intent is clearly to copy all of the fields from old to new so copy
old->user_ns into new->user_ns.
Reported-by: Dave Jones <davej@redhat.com>
Tested-by: Dave Jones <davej@redhat.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/process_keys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -839,7 +839,7 @@ void key_change_session_keyring(struct c
new-> sgid = old-> sgid;
new->fsgid = old->fsgid;
new->user = get_uid(old->user);
- new->user_ns = get_user_ns(new->user_ns);
+ new->user_ns = get_user_ns(old->user_ns);
new->group_info = get_group_info(old->group_info);
new->securebits = old->securebits;
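Review bot: The changelog attributes the `new->user_ns` self-read on the removed line to "historical accident" without naming the commit that introduced it, so a stable reviewer cannot tell from this mail which branches other than 3.8 carry the bug; a reference to the introducing commit would settle that. The `+` line itself is consistent with its neighbours, `get_uid(old->user)` and `get_group_info(old->group_info)`, which both take a reference on the field from `old`. The oops in the report fires in `commit_creds`, not in this function, so the NULL `user_ns` was stored without complaint here; since the function copies the credential fields one at a time, a short comment stating that every field must be taken from `old` would make a repeat of this slip easier to catch in review.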