Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-09-22 12:42:50 +00:00
Code Issues Projects Releases Wiki Activity
android_kernel_google_msm/fs
History
David Howells de09a9771a CRED: Fix get_task_cred() and task_state() to not resurrect dead credentials 
It's possible for get_task_cred() as it currently stands to 'corrupt' a set of
credentials by incrementing their usage count after their replacement by the
task being accessed.

What happens is that get_task_cred() can race with commit_creds():

	TASK_1			TASK_2			RCU_CLEANER
	-->get_task_cred(TASK_2)
	rcu_read_lock()
	__cred = __task_cred(TASK_2)
				-->commit_creds()
				old_cred = TASK_2->real_cred
				TASK_2->real_cred = ...
				put_cred(old_cred)
				  call_rcu(old_cred)
		[__cred->usage == 0]
	get_cred(__cred)
		[__cred->usage == 1]
	rcu_read_unlock()
							-->put_cred_rcu()
							[__cred->usage == 1]
							panic()

However, since a tasks credentials are generally not changed very often, we can
reasonably make use of a loop involving reading the creds pointer and using
atomic_inc_not_zero() to attempt to increment it if it hasn't already hit zero.

If successful, we can safely return the credentials in the knowledge that, even
if the task we're accessing has released them, they haven't gone to the RCU
cleanup code.

We then change task_state() in procfs to use get_task_cred() rather than
calling get_cred() on the result of __task_cred(), as that suffers from the
same problem.

Without this change, a BUG_ON in __put_cred() or in put_cred_rcu() can be
tripped when it is noticed that the usage count is not zero as it ought to be,
for example:

kernel BUG at kernel/cred.c:168!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/kernel/mm/ksm/run
CPU 0
Pid: 2436, comm: master Not tainted 2.6.33.3-85.fc13.x86_64 #1 0HR330/OptiPlex
745
RIP: 0010:[<ffffffff81069881>]  [<ffffffff81069881>] __put_cred+0xc/0x45
RSP: 0018:ffff88019e7e9eb8  EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff880161514480 RCX: 00000000ffffffff
RDX: 00000000ffffffff RSI: ffff880140c690c0 RDI: ffff880140c690c0
RBP: ffff88019e7e9eb8 R08: 00000000000000d0 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000040 R12: ffff880140c690c0
R13: ffff88019e77aea0 R14: 00007fff336b0a5c R15: 0000000000000001
FS:  00007f12f50d97c0(0000) GS:ffff880007400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8f461bc000 CR3: 00000001b26ce000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process master (pid: 2436, threadinfo ffff88019e7e8000, task ffff88019e77aea0)
Stack:
 ffff88019e7e9ec8 ffffffff810698cd ffff88019e7e9ef8 ffffffff81069b45
<0> ffff880161514180 ffff880161514480 ffff880161514180 0000000000000000
<0> ffff88019e7e9f28 ffffffff8106aace 0000000000000001 0000000000000246
Call Trace:
 [<ffffffff810698cd>] put_cred+0x13/0x15
 [<ffffffff81069b45>] commit_creds+0x16b/0x175
 [<ffffffff8106aace>] set_current_groups+0x47/0x4e
 [<ffffffff8106ac89>] sys_setgroups+0xf6/0x105
 [<ffffffff81009b02>] system_call_fastpath+0x16/0x1b
Code: 48 8d 71 ff e8 7e 4e 15 00 85 c0 78 0b 8b 75 ec 48 89 df e8 ef 4a 15 00
48 83 c4 18 5b c9 c3 55 8b 07 8b 07 48 89 e5 85 c0 74 04 <0f> 0b eb fe 65 48 8b
04 25 00 cc 00 00 48 3b b8 58 04 00 00 75
RIP  [<ffffffff81069881>] __put_cred+0xc/0x45
 RSP <ffff88019e7e9eb8>
---[ end trace df391256a100ebdd ]---

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-07-29 15:16:17 -07:00
..
9p 9p: Pass the correct end of buffer to p9stat_read 2010-07-27 14:52:04 -05:00
adfs kill spurious reference to vmtruncate 2010-05-27 22:15:42 -04:00
affs drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
afs writeback: remove writeback_inodes_wbc 2010-07-06 08:54:03 +02:00
autofs fs/: do not fallback to default_llseek() when readdir() uses BKL 2010-05-27 09:12:56 -07:00
autofs4 fs/autofs4: use memdup_user 2010-05-27 09:12:41 -07:00
befs
bfs rename the generic fsync implementations 2010-05-27 22:06:06 -04:00
btrfs Merge git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable 2010-07-19 19:33:02 -07:00
cachefiles CacheFiles: Fix error handling in cachefiles_determine_cache_security() 2010-05-12 18:23:58 -07:00
ceph ceph: use complete_all and wake_up_all 2010-07-27 13:11:17 -07:00
cifs CIFS: Fix a malicious redirect problem in the DNS lookup code 2010-07-22 09:42:40 -07:00
coda drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
configfs fix setattr error handling in sysfs, configfs 2010-06-04 17:16:29 -04:00
cramfs
debugfs Add x64 support to debugfs 2010-05-19 22:41:57 -04:00
devpts Simplify devpts_get_sb() failure exits 2010-05-21 18:31:12 -04:00
dlm dlm: fix ast ordering for user locks 2010-04-30 14:52:51 -05:00
ecryptfs ecryptfs: Bugfix for error related to ecryptfs_hash_buckets 2010-07-28 19:59:24 -07:00
efs
exofs drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
exportfs
ext2 ext2: update ctime when changing the file's permission by setfacl 2010-06-25 01:20:37 +02:00
ext3 ext3: update ctime when changing the file's permission by setfacl 2010-06-25 01:20:37 +02:00
ext4 ext4: Fix remaining racy updates of EXT4_I(inode)->i_flags 2010-06-05 11:51:27 -04:00
fat fat: convert to use the new truncate convention. 2010-05-27 22:16:02 -04:00
freevxfs fs/: do not fallback to default_llseek() when readdir() uses BKL 2010-05-27 09:12:56 -07:00
fscache FS-Cache: Remove unneeded null checks 2010-06-01 13:32:11 -07:00
fuse Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse 2010-05-30 09:16:14 -07:00
gfs2 GFS2: Use kmalloc when possible for ->readdir() 2010-07-28 11:10:03 -07:00
hfs
hfsplus hfsplus: Push down BKL into ioctl function 2010-05-17 05:27:03 +02:00
hostfs drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
hpfs drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
hppfs drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
hugetlbfs rename the generic fsync implementations 2010-05-27 22:06:06 -04:00
isofs fs/: do not fallback to default_llseek() when readdir() uses BKL 2010-05-27 09:12:56 -07:00
jbd ext3: Fix waiting on transaction during fsync 2010-05-21 19:30:41 +02:00
jbd2 jbd2/ocfs2: Fix block checksumming when a buffer is used in several transactions 2010-07-15 15:17:47 -07:00
jffs2 Fix up trivial spelling errors ('taht' -> 'that') 2010-07-21 09:25:42 -07:00
jfs Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2010-05-30 09:11:11 -07:00
lockd
logfs drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
minix Minix: Clean up left over label 2010-06-04 17:16:30 -04:00
ncpfs drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
nfs mm: add context argument to shrinker callback 2010-07-19 14:56:17 +10:00
nfs_common
nfsd Merge branch 'for-2.6.35' of git://linux-nfs.org/~bfields/linux 2010-06-09 12:43:04 -07:00
nilfs2 nilfs2: remove obsolete declarations of cache constructor and destructor 2010-05-31 20:50:29 +09:00
nls
notify Saner locking around deactivate_super() 2010-05-21 18:31:14 -04:00
ntfs drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
ocfs2 Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2 2010-07-18 10:09:25 -07:00
omfs rename the generic fsync implementations 2010-05-27 22:06:06 -04:00
openpromfs
partitions [S390] dasd: use correct label location for diag fba disks 2010-07-19 09:22:50 +02:00
proc CRED: Fix get_task_cred() and task_state() to not resurrect dead credentials 2010-07-29 15:16:17 -07:00
qnx4 rename the generic fsync implementations 2010-05-27 22:06:06 -04:00
quota mm: add context argument to shrinker callback 2010-07-19 14:56:17 +10:00
ramfs fs: convert simple fs to new truncate 2010-05-27 22:15:47 -04:00
reiserfs Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2010-05-30 09:11:11 -07:00
romfs
smbfs kill spurious reference to vmtruncate 2010-05-27 22:15:42 -04:00
squashfs squashfs: fix name reading in squashfs_xattr_get 2010-05-23 08:27:42 +01:00
sysfs sysfs: allow creating symlinks from untagged to tagged directories 2010-07-26 12:02:41 -07:00
sysv sysvfs: fix NULL deref. when allocating new inode 2010-06-29 15:29:32 -07:00
ubifs mm: add context argument to shrinker callback 2010-07-19 14:56:17 +10:00
udf Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2010-05-30 09:11:11 -07:00
ufs Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2010-05-30 09:11:11 -07:00
xfs xfs: track AGs with reclaimable inodes in per-ag radix tree 2010-07-20 09:43:39 +10:00
aio.c get rid of the magic around f_count in aio 2010-05-27 22:03:07 -04:00
anon_inodes.c Revert "anon_inode: set S_IFREG on the anon_inode" 2010-05-27 22:03:05 -04:00
attr.c fs: introduce new truncate sequence 2010-05-27 22:15:33 -04:00
bad_inode.c drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
binfmt_aout.c
binfmt_elf.c
binfmt_elf_fdpic.c binfmt_elf_fdpic: Fix clear_user() error handling 2010-06-01 08:11:06 -07:00
binfmt_em86.c
binfmt_flat.c flat: tweak default stack alignment 2010-06-29 15:29:31 -07:00
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c
bio.c
block_dev.c block: remove duplicate BUG_ON() in bd_finish_claiming() 2010-06-10 19:08:34 +02:00
buffer.c fs: introduce new truncate sequence 2010-05-27 22:15:33 -04:00
char_dev.c
compat.c fs/compat_rw_copy_check_uvector: add missing compat_ptr call 2010-06-04 15:21:44 -07:00
compat_binfmt_elf.c
compat_ioctl.c pktcdvd: improve BKL and compat_ioctl.c usage 2010-04-29 08:44:37 -07:00
dcache.c mm: add context argument to shrinker callback 2010-07-19 14:56:17 +10:00
dcookies.c
direct-io.c fs: introduce new truncate sequence 2010-05-27 22:15:33 -04:00
drop_caches.c new helper: iterate_supers() 2010-05-21 18:31:16 -04:00
eventfd.c
eventpoll.c sched, wait: Use wrapper functions 2010-05-11 17:43:58 +02:00
exec.c exit: avoid sig->count in de_thread/__exit_signal synchronization 2010-05-27 09:12:46 -07:00
fcntl.c fs/fcntl.c:kill_fasync_rcu() fa_lock must be IRQ-safe 2010-06-29 15:29:32 -07:00
fifo.c
file.c
file_table.c get rid of the magic around f_count in aio 2010-05-27 22:03:07 -04:00
filesystems.c
fs-writeback.c writeback: simplify the write back thread queue 2010-07-06 08:59:53 +02:00
fs_struct.c
generic_acl.c fs: xattr_handler table should be const 2010-05-21 18:31:18 -04:00
inode.c mm: add context argument to shrinker callback 2010-07-19 14:56:17 +10:00
internal.h Bury __put_super_and_need_restart() 2010-05-21 18:31:16 -04:00
ioctl.c Introduce freeze_super and thaw_super for the fsfreeze ioctl 2010-05-21 18:31:18 -04:00
ioprio.c
Kconfig
Kconfig.binfmt
libfs.c wrong type for 'magic' argument in simple_fill_super() 2010-06-04 17:16:28 -04:00
locks.c
Makefile Take statfs variants to fs/statfs.c 2010-05-21 18:31:17 -04:00
mbcache.c mm: add context argument to shrinker callback 2010-07-19 14:56:17 +10:00
mpage.c
namei.c VFS: fix recent breakage of FS_REVAL_DOT 2010-05-27 22:03:06 -04:00
namespace.c Merge branch 'next' into for-linus 2010-05-18 08:57:00 +10:00
nfsctl.c
no-block.c
open.c Take statfs variants to fs/statfs.c 2010-05-21 18:31:17 -04:00
pipe.c pipe: fix check in "set size" fcntl 2010-06-10 19:08:34 +02:00
pnode.c
pnode.h
posix_acl.c
read_write.c vfs: introduce noop_llseek() 2010-05-27 09:12:56 -07:00
read_write.h
readdir.c
select.c
seq_file.c
signalfd.c
splice.c splice: check f_mode for seekable file 2010-06-30 08:12:37 +02:00
stack.c
stat.c
statfs.c Take statfs variants to fs/statfs.c 2010-05-21 18:31:17 -04:00
super.c fs: fix superblock iteration race 2010-06-29 10:38:22 -07:00
sync.c Merge branch 'master' into for-linus 2010-06-01 12:42:12 +02:00
timerfd.c fs/timerfd.c: make use of wait_event_interruptible_locked_irq() 2010-05-20 13:21:42 -07:00
utimes.c
xattr.c fs: xattr_handler table should be const 2010-05-21 18:31:18 -04:00
xattr_acl.c