From 853388e615b6fb4fbec7fded3eb2652fe0120527 Mon Sep 17 00:00:00 2001
From: Bin Yang
Date: Wed, 31 Jul 2019 14:12:05 +0800
Subject: [PATCH] epoll: fix use-after-free in eventpoll_release_file
back port upstream patch https://github.com/torvalds/linux/commit/ebe06187bf2aec10d537ce4595e416035367d703 the epi is removed from list by list_del_rcu(&epi->fllink); under list_for_each_entry_rcu() without rcu_read_lock. if the rcu grace-period thread free epi before next list_for_each loop, the content of epi will be corrupted.
Change-Id: I75dbf8ada5ca4734761efe260ca6d6f85886b180
Closes-Bug: 1837430
Suggested-by: daniel.badea@windriver.com
Signed-off-by: Bin Yang
---
 kernel/kernel-rt/centos/build_srpm.data | 2 +-
 .../centos/meta_patches/Compile-issues.patch | 28 +++++-----
 .../Kernel-source-patches-for-TiC.patch | 20 +++---
 ...after-free-in-eventpoll_release_file.patch | 52 +++++++++++++++++++
 kernel/kernel-std/centos/build_srpm.data | 2 +-
 .../centos/meta_patches/Compile-issues.patch | 30 +++++------
 .../Kernel-source-patches-for-TiC.patch | 23 ++++----
 ...after-free-in-eventpoll_release_file.patch | 52 +++++++++++++++++++
 8 files changed, 159 insertions(+), 50 deletions(-)
 create mode 100644 kernel/kernel-rt/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch
 create mode 100644 kernel/kernel-std/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch
diff --git a/kernel/kernel-rt/centos/build_srpm.data b/kernel/kernel-rt/centos/build_srpm.data
index 2ed119b61..b0daa29a3 100644
--- a/kernel/kernel-rt/centos/build_srpm.data
+++ b/kernel/kernel-rt/centos/build_srpm.data
@@ -1,4 +1,4 @@
 COPY_LIST="files/*"
-TIS_PATCH_VER=3
+TIS_PATCH_VER=4
 BUILD_IS_BIG=11
 BUILD_IS_SLOW=12
diff --git a/kernel/kernel-rt/centos/meta_patches/Compile-issues.patch b/kernel/kernel-rt/centos/meta_patches/Compile-issues.patch
index b409d56b3..e0ef4222a 100644
--- a/kernel/kernel-rt/centos/meta_patches/Compile-issues.patch
+++ b/kernel/kernel-rt/centos/meta_patches/Compile-issues.patch
@@ -1,33 +1,33 @@
-From 6fe892d415b3d728d223069eacb6f291fc38d86d Mon Sep 17 00:00:00 2001
-From: Alex Kozyrev
-Date: Mon, 29 Jul 2019 11:48:51 -0400
-Subject: [PATCH 1/1] Compile issues
+From d83caf51542ff89ffc70377d8a04d697d8fe09e3 Mon Sep 17 00:00:00 2001
+From: Bin Yang
+Date: Wed, 31 Jul 2019 14:23:20 +0800
+Subject: [PATCH 3/3] Compile issues
-Signed-off-by: Alex Kozyrev
+Signed-off-by: Bin Yang
 ---
 SPECS/kernel-rt.spec | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
-index 3b7985c..5025db7 100644
+index e94ec2f..e6e71e4 100644
 --- a/SPECS/kernel-rt.spec
+++ b/SPECS/kernel-rt.spec
-@@ -418,6 +418,11 @@ # DRBD was choking on write same
- Patch1028: turn-off-write-same-in-smartqpi-driver.patch
+@@ -420,6 +420,11 @@ Patch1028: turn-off-write-same-in-smartqpi-driver.patch
 Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 Patch1030: robustify-CFS-bandwidth-timer-locking.patch
-+Patch1031: fix-compilation-issues.patch
+ Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
++Patch1032: fix-compilation-issues.patch
 +# Fix CentOS 7.6 upgrade compile error
-+Patch1032: fix-CentOS-7.6-upgrade-compile-error.patch
++Patch1033: fix-CentOS-7.6-upgrade-compile-error.patch
 +# Compile fix for disabling CONFIG_MEMCG_KMEM
-+Patch1033: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
++Patch1034: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
-@@ -781,6 +786,9 @@ ApplyPatch dpt_i2o-fix-build-warning.patch
- ApplyPatch turn-off-write-same-in-smartqpi-driver.patch
+@@ -784,6 +789,9 @@ ApplyPatch turn-off-write-same-in-smartqpi-driver.patch
 ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
+ ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +ApplyPatch fix-compilation-issues.patch
 +ApplyPatch fix-CentOS-7.6-upgrade-compile-error.patch
 +ApplyPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
@@ -35,5 +35,5 @@ index 3b7985c..5025db7 100644
 # move off upstream version mechanism
 if [ -e localversion-rt ]; then
 --
-1.8.3.1
+2.7.4
diff --git a/kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch b/kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch
index bd64abf84..18ff5cdd2 100644
--- a/kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch
+++ b/kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch
@@ -1,18 +1,18 @@
-From 6a04eb3881ccb3c592b4b47d36bde90f1e33c598 Mon Sep 17 00:00:00 2001
-From: Alex Kozyrev
+From 2c23df3f032c68046a309e5b9f1d321438905e85 Mon Sep 17 00:00:00 2001
+From: Bin Yang
 Date: Mon, 29 Jul 2019 11:48:49 -0400
 Subject: [PATCH 2/3] Kernel source patches for TiC
-Signed-off-by: Alex Kozyrev
+Signed-off-by: Bin Yang
 ---
- SPECS/kernel-rt.spec | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 64 insertions(+)
+ SPECS/kernel-rt.spec | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 66 insertions(+)
 diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
-index 905ae52..15114e6 100644
+index efc89cd..e94ec2f 100644
 --- a/SPECS/kernel-rt.spec
 +++ b/SPECS/kernel-rt.spec
-@@ -386,6 +386,39 @@ Source1000: modprobe-dccp-blacklist.conf
+@@ -386,6 +386,40 @@ Source1000: modprobe-dccp-blacklist.conf
 # Empty final patch file to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
@@ -49,10 +49,11 @@ index 905ae52..15114e6 100644
 +Patch1028: turn-off-write-same-in-smartqpi-driver.patch
 +Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 +Patch1030: robustify-CFS-bandwidth-timer-locking.patch
++Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
-@@ -718,6 +751,37 @@ cp %{SOURCE38} .
+@@ -718,6 +752,38 @@ cp %{SOURCE38} .
 ## Apply Patches here
 ApplyPatch linux-kernel-test.patch
@@ -87,9 +88,10 @@ index 905ae52..15114e6 100644
 +ApplyPatch turn-off-write-same-in-smartqpi-driver.patch
 +ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 +ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
++ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
 # move off upstream version mechanism
 if [ -e localversion-rt ]; then
 --
-1.8.3.1
+2.7.4
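Review bot: The entry added at `++Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch` carries no descriptive comment, whereas the kernel-std counterpart in this same commit adds `# Fix use-after-free in eventpoll_release_file` above its Patch40027 line; adding the same one-line comment here keeps the two spec patch lists in one style. The regenerated header in the first hunk also changes `From:` to the new author but leaves `Date: Mon, 29 Jul 2019 11:48:49 -0400` as unchanged context, which looks like a leftover from regenerating the meta patch rather than intent and is worth confirming.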
diff --git a/kernel/kernel-rt/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch b/kernel/kernel-rt/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch
new file mode 100644
index 000000000..ddfd114b2
--- /dev/null
+++ b/kernel/kernel-rt/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch
@@ -0,0 +1,52 @@
+From ebe06187bf2aec10d537ce4595e416035367d703 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Tue, 17 Jun 2014 06:58:05 +0400
+Subject: [PATCH] epoll: fix use-after-free in eventpoll_release_file
+
+This fixes use-after-free of epi->fllink.next inside list loop macro.
+This loop actually releases elements in the body. The list is
+rcu-protected but here we cannot hold rcu_read_lock because we need to
+lock mutex inside.
+
+The obvious solution is to use list_for_each_entry_safe(). RCU-ness
+isn't essential because nobody can change this list under us, it's final
+fput for this file.
+
+The bug was introduced by ae10b2b4eb01 ("epoll: optimize EPOLL_CTL_DEL
+using rcu")
+
+Signed-off-by: Konstantin Khlebnikov
+Reported-by: Cyrill Gorcunov
+Cc: Stable # 3.13+
+Cc: Sasha Levin
+Cc: Jason Baron
+Signed-off-by: Linus Torvalds
+---
+ fs/eventpoll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index b73e062..b10b48c 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -910,7 +910,7 @@ static const struct file_operations eventpoll_fops = {
+ void eventpoll_release_file(struct file *file)
+ {
+ struct eventpoll *ep;
+- struct epitem *epi;
++ struct epitem *epi, *next;
+
+ /*
+ * We don't want to get "file->f_lock" because it is not
+@@ -926,7 +926,7 @@ void eventpoll_release_file(struct file *file)
+ * Besides, ep_remove() acquires the lock, so we can't hold it here.
+ */
+ mutex_lock(&epmutex);
+- list_for_each_entry_rcu(epi, &file->f_ep_links, fllink) {
++ list_for_each_entry_safe(epi, next, &file->f_ep_links, fllink) {
+ ep = epi->ep;
+ mutex_lock_nested(&ep->mtx, 0);
+ ep_remove(ep, epi);
+--
+2.7.4
+
diff --git a/kernel/kernel-std/centos/build_srpm.data b/kernel/kernel-std/centos/build_srpm.data
index dab446664..2ed119b61 100644
--- a/kernel/kernel-std/centos/build_srpm.data
+++ b/kernel/kernel-std/centos/build_srpm.data
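Review bot: The switch to `list_for_each_entry_safe(epi, next, &file->f_ep_links, fllink)` is only sound because `next` cannot be unlinked by anyone else while `ep_remove(ep, epi)` frees `epi`; the backported commit message gives that argument (epmutex is held and this is the final fput for the file), but nothing in the loop itself records it, so a later change that drops the epmutex or runs this walk outside final release would silently reintroduce the use-after-free. A short comment above the loop would pin the invariant: `/* Non-RCU walk is safe: epmutex is held and this is the final fput, so nothing else can unlink entries; 'next' stays valid while ep_remove() frees 'epi'. */`. The body of eventpoll_release_file continues past the end of the inner hunk (the loop close and unlock are not shown), so the comment belongs with the loop head rather than the function header. The kernel-std copy added in the last new-file hunk of this commit (kernel/kernel-std/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch, same blob ddfd114b2) is identical and the same remark applies there.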
@@ -1,4 +1,4 @@
 COPY_LIST="files/*"
-TIS_PATCH_VER=2
+TIS_PATCH_VER=3
 BUILD_IS_BIG=11
 BUILD_IS_SLOW=12
diff --git a/kernel/kernel-std/centos/meta_patches/Compile-issues.patch b/kernel/kernel-std/centos/meta_patches/Compile-issues.patch
index b46a1a3e5..268920ea7 100644
--- a/kernel/kernel-std/centos/meta_patches/Compile-issues.patch
+++ b/kernel/kernel-std/centos/meta_patches/Compile-issues.patch
@@ -1,34 +1,34 @@
-From 6b9579fcfb774f20f114ebc621a925d35d3aa034 Mon Sep 17 00:00:00 2001
-From: Bart Wensley
-Date: Tue, 9 Jul 2019 06:36:33 -0500
-Subject: [PATCH 1/1] Compile issues
+From e49a8758922e1f23c4e77dd19cf4eb1f80263763 Mon Sep 17 00:00:00 2001
+From: Bin Yang
+Date: Wed, 31 Jul 2019 10:50:03 +0800
+Subject: [PATCH 3/3] Compile issues
-Signed-off-by: Bart Wensley
+Signed-off-by: Bin Yang
 ---
 SPECS/kernel.spec | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
-index 3f774c2..b69967d 100644
+index 9149019..b8fb9f9 100644
 --- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
-@@ -489,6 +489,12 @@ Patch40024: aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
- Patch40025: dpt_i2o-fix-build-warning.patch
- # DRBD was choking on write same
+@@ -491,6 +491,12 @@ Patch40025: dpt_i2o-fix-build-warning.patch
 Patch40026: turn-off-write-same-in-smartqpi-driver.patch
+ # Fix use-after-free in eventpoll_release_file
+ Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +# Fix assorted compilation issues
-+Patch40027: fix-compilation-issues.patch
++Patch40028: fix-compilation-issues.patch
 +# Fix CentOS 7.6 upgrade compile error
-+Patch40028: fix-CentOS-7.6-upgrade-compile-error.patch
++Patch40029: fix-CentOS-7.6-upgrade-compile-error.patch
 +# Compile fix for disabling CONFIG_MEMCG_KMEM
-+Patch40029: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
++Patch40030: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
 BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
-@@ -859,6 +865,9 @@ ApplyOptionalPatch US103091-IMA-System-Configuration.patch
- ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
+@@ -862,6 +868,9 @@ ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
 ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
 ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
+ ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +ApplyOptionalPatch fix-compilation-issues.patch
 +ApplyOptionalPatch fix-CentOS-7.6-upgrade-compile-error.patch
 +ApplyOptionalPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
@@ -36,5 +36,5 @@ index 3f774c2..b69967d 100644
 # Any further pre-build tree manipulations happen here.
 --
-1.8.3.1
+2.7.4
diff --git a/kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch b/kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch
index 935f059a8..c42f38405 100644
--- a/kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch
+++ b/kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch
@@ -1,18 +1,18 @@
-From d9d90b72c19c1d063272d2b84bd76c52514bf6ac Mon Sep 17 00:00:00 2001
-From: Jim Somerville
-Date: Fri, 20 Apr 2018 16:13:47 -0400
-Subject: [PATCH 2/5] Kernel source patches for TiC
+From 7191a6f784f12e295e508f105da4cfde518a64e7 Mon Sep 17 00:00:00 2001
+From: Bin Yang
+Date: Wed, 31 Jul 2019 10:49:20 +0800
+Subject: [PATCH 2/3] Kernel source patches for TiC
-Signed-off-by: Jim Somerville
+Signed-off-by: Bin Yang
 ---
- SPECS/kernel.spec | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 58 insertions(+)
+ SPECS/kernel.spec | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
 diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
-index eef356a..f1a0092 100644
+index 5b93a98..9149019 100644
 --- a/SPECS/kernel.spec
 +++ b/SPECS/kernel.spec
-@@ -460,6 +460,36 @@ Patch1002: debrand-rh-i686-cpu.patch
+@@ -460,6 +460,38 @@ Patch1002: debrand-rh-i686-cpu.patch
 Source30000: kernel-3.10.0-x86_64.config.tis_extra
 Source30001: ima_signing_key.pub
@@ -45,11 +45,13 @@ index eef356a..f1a0092 100644
 +Patch40025: dpt_i2o-fix-build-warning.patch
 +# DRBD was choking on write same
 +Patch40026: turn-off-write-same-in-smartqpi-driver.patch
++# Fix use-after-free in eventpoll_release_file
++Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +
 BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
 %description
-@@ -802,6 +832,34 @@ ApplyOptionalPatch debrand-single-cpu.patch
+@@ -802,6 +834,35 @@ ApplyOptionalPatch debrand-single-cpu.patch
 ApplyOptionalPatch debrand-rh_taint.patch
 ApplyOptionalPatch debrand-rh-i686-cpu.patch
@@ -80,6 +82,7 @@ index eef356a..f1a0092 100644
 +ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
 +ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
 +ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
++ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
 +
 # Any further pre-build tree manipulations happen here.
diff --git a/kernel/kernel-std/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch b/kernel/kernel-std/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch
new file mode 100644
index 000000000..ddfd114b2
--- /dev/null
+++ b/kernel/kernel-std/centos/patches/epoll-fix-use-after-free-in-eventpoll_release_file.patch
@@ -0,0 +1,52 @@
+From ebe06187bf2aec10d537ce4595e416035367d703 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Tue, 17 Jun 2014 06:58:05 +0400
+Subject: [PATCH] epoll: fix use-after-free in eventpoll_release_file
+
+This fixes use-after-free of epi->fllink.next inside list loop macro.
+This loop actually releases elements in the body. The list is
+rcu-protected but here we cannot hold rcu_read_lock because we need to
+lock mutex inside.
+
+The obvious solution is to use list_for_each_entry_safe(). RCU-ness
+isn't essential because nobody can change this list under us, it's final
+fput for this file.
+
+The bug was introduced by ae10b2b4eb01 ("epoll: optimize EPOLL_CTL_DEL
+using rcu")
+
+Signed-off-by: Konstantin Khlebnikov
+Reported-by: Cyrill Gorcunov
+Cc: Stable # 3.13+
+Cc: Sasha Levin
+Cc: Jason Baron
+Signed-off-by: Linus Torvalds
+---
+ fs/eventpoll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index b73e062..b10b48c 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -910,7 +910,7 @@ static const struct file_operations eventpoll_fops = {
+ void eventpoll_release_file(struct file *file)
+ {
+ struct eventpoll *ep;
+- struct epitem *epi;
++ struct epitem *epi, *next;
+
+ /*
+ * We don't want to get "file->f_lock" because it is not
+@@ -926,7 +926,7 @@ void eventpoll_release_file(struct file *file)
+ * Besides, ep_remove() acquires the lock, so we can't hold it here.
+ */
+ mutex_lock(&epmutex);
+- list_for_each_entry_rcu(epi, &file->f_ep_links, fllink) {
++ list_for_each_entry_safe(epi, next, &file->f_ep_links, fllink) {
+ ep = epi->ep;
+ mutex_lock_nested(&ep->mtx, 0);
+ ep_remove(ep, epi);
+--
+2.7.4
+