From 017cc0e332d53bf7cc24d6dcc0547a0bbd09587e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 11 Mar 2013 13:49:40 -0700 Subject: [PATCH] 3.8-stable patches added patches: cifs-fix-missing-of-oplock_read-value-in-smb30_values-structure.patch e1000e-fix-pci-device-enable-counter-balance.patch efivarfs-return-accurate-error-code-in-efivarfs_fill_super.patch efivars-efivarfs_valid_name-should-handle-pstore-syntax.patch mac80211-fix-crash-due-to-un-canceled-work-items.patch mm-mempolicy.c-fix-wrong-sp_node-insertion.patch tg3-update-link_up-flag-for-phylib-devices.patch userns-stop-oopsing-in-key_change_session_keyring.patch --- ...read-value-in-smb30_values-structure.patch | 25 ++++++ ...ix-pci-device-enable-counter-balance.patch | 39 ++++++++ ...te-error-code-in-efivarfs_fill_super.patch | 88 +++++++++++++++++++ ...lid_name-should-handle-pstore-syntax.patch | 61 +++++++++++++ ...-crash-due-to-un-canceled-work-items.patch | 67 ++++++++++++++ ...policy.c-fix-wrong-sp_node-insertion.patch | 38 ++++++++ queue-3.8/series | 8 ++ ...date-link_up-flag-for-phylib-devices.patch | 81 +++++++++++++++++ ...opsing-in-key_change_session_keyring.patch | 84 ++++++++++++++++++ 9 files changed, 491 insertions(+) create mode 100644 queue-3.8/cifs-fix-missing-of-oplock_read-value-in-smb30_values-structure.patch create mode 100644 queue-3.8/e1000e-fix-pci-device-enable-counter-balance.patch create mode 100644 queue-3.8/efivarfs-return-accurate-error-code-in-efivarfs_fill_super.patch create mode 100644 queue-3.8/efivars-efivarfs_valid_name-should-handle-pstore-syntax.patch create mode 100644 queue-3.8/mac80211-fix-crash-due-to-un-canceled-work-items.patch create mode 100644 queue-3.8/mm-mempolicy.c-fix-wrong-sp_node-insertion.patch create mode 100644 queue-3.8/tg3-update-link_up-flag-for-phylib-devices.patch create mode 100644 queue-3.8/userns-stop-oopsing-in-key_change_session_keyring.patch 
diff --git a/queue-3.8/cifs-fix-missing-of-oplock_read-value-in-smb30_values-structure.patch b/queue-3.8/cifs-fix-missing-of-oplock_read-value-in-smb30_values-structure.patch
new file mode 100644
index 00000000000..9380e62c0db
--- /dev/null
+++ b/queue-3.8/cifs-fix-missing-of-oplock_read-value-in-smb30_values-structure.patch
@@ -0,0 +1,25 @@
+From 067785c40e52089993757afa28988c05f3cb2694 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky
+Date: Wed, 6 Mar 2013 19:38:36 +0400
+Subject: CIFS: Fix missing of oplock_read value in smb30_values structure
+
+From: Pavel Shilovsky
+
+commit 067785c40e52089993757afa28988c05f3cb2694 upstream.
+
+Signed-off-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2ops.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -744,4 +744,5 @@ struct smb_version_values smb30_values =
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+ .cap_large_files = SMB2_LARGE_FILES,
++ .oplock_read = SMB2_OPLOCK_LEVEL_II,
+ };
diff --git a/queue-3.8/e1000e-fix-pci-device-enable-counter-balance.patch b/queue-3.8/e1000e-fix-pci-device-enable-counter-balance.patch
new file mode 100644
index 00000000000..c7671e5c55e
--- /dev/null
+++ b/queue-3.8/e1000e-fix-pci-device-enable-counter-balance.patch
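Review bot: The backport carries no explanation of what the missing `.oplock_read` initializer caused, so a reader of the stable queue cannot judge the fix from the patch alone. With designated initializers the omitted member of `smb30_values` was silently zero-initialized; the message should say what a zero `oplock_read` meant for SMB 3.0 mounts and what `SMB2_OPLOCK_LEVEL_II` restores. Whether the other `smb_version_values` instances in `fs/cifs/smb2ops.c` set the field consistently cannot be seen from this hunk and is worth a check.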
@@ -0,0 +1,39 @@
+From 4e0855dff094b0d56d6b5b271e0ce7851cc1e063 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Tue, 5 Mar 2013 09:42:59 +0000
+Subject: e1000e: fix pci-device enable-counter balance
+
+From: Konstantin Khlebnikov
+
+commit 4e0855dff094b0d56d6b5b271e0ce7851cc1e063 upstream.
+
+This patch removes redundant and unbalanced pci_disable_device() from
+__e1000_shutdown(). pci_clear_master() is enough, device can go into
+suspended state with elevated enable_cnt.
+
+Bug was introduced in commit 23606cf5d1192c2b17912cb2ef6e62f9b11de133
+("e1000e / PCI / PM: Add basic runtime PM support (rev. 4)") in v2.6.35
+
+Signed-off-by: Konstantin Khlebnikov
+Cc: Bruce Allan
+Acked-by: Rafael J. Wysocki
+Tested-by: Borislav Petkov
+Tested-by: Aaron Brown
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5549,7 +5549,7 @@ static int __e1000_shutdown(struct pci_d
+ */
+ e1000e_release_hw_control(adapter);
+
+- pci_disable_device(pdev);
++ pci_clear_master(pdev);
+
+ return 0;
+ }
diff --git a/queue-3.8/efivarfs-return-accurate-error-code-in-efivarfs_fill_super.patch b/queue-3.8/efivarfs-return-accurate-error-code-in-efivarfs_fill_super.patch
new file mode 100644
index 00000000000..37193c69c68
--- /dev/null
+++ b/queue-3.8/efivarfs-return-accurate-error-code-in-efivarfs_fill_super.patch
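Review bot: The reason `pci_clear_master(pdev)` now stands where `pci_disable_device(pdev)` was is recorded only in the commit message, so the next reader of `__e1000_shutdown()` may see the disable call as missing and re-add it. A comment on the new line would pin the intent: `/* no pci_disable_device() here: it was unbalanced; the device can suspend with an elevated enable_cnt, clearing bus mastering is enough */`. The body of `__e1000_shutdown()` begins outside the hunk.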
@@ -0,0 +1,88 @@ +From feff5dc4f98330d8152b521acc2e18c16712e6c8 Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Tue, 5 Mar 2013 12:46:30 +0000 +Subject: efivarfs: return accurate error code in efivarfs_fill_super() + +From: Matt Fleming + +commit feff5dc4f98330d8152b521acc2e18c16712e6c8 upstream. + +Joseph was hitting a failure case when mounting efivarfs which +resulted in an incorrect error message, + + $ sudo mount -v /sys/firmware/efi/efivars mount: Cannot allocate memory + +triggered when efivarfs_valid_name() returned -EINVAL. + +Make sure we pass accurate return values up the stack if +efivarfs_fill_super() fails to build inodes for EFI variables. + +Reported-by: Joseph Yasi +Reported-by: Lingzhu Xiang +Cc: Josh Boyer +Cc: Jeremy Kerr +Cc: Matthew Garrett +Signed-off-by: Matt Fleming +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efivars.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/firmware/efivars.c ++++ b/drivers/firmware/efivars.c +@@ -1110,15 +1110,22 @@ static struct dentry_operations efivarfs + + static struct dentry *efivarfs_alloc_dentry(struct dentry *parent, char *name) + { ++ struct dentry *d; + struct qstr q; ++ int err; + + q.name = name; + q.len = strlen(name); + +- if (efivarfs_d_hash(NULL, NULL, &q)) +- return NULL; ++ err = efivarfs_d_hash(NULL, NULL, &q); ++ if (err) ++ return ERR_PTR(err); ++ ++ d = d_alloc(parent, &q); ++ if (d) ++ return d; + +- return d_alloc(parent, &q); ++ return ERR_PTR(-ENOMEM); + } + + static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) +@@ -1128,6 +1135,7 @@ static int efivarfs_fill_super(struct su + struct efivar_entry *entry, *n; + struct efivars *efivars = &__efivars; + char *name; ++ int err = -ENOMEM; + + efivarfs_sb = sb; + +@@ -1178,8 +1186,10 @@ static int efivarfs_fill_super(struct su + goto fail_name; + + dentry = efivarfs_alloc_dentry(root, name); +- if (!dentry) ++ if (IS_ERR(dentry)) { ++ err = 
PTR_ERR(dentry);
+ goto fail_inode;
++ }
+
+ /* copied by the above to local storage in the dentry. */
+ kfree(name);
+@@ -1206,7 +1216,7 @@ fail_inode:
+ fail_name:
+ kfree(name);
+ fail:
+- return -ENOMEM;
++ return err;
+ }
+
+ static struct dentry *efivarfs_mount(struct file_system_type *fs_type,
diff --git a/queue-3.8/efivars-efivarfs_valid_name-should-handle-pstore-syntax.patch b/queue-3.8/efivars-efivarfs_valid_name-should-handle-pstore-syntax.patch
new file mode 100644
index 00000000000..a8f793a3b08
--- /dev/null
+++ b/queue-3.8/efivars-efivarfs_valid_name-should-handle-pstore-syntax.patch
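Review bot: `efivarfs_alloc_dentry()` changes its failure contract from a NULL return to an ERR_PTR, and the hunk updates only the one caller in `efivarfs_fill_super()`; any other caller still testing `!dentry` would now treat an error pointer as a valid dentry, so remaining call sites (none visible here) should be audited. The new contract deserves a comment on the function, e.g. `/* Returns the new dentry or an ERR_PTR: the efivarfs_d_hash() error (e.g. -EINVAL for an invalid name), or -ENOMEM if d_alloc() fails */`. The `int err = -ENOMEM;` initializer is what keeps the `fail`/`fail_name`/`fail_inode` exits at their previous value when something other than the dentry allocation failed, which is worth stating next to it. `efivarfs_fill_super()` continues outside the hunk.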
@@ -0,0 +1,61 @@
+From 123abd76edf56c02a76b46d3d673897177ef067b Mon Sep 17 00:00:00 2001
+From: Matt Fleming
+Date: Tue, 5 Mar 2013 07:40:16 +0000
+Subject: efivars: efivarfs_valid_name() should handle pstore syntax
+
+From: Matt Fleming
+
+commit 123abd76edf56c02a76b46d3d673897177ef067b upstream.
+
+Stricter validation was introduced with commit da27a24383b2b
+("efivarfs: guid part of filenames are case-insensitive") and commit
+47f531e8ba3b ("efivarfs: Validate filenames much more aggressively"),
+which is necessary for the guid portion of efivarfs filenames, but we
+don't need to be so strict with the first part, the variable name. The
+UEFI specification doesn't impose any constraints on variable names
+other than they be a NULL-terminated string.
+
+The above commits caused a regression that resulted in users seeing
+the following message,
+
+ $ sudo mount -v /sys/firmware/efi/efivars mount: Cannot allocate memory
+
+whenever pstore EFI variables were present in the variable store,
+since their variable names failed to pass the following check,
+
+ /* GUID should be right after the first '-' */
+ if (s - 1 != strchr(str, '-'))
+
+as a typical pstore filename is of the form, dump-type0-10-1-.
+The fix is trivial since the guid portion of the filename is GUID_LEN
+bytes, we can use (len - GUID_LEN) to ensure the '-' character is
+where we expect it to be.
+
+(The bogus ENOMEM error value will be fixed in a separate patch.)
+
+Reported-by: Joseph Yasi
+Tested-by: Joseph Yasi
+Reported-by: Lingzhu Xiang
+Cc: Josh Boyer
+Cc: Jeremy Kerr
+Cc: Matthew Garrett
+Signed-off-by: Matt Fleming
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/firmware/efivars.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/efivars.c
++++ b/drivers/firmware/efivars.c
+@@ -921,8 +921,8 @@ static bool efivarfs_valid_name(const ch
+ if (len < GUID_LEN + 2)
+ return false;
+
+- /* GUID should be right after the first '-' */
+- if (s - 1 != strchr(str, '-'))
++ /* GUID must be preceded by a '-' */
++ if (*(s - 1) != '-')
+ return false;
+
+ /*
diff --git a/queue-3.8/mac80211-fix-crash-due-to-un-canceled-work-items.patch b/queue-3.8/mac80211-fix-crash-due-to-un-canceled-work-items.patch
new file mode 100644
index 00000000000..0c325833232
--- /dev/null
+++ b/queue-3.8/mac80211-fix-crash-due-to-un-canceled-work-items.patch
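Review bot: The new `*(s - 1)` read is in bounds only because of the `len < GUID_LEN + 2` rejection a few lines above, and nothing at the line says so; make the comment carry it: `/* GUID must be preceded by a '-'; s - 1 is inside str because len >= GUID_LEN + 2 */`. `s` is defined outside the hunk (presumably `str + len - GUID_LEN`, per the commit message), so the relation between `s`, `str` and `len` should be confirmed there. Dropping the `strchr()` comparison means the variable-name part may now contain any characters, including further '-', which is the intended relaxation but also means later code must not assume the first '-' marks the GUID. `efivarfs_valid_name()` starts and ends outside the hunk.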
@@ -0,0 +1,67 @@
+From 499218595a2e8296b7492af32fcca141b7b8184a Mon Sep 17 00:00:00 2001
+From: Ben Greear
+Date: Wed, 20 Feb 2013 09:41:09 -0800
+Subject: mac80211: Fix crash due to un-canceled work-items
+
+From: Ben Greear
+
+commit 499218595a2e8296b7492af32fcca141b7b8184a upstream.
+
+Some mlme work structs are not cancelled on disassociation
+nor interface deletion, which leads to them running after
+the memory has been freed
+
+There is not a clean way to cancel these in the disassociation
+logic because they must be canceled outside of the ifmgd->mtx
+lock, so just cancel them in mgd_stop logic that tears down
+the station.
+
+This fixes the crashes we see in 3.7.9+. The crash stack
+trace itself isn't so helpful, but this warning gives
+more useful info:
+
+WARNING: at /home/greearb/git/linux-3.7.dev.y/lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()
+ODEBUG: free active (active state 0) object type: work_struct hint: ieee80211_sta_monitor_work+0x0/0x14 [mac80211]
+Modules linked in: [...]
+Pid: 14743, comm: iw Tainted: G C O 3.7.9+ #11
+Call Trace:
+ [] warn_slowpath_common+0x80/0x98
+ [] warn_slowpath_fmt+0x41/0x43
+ [] debug_print_object+0x7c/0x8d
+ [] debug_check_no_obj_freed+0x95/0x1c3
+ [] slab_free_hook+0x70/0x79
+ [] kfree+0x62/0xb7
+ [] netdev_release+0x39/0x3e
+ [] device_release+0x52/0x8a
+ [] kobject_release+0x121/0x158
+ [] kobject_put+0x4c/0x50
+ [] netdev_run_todo+0x25c/0x27e
+
+Signed-off-by: Ben Greear
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mlme.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4072,6 +4072,17 @@ void ieee80211_mgd_stop(struct ieee80211
+ {
+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+
++ /*
++ * Make sure some work items will not run after this,
++ * they will not do anything but might not have been
++ * cancelled when disconnecting.
++ */
++ cancel_work_sync(&ifmgd->monitor_work);
++ cancel_work_sync(&ifmgd->beacon_connection_loss_work);
++ cancel_work_sync(&ifmgd->request_smps_work);
++ cancel_work_sync(&ifmgd->csa_connection_drop_work);
++ cancel_work_sync(&ifmgd->chswitch_work);
++
+ mutex_lock(&ifmgd->mtx);
+ if (ifmgd->assoc_data)
+ ieee80211_destroy_assoc_data(sdata, false);
diff --git a/queue-3.8/mm-mempolicy.c-fix-wrong-sp_node-insertion.patch b/queue-3.8/mm-mempolicy.c-fix-wrong-sp_node-insertion.patch
new file mode 100644
index 00000000000..9bb0df9e8e6
--- /dev/null
+++ b/queue-3.8/mm-mempolicy.c-fix-wrong-sp_node-insertion.patch
@@ -0,0 +1,38 @@
+From 5ca3957510b9fc2a14d3647db518014842f9a2b4 Mon Sep 17 00:00:00 2001
+From: Hillf Danton
+Date: Fri, 8 Mar 2013 12:43:28 -0800
+Subject: mm/mempolicy.c: fix wrong sp_node insertion
+
+From: Hillf Danton
+
+commit 5ca3957510b9fc2a14d3647db518014842f9a2b4 upstream.
+
+n->end is accessed in sp_insert(). Thus it should be update
+before calling sp_insert(). This mistake may make kernel panic.
+
+Signed-off-by: Hillf Danton
+Signed-off-by: KOSAKI Motohiro
+Cc: Sasha Levin
+Cc: Hugh Dickins
+Cc: Mel Gorman
+Cc: Dave Jones
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mempolicy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2386,8 +2386,8 @@ restart:
+ *mpol_new = *n->policy;
+ atomic_set(&mpol_new->refcnt, 1);
+ sp_node_init(n_new, n->end, end, mpol_new);
+- sp_insert(sp, n_new);
+ n->end = start;
++ sp_insert(sp, n_new);
+ n_new = NULL;
+ mpol_new = NULL;
+ break;
diff --git a/queue-3.8/series b/queue-3.8/series
index ed7042d9207..8aceb3826ca 100644
--- a/queue-3.8/series
+++ b/queue-3.8/series
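Review bot: The added comment says the work items are cancelled but not why they are cancelled here, ahead of `mutex_lock(&ifmgd->mtx)`; the commit message gives the constraint (they must be cancelled outside `ifmgd->mtx`) and the code should carry it so a later cleanup does not move the calls under the lock. Suggest adding to the comment ` * Must run before taking ifmgd->mtx; these cannot be cancelled under it.` Whether each handler itself takes the mutex, which would make the ordering a deadlock matter rather than a style one, is not visible here. `ieee80211_mgd_stop()` continues past the hunk.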
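Review bot: The fix is purely statement order — `sp_insert()` reads `n->end`, so `n->end = start;` must come first — yet nothing in the code marks the dependency and a future tidy-up could swap the two lines back. Add a comment on the moved line: `/* sp_insert() reads n->end: shrink n before inserting n_new */`. The `restart:` block that holds these lines starts outside the hunk.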
@@ -63,3 +63,11 @@ vfs-don-t-bug_on-if-following-a-proc-fd-pseudo-symlink.patch
 proc-use-nd_jump_link-in-proc_ns_follow_link.patch
 tile-work-around-bug-in-the-generic-sys_llseek.patch
 random-fix-locking-dependency-with-the-tasklist_lock.patch
+mm-mempolicy.c-fix-wrong-sp_node-insertion.patch
+cifs-fix-missing-of-oplock_read-value-in-smb30_values-structure.patch
+mac80211-fix-crash-due-to-un-canceled-work-items.patch
+e1000e-fix-pci-device-enable-counter-balance.patch
+tg3-update-link_up-flag-for-phylib-devices.patch
+efivars-efivarfs_valid_name-should-handle-pstore-syntax.patch
+efivarfs-return-accurate-error-code-in-efivarfs_fill_super.patch
+userns-stop-oopsing-in-key_change_session_keyring.patch
diff --git a/queue-3.8/tg3-update-link_up-flag-for-phylib-devices.patch b/queue-3.8/tg3-update-link_up-flag-for-phylib-devices.patch
new file mode 100644
index 00000000000..8b44757ac68
--- /dev/null
+++ b/queue-3.8/tg3-update-link_up-flag-for-phylib-devices.patch
@@ -0,0 +1,81 @@ +From 84421b99cedc3443e76d2a594f3c815d5cb9a8e1 Mon Sep 17 00:00:00 2001 +From: Nithin Sujir +Date: Fri, 8 Mar 2013 08:01:24 +0000 +Subject: tg3: Update link_up flag for phylib devices + +From: Nithin Sujir + +commit 84421b99cedc3443e76d2a594f3c815d5cb9a8e1 upstream. + +Commit f4a46d1f46a8fece34edd2023e054072b02e110d introduced a bug where +the ifconfig stats would remain 0 for phylib devices. This is due to +tp->link_up flag never becoming true causing tg3_periodic_fetch_stats() +to return. + +The link_up flag was being updated in tg3_test_and_report_link_chg() +after setting up the phy. This function however, is not called for +phylib devices since the driver does not do the phy setup. + +This patch moves the link_up flag update into the common +tg3_link_report() function that gets called for phylib devices as well +for non phylib devices when the link state changes. + +To avoid updating link_up twice, we replace tg3_carrier_...() calls that +are followed by tg3_link_report(), with netif_carrier_...(). We can then +remove the unused tg3_carrier_on() function. + +Reported-by: OGAWA Hirofumi +Signed-off-by: Nithin Nayak Sujir +Signed-off-by: Michael Chan +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/broadcom/tg3.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -1843,6 +1843,8 @@ static void tg3_link_report(struct tg3 *
+
+ tg3_ump_link_report(tp);
+ }
++
++ tp->link_up = netif_carrier_ok(tp->dev);
+ }
+
+ static u16 tg3_advert_flowctrl_1000X(u8 flow_ctrl)
+@@ -2496,12 +2498,6 @@ static int tg3_phy_reset_5703_4_5(struct
+ return err;
+ }
+
+-static void tg3_carrier_on(struct tg3 *tp)
+-{
+- netif_carrier_on(tp->dev);
+- tp->link_up = true;
+-}
+-
+ static void tg3_carrier_off(struct tg3 *tp)
+ {
+ netif_carrier_off(tp->dev);
+@@ -2527,7 +2523,7 @@ static int tg3_phy_reset(struct tg3 *tp)
+ return -EBUSY;
+
+ if (netif_running(tp->dev) && tp->link_up) {
+- tg3_carrier_off(tp);
++ netif_carrier_off(tp->dev);
+ tg3_link_report(tp);
+ }
+
+@@ -4225,9 +4221,9 @@ static bool tg3_test_and_report_link_chg
+ {
+ if (curr_link_up != tp->link_up) {
+ if (curr_link_up) {
+- tg3_carrier_on(tp);
++ netif_carrier_on(tp->dev);
+ } else {
+- tg3_carrier_off(tp);
++ netif_carrier_off(tp->dev);
+ if (tp->phy_flags & TG3_PHYFLG_MII_SERDES)
+ tp->phy_flags &= ~TG3_PHYFLG_PARALLEL_DETECT;
+ }
diff --git a/queue-3.8/userns-stop-oopsing-in-key_change_session_keyring.patch b/queue-3.8/userns-stop-oopsing-in-key_change_session_keyring.patch
new file mode 100644
index 00000000000..51405862b6a
--- /dev/null
+++ b/queue-3.8/userns-stop-oopsing-in-key_change_session_keyring.patch
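Review bot: After this change `tp->link_up` is maintained only in `tg3_link_report()`, so the sites switched from `tg3_carrier_on()`/`tg3_carrier_off()` to `netif_carrier_on()`/`netif_carrier_off()` are correct only if `tg3_link_report()` follows them; it visibly does in `tg3_phy_reset()`, but in `tg3_test_and_report_link_chg()` the report call is outside the hunk and should be confirmed. A comment at those sites, `/* tp->link_up is refreshed by tg3_link_report() below */`, records the dependency. `tg3_carrier_off()` survives with its body outside the hunk; presumably it still clears the flag, so its remaining callers stay consistent, but that is worth a look. The body of `tg3_link_report()` also begins outside the hunk.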
@@ -0,0 +1,84 @@ +From ba0e3427b03c3d1550239779eca5c1c5a53a2152 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Sat, 2 Mar 2013 19:14:03 -0800 +Subject: userns: Stop oopsing in key_change_session_keyring + +From: "Eric W. Biederman" + +commit ba0e3427b03c3d1550239779eca5c1c5a53a2152 upstream. + +Dave Jones writes: +> Just hit this on Linus' current tree. +> +> [ 89.621770] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8 +> [ 89.623111] IP: [] commit_creds+0x250/0x2f0 +> [ 89.624062] PGD 122bfd067 PUD 122bfe067 PMD 0 +> [ 89.624901] Oops: 0000 [#1] PREEMPT SMP +> [ 89.625678] Modules linked in: caif_socket caif netrom bridge hidp 8021q garp stp mrp rose llc2 af_rxrpc phonet af_key binfmt_misc bnep l2tp_ppp can_bcm l2tp_core pppoe pppox can_raw scsi_transport_iscsi ppp_generic slhc nfnetlink can ipt_ULOG ax25 decnet irda nfc rds x25 crc_ccitt appletalk atm ipx p8023 psnap p8022 llc lockd sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables btusb bluetooth snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_pcm vhost_net snd_page_alloc snd_timer tun macvtap usb_debug snd rfkill microcode macvlan edac_core pcspkr serio_raw kvm_amd soundcore kvm r8169 mii +> [ 89.637846] CPU 2 +> [ 89.638175] Pid: 782, comm: trinity-main Not tainted 3.8.0+ #63 Gigabyte Technology Co., Ltd. 
GA-MA78GM-S2H/GA-MA78GM-S2H +> [ 89.639850] RIP: 0010:[] [] commit_creds+0x250/0x2f0 +> [ 89.641161] RSP: 0018:ffff880115657eb8 EFLAGS: 00010207 +> [ 89.641984] RAX: 00000000000003e8 RBX: ffff88012688b000 RCX: 0000000000000000 +> [ 89.643069] RDX: 0000000000000000 RSI: ffffffff81c32960 RDI: ffff880105839600 +> [ 89.644167] RBP: ffff880115657ed8 R08: 0000000000000000 R09: 0000000000000000 +> [ 89.645254] R10: 0000000000000001 R11: 0000000000000246 R12: ffff880105839600 +> [ 89.646340] R13: ffff88011beea490 R14: ffff88011beea490 R15: 0000000000000000 +> [ 89.647431] FS: 00007f3ac063b740(0000) GS:ffff88012b200000(0000) knlGS:0000000000000000 +> [ 89.648660] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +> [ 89.649548] CR2: 00000000000000c8 CR3: 0000000122bfc000 CR4: 00000000000007e0 +> [ 89.650635] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +> [ 89.651723] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +> [ 89.652812] Process trinity-main (pid: 782, threadinfo ffff880115656000, task ffff88011beea490) +> [ 89.654128] Stack: +> [ 89.654433] 0000000000000000 ffff8801058396a0 ffff880105839600 ffff88011beeaa78 +> [ 89.655769] ffff880115657ef8 ffffffff812c7d9b ffffffff82079be0 0000000000000000 +> [ 89.657073] ffff880115657f28 ffffffff8106c665 0000000000000002 ffff880115657f58 +> [ 89.658399] Call Trace: +> [ 89.658822] [] key_change_session_keyring+0xfb/0x140 +> [ 89.659845] [] task_work_run+0xa5/0xd0 +> [ 89.660698] [] do_notify_resume+0x71/0xb0 +> [ 89.661581] [] int_signal+0x12/0x17 +> [ 89.662385] Code: 24 90 00 00 00 48 8b b3 90 00 00 00 49 8b 4c 24 40 48 39 f2 75 08 e9 83 00 00 00 48 89 ca 48 81 fa 60 29 c3 81 0f 84 41 fe ff ff <48> 8b 8a c8 00 00 00 48 39 ce 75 e4 3b 82 d0 00 00 00 0f 84 4b +> [ 89.667778] RIP [] commit_creds+0x250/0x2f0 +> [ 89.668733] RSP +> [ 89.669301] CR2: 00000000000000c8 +> +> My fastest trinity induced oops yet! +> +> +> Appears to be.. 
+>
+> if ((set_ns == subset_ns->parent) &&
+> 850: 48 8b 8a c8 00 00 00 mov 0xc8(%rdx),%rcx
+>
+> from the inlined cred_cap_issubset
+
+By historical accident we have been reading trying to set new->user_ns
+from new->user_ns. Which is totally silly as new->user_ns is NULL (as
+is every other field in new except session_keyring at that point).
+
+The intent is clearly to copy all of the fields from old to new so copy
+old->user_ns into into new->user_ns.
+
+Reported-by: Dave Jones
+Tested-by: Dave Jones
+Acked-by: Serge Hallyn
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/process_keys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -839,7 +839,7 @@ void key_change_session_keyring(struct c
+ new-> sgid = old-> sgid;
+ new->fsgid = old->fsgid;
+ new->user = get_uid(old->user);
+- new->user_ns = get_user_ns(new->user_ns);
++ new->user_ns = get_user_ns(old->user_ns);
+ new->group_info = get_group_info(old->group_info);
+
+ new->securebits = old->securebits;
-- 2.47.3
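Review bot: The corrected line now matches its neighbours (`new->user = get_uid(old->user)`, `new->group_info = get_group_info(old->group_info)`), but the field-by-field copy is what let a `new->` self-reference pass review: `get_user_ns()` on the still-NULL `new->user_ns` produced the NULL dereference in `commit_creds()` quoted in the message. A one-line comment above the block would make the invariant explicit: `/* every field must be taken from old; new is zeroed except session_keyring at this point */`. Fields copied outside the hunk deserve the same `old->` check, since `key_change_session_keyring()` starts and ends outside the hunk.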