--- /dev/null
+From c70d9d809fdeecedb96972457ee45c49a232d97f Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 22 May 2017 15:40:12 -0500
+Subject: ptrace: Properly initialize ptracer_cred on fork
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit c70d9d809fdeecedb96972457ee45c49a232d97f upstream.
+
+When I introduced ptracer_cred I failed to consider the weirdness of
+fork where the task_struct copies the old value by default. This
+winds up leaving ptracer_cred set even when a process forks and
+the child process does not wind up being ptraced.
+
+Because ptracer_cred is not set on non-ptraced processes whose
+parents were ptraced this has broken the ability of the enlightenment
+window manager to start setuid children.
+
+Fix this by properly initializing ptracer_cred in ptrace_init_task
+
+This must be done with a little bit of care to preserve the current value
+of ptracer_cred when ptrace carries through fork. Re-reading the
+ptracer_cred from the ptracing process at this point is inconsistent
+with how PT_PTRACE_CAP has been maintained all of these years.
+
+Tested-by: Takashi Iwai <tiwai@suse.de>
+Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/ptrace.h | 7 +++++--
+ kernel/ptrace.c | 20 +++++++++++++-------
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -53,7 +53,8 @@ extern int ptrace_request(struct task_st
+ unsigned long addr, unsigned long data);
+ extern void ptrace_notify(int exit_code);
+ extern void __ptrace_link(struct task_struct *child,
+- struct task_struct *new_parent);
++ struct task_struct *new_parent,
++ const struct cred *ptracer_cred);
+ extern void __ptrace_unlink(struct task_struct *child);
+ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead);
+ #define PTRACE_MODE_READ 0x01
+@@ -205,7 +206,7 @@ static inline void ptrace_init_task(stru
+
+ if (unlikely(ptrace) && current->ptrace) {
+ child->ptrace = current->ptrace;
+- __ptrace_link(child, current->parent);
++ __ptrace_link(child, current->parent, current->ptracer_cred);
+
+ if (child->ptrace & PT_SEIZED)
+ task_set_jobctl_pending(child, JOBCTL_TRAP_STOP);
+@@ -214,6 +215,8 @@ static inline void ptrace_init_task(stru
+
+ set_tsk_thread_flag(child, TIF_SIGPENDING);
+ }
++ else
++ child->ptracer_cred = NULL;
+ }
+
+ /**
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -57,19 +57,25 @@ int ptrace_access_vm(struct task_struct
+ }
+
+
++void __ptrace_link(struct task_struct *child, struct task_struct *new_parent,
++ const struct cred *ptracer_cred)
++{
++ BUG_ON(!list_empty(&child->ptrace_entry));
++ list_add(&child->ptrace_entry, &new_parent->ptraced);
++ child->parent = new_parent;
++ child->ptracer_cred = get_cred(ptracer_cred);
++}
++
+ /*
+ * ptrace a task: make the debugger its new parent and
+ * move it to the ptrace list.
+ *
+ * Must be called with the tasklist lock write-held.
+ */
+-void __ptrace_link(struct task_struct *child, struct task_struct *new_parent)
++static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ {
+- BUG_ON(!list_empty(&child->ptrace_entry));
+- list_add(&child->ptrace_entry, &new_parent->ptraced);
+- child->parent = new_parent;
+ rcu_read_lock();
+- child->ptracer_cred = get_cred(__task_cred(new_parent));
++ __ptrace_link(child, new_parent, __task_cred(new_parent));
+ rcu_read_unlock();
+ }
+
+@@ -383,7 +389,7 @@ static int ptrace_attach(struct task_str
+ flags |= PT_SEIZED;
+ task->ptrace = flags;
+
+- __ptrace_link(task, current);
++ ptrace_link(task, current);
+
+ /* SEIZE doesn't trap tracee on attach */
+ if (!seize)
+@@ -456,7 +462,7 @@ static int ptrace_traceme(void)
+ */
+ if (!ret && !(current->real_parent->flags & PF_EXITING)) {
+ current->ptrace = PT_PTRACED;
+- __ptrace_link(current, current->real_parent);
++ ptrace_link(current, current->real_parent);
+ }
+ }
+ write_unlock_irq(&tasklist_lock);
--- /dev/null
+From 1e948479b3d63e3ac0ecca13cbf4921c7d17c168 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 26 Apr 2017 12:24:21 +0200
+Subject: serial: ifx6x60: fix use-after-free on module unload
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1e948479b3d63e3ac0ecca13cbf4921c7d17c168 upstream.
+
+Make sure to deregister the SPI driver before releasing the tty driver
+to avoid use-after-free in the SPI remove callback where the tty
+devices are deregistered.
+
+Fixes: 72d4724ea54c ("serial: ifx6x60: Add modem power off function in the platform reboot process")
+Cc: Jun Chen <jun.d.chen@intel.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/ifx6x60.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/ifx6x60.c
++++ b/drivers/tty/serial/ifx6x60.c
+@@ -1381,9 +1381,9 @@ static struct spi_driver ifx_spi_driver
+ static void __exit ifx_spi_exit(void)
+ {
+ /* unregister */
++ spi_unregister_driver(&ifx_spi_driver);
+ tty_unregister_driver(tty_drv);
+ put_tty_driver(tty_drv);
+- spi_unregister_driver(&ifx_spi_driver);
+ unregister_reboot_notifier(&ifx_modem_reboot_notifier_block);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
