android_kernel_google_msm

mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00

History

David Howells 9793b7bc42 KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring commit f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 upstream. The following sequence of commands: i=`keyctl add user a a @s` keyctl request2 keyring foo bar @t keyctl unlink $i @s tries to invoke an upcall to instantiate a keyring if one doesn't already exist by that name within the user's keyring set. However, if the upcall fails, the code sets keyring->type_data.reject_error to -ENOKEY or some other error code. When the key is garbage collected, the key destroy function is called unconditionally and keyring_destroy() uses list_empty() on keyring->type_data.link - which is in a union with reject_error. Subsequently, the kernel tries to unlink the keyring from the keyring names list - which oopses like this: BUG: unable to handle kernel paging request at 00000000ffffff8a IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88 ... Workqueue: events key_garbage_collector ... RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88 RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203 RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40 RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000 R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900 R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000 ... CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0 ... Call Trace: [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351 [<ffffffff8105ec9b>] process_one_work+0x28e/0x547 [<ffffffff8105fd17>] worker_thread+0x26e/0x361 [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8 [<ffffffff810648ad>] kthread+0xf3/0xfb [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2 [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2 Note the value in RAX. This is a 32-bit representation of -ENOKEY. The solution is to only call ->destroy() if the key was successfully instantiated. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> [lizf: Backported to 3.4: adjust indentation] Signed-off-by: Zefan Li <lizefan@huawei.com>		2016-03-21 09:17:55 +08:00
..
encrypted-keys	KEYS: Fix stale key registration at error path	2015-04-14 17:33:45 +08:00
compat.c	Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys	2013-03-14 11:29:51 -07:00
gc.c	KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring	2016-03-21 09:17:55 +08:00
internal.h	keys: add a "logon" key type	2012-01-17 22:39:40 -06:00
key.c	Created a function for setting timeouts on keys	2012-03-01 16:50:31 -05:00
keyctl.c	key: Fix resource leak	2013-03-28 12:12:27 -07:00
keyring.c	KEYS: Add missing smp_rmb() primitives to the keyring search code	2012-01-18 10:41:27 +11:00
Makefile	encrypted-keys: create encrypted-keys directory	2011-09-14 15:22:26 -04:00
permission.c	KEYS: Fix up comments in key management code	2011-01-21 14:59:30 -08:00
proc.c	KEYS: Improve /proc/keys	2011-03-17 11:59:32 +11:00
process_keys.c	keys: fix race with concurrent install_user_keyrings()	2013-03-14 11:29:51 -07:00
request_key.c	usermodehelper: kill umh_wait, renumber UMH_* constants	2012-03-23 16:58:41 -07:00
request_key_auth.c	KEYS: Don't return EAGAIN to keyctl_assume_authority()	2011-06-14 15:03:29 +10:00
sysctl.c	sysctl: Drop & in front of every proc_handler.	2009-11-18 08:37:40 -08:00
trusted.c	keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages	2012-01-18 10:41:29 +11:00
trusted.h	trusted-keys: rename trusted_defined files to trusted	2011-01-24 10:14:22 +11:00
user_defined.c	Merge git://git.samba.org/sfrench/cifs-2.6	2012-01-23 08:59:49 -08:00