From d7784ee45221ac8cedf6d53b6179fb8e5880bc29 Mon Sep 17 00:00:00 2001 From: Jim Somerville Date: Fri, 23 Aug 2019 16:34:48 -0400 Subject: [PATCH] Fix kernel memory leaks in ipvs and ext4 These leaks were observed in the RT kernel but the fixes are not RT specific. We deemed it prudent to also include the fixes in the std kernel as well. See the specific patches for details. Change-Id: I00e6d06a82e289806e5d51008ea1597735b2ad0f Closes-Bug: 1836638 Signed-off-by: Jim Somerville --- kernel/kernel-rt/centos/build_srpm.data | 2 +- .../centos/meta_patches/Compile-issues.patch | 34 ++++---- .../Kernel-source-patches-for-TiC.patch | 25 ++++-- .../ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch | 57 +++++++++++++ ...e-leaked-posix-acl-in-ext4_acl_chmod.patch | 67 ++++++++++++++++ ...leaked-posix-acl-in-ext4_xattr_set_a.patch | 79 +++++++++++++++++++ kernel/kernel-std/centos/build_srpm.data | 2 +- .../centos/meta_patches/Compile-issues.patch | 32 ++++---- .../Kernel-source-patches-for-TiC.patch | 23 ++++-- .../ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch | 57 +++++++++++++ ...e-leaked-posix-acl-in-ext4_acl_chmod.patch | 67 ++++++++++++++++ ...leaked-posix-acl-in-ext4_xattr_set_a.patch | 79 +++++++++++++++++++ 12 files changed, 478 insertions(+), 46 deletions(-) create mode 100644 kernel/kernel-rt/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch create mode 100644 kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch create mode 100644 kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch create mode 100644 kernel/kernel-std/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch create mode 100644 kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch create mode 100644 kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch 
diff --git a/kernel/kernel-rt/centos/build_srpm.data b/kernel/kernel-rt/centos/build_srpm.data index c06f85d68..dab446664 100644 --- a/kernel/kernel-rt/centos/build_srpm.data +++ b/kernel/kernel-rt/centos/build_srpm.data @@ -1,4 +1,4 @@ COPY_LIST="files/*" -TIS_PATCH_VER=1 +TIS_PATCH_VER=2 BUILD_IS_BIG=11 BUILD_IS_SLOW=12 diff --git a/kernel/kernel-rt/centos/meta_patches/Compile-issues.patch b/kernel/kernel-rt/centos/meta_patches/Compile-issues.patch index e0ef4222a..0b34b1659 100644 --- a/kernel/kernel-rt/centos/meta_patches/Compile-issues.patch +++ b/kernel/kernel-rt/centos/meta_patches/Compile-issues.patch @@ -1,33 +1,37 @@ -From d83caf51542ff89ffc70377d8a04d697d8fe09e3 Mon Sep 17 00:00:00 2001 +From d85ae09a0e333ba2c0b2630a1d4768655cacf481 Mon Sep 17 00:00:00 2001 +Message-Id: +In-Reply-To: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com> +References: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com> From: Bin Yang Date: Wed, 31 Jul 2019 14:23:20 +0800 -Subject: [PATCH 3/3] Compile issues +Subject: [PATCH 2/2] Compile issues Signed-off-by: Bin Yang +Signed-off-by: Jim Somerville --- SPECS/kernel-rt.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec -index e94ec2f..e6e71e4 100644 +index f7aad95..29d3878 100644 --- a/SPECS/kernel-rt.spec 
+++ b/SPECS/kernel-rt.spec -@@ -420,6 +420,11 @@ Patch1028: turn-off-write-same-in-smartqpi-driver.patch - Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch - Patch1030: robustify-CFS-bandwidth-timer-locking.patch - Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch -+Patch1032: fix-compilation-issues.patch +@@ -424,6 +424,11 @@ Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch + Patch1032: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch + Patch1033: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch + Patch1034: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch ++Patch1035: fix-compilation-issues.patch +# Fix CentOS 7.6 upgrade compile error -+Patch1033: fix-CentOS-7.6-upgrade-compile-error.patch ++Patch1036: fix-CentOS-7.6-upgrade-compile-error.patch +# Compile fix for disabling CONFIG_MEMCG_KMEM -+Patch1034: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch ++Patch1037: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root -@@ -784,6 +789,9 @@ ApplyPatch turn-off-write-same-in-smartqpi-driver.patch - ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch - ApplyPatch robustify-CFS-bandwidth-timer-locking.patch - ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch +@@ -791,6 +796,9 @@ ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch + ApplyPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch + ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch + ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch +ApplyPatch fix-compilation-issues.patch +ApplyPatch fix-CentOS-7.6-upgrade-compile-error.patch +ApplyPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch @@ -35,5 +39,5 @@ index e94ec2f..e6e71e4 100644 # move off upstream version mechanism if [ -e localversion-rt ]; then -- -2.7.4 +1.8.3.1 
diff --git a/kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch b/kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch index 18ff5cdd2..49d0757ea 100644 --- a/kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch +++ b/kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch @@ -1,18 +1,20 @@ -From 2c23df3f032c68046a309e5b9f1d321438905e85 Mon Sep 17 00:00:00 2001 +From 5d869ea9407975726a95d046391cd640b726ca93 Mon Sep 17 00:00:00 2001 +Message-Id: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com> From: Bin Yang Date: Mon, 29 Jul 2019 11:48:49 -0400 -Subject: [PATCH 2/3] Kernel source patches for TiC +Subject: [PATCH 1/2] Kernel source patches for TiC Signed-off-by: Bin Yang +Signed-off-by: Jim Somerville --- - SPECS/kernel-rt.spec | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 66 insertions(+) + SPECS/kernel-rt.spec | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 73 insertions(+) diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec -index efc89cd..e94ec2f 100644 +index adffde2..f7aad95 100644 --- a/SPECS/kernel-rt.spec +++ b/SPECS/kernel-rt.spec -@@ -386,6 +386,40 @@ Source1000: modprobe-dccp-blacklist.conf +@@ -386,6 +386,44 @@ Source1000: modprobe-dccp-blacklist.conf # Empty final patch file to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch 
@@ -50,10 +52,14 @@ index efc89cd..e94ec2f 100644 +Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch +Patch1030: robustify-CFS-bandwidth-timer-locking.patch +Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch ++# Fix three potential kernel memory leaks ++Patch1032: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch ++Patch1033: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch ++Patch1034: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root -@@ -718,6 +752,38 @@ cp %{SOURCE38} . +@@ -718,6 +756,41 @@ cp %{SOURCE38} . ## Apply Patches here ApplyPatch linux-kernel-test.patch @@ -89,9 +95,12 @@ index efc89cd..e94ec2f 100644 +ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch +ApplyPatch robustify-CFS-bandwidth-timer-locking.patch +ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch ++ApplyPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch ++ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch ++ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch # move off upstream version mechanism if [ -e localversion-rt ]; then -- -2.7.4 +1.8.3.1 diff --git a/kernel/kernel-rt/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch b/kernel/kernel-rt/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch new file mode 100644 index 000000000..63d1c4854 --- /dev/null +++ b/kernel/kernel-rt/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch 
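Review bot: The comment added above Patch1032–Patch1034, `# Fix three potential kernel memory leaks`, does not record where each fix comes from or when it can be retired. The two ext4 patches state in their own messages that they address a regression specific to rh7-3.10.0-693.17.1.el7-based kernels and point at RHEL bug 1543020, so they should be re-checked on every base-kernel rebase. If the vendor kernel later releases the ACL itself, still carrying this patch could plausibly turn a leak fix into a double release. I would expand the comment to something like `# ipvs: upstream f30bf2a5cac6; ext4: OpenVZ vzkernel, re-check against rhbz#1543020 on rebase`. The same applies to the Patch40028–Patch40030 block in the kernel-std copy of this meta patch.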
@@ -0,0 +1,57 @@
+From fdb837fb87ff4907436dfab16709b64d6c3488fd Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Tommi Rantala
+Date: Thu, 7 May 2015 15:12:21 +0300
+Subject: [PATCH 1/3] ipvs: fix memory leak in ip_vs_ctl.c
+
+[ commit f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab in Linus' repo ]
+
+Fix memory leak introduced in commit a0840e2e165a ("IPVS: netns,
+ip_vs_ctl local vars moved to ipvs struct."):
+
+unreferenced object 0xffff88005785b800 (size 2048):
+ comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
+ hex dump (first 32 bytes):
+ bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff .........x.N....
+ 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] kmemleak_alloc+0x4e/0xb0
+ [] __kmalloc_track_caller+0x244/0x430
+ [] kmemdup+0x20/0x50
+ [] ip_vs_control_net_init+0x1f7/0x510
+ [] __ip_vs_init+0x100/0x250
+ [] ops_init+0x41/0x190
+ [] setup_net+0x93/0x150
+ [] copy_net_ns+0x82/0x140
+ [] create_new_namespaces+0xfd/0x190
+ [] unshare_nsproxy_namespaces+0x5a/0xc0
+ [] SyS_unshare+0x173/0x310
+ [] system_call_fastpath+0x12/0x6f
+ [] 0xffffffffffffffff
+
+Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
+Signed-off-by: Tommi Rantala
+Acked-by: Julian Anastasov
+Signed-off-by: Simon Horman
+Signed-off-by: Jim Somerville
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 02409f3..3738b84 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3843,6 +3843,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
+ cancel_delayed_work_sync(&ipvs->defense_work);
+ cancel_work_sync(&ipvs->defense_work.work);
+ unregister_net_sysctl_table(ipvs->sysctl_hdr);
++
++ if (!net_eq(net, &init_net))
++ kfree(ipvs->sysctl_tbl);
+ }
+
+ #else
+-- 
+1.8.3.1
+
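Review bot: The new `if (!net_eq(net, &init_net)) kfree(ipvs->sysctl_tbl);` relies on an allocation rule that is not visible in this hunk. The guard is only correct if init_net gets a table that must not be freed and every other namespace gets a heap copy; the kmemdup frame under ip_vs_control_net_init in the quoted backtrace suggests this, but that function is outside the hunk. A one-line comment such as `/* sysctl_tbl is a per-netns kmemdup() copy except in init_net */` would keep the two sides in step, since a mismatch becomes either the leak again or a kfree() of memory that was never allocated. For triage, the backtrace shows the leaking path is namespace creation via unshare, 2048 bytes per namespace, so hosts that create and destroy network namespaces often should get this build first. The identical patch is added under kernel-std.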
diff --git a/kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch b/kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
new file mode 100644
index 000000000..812fe67b5
--- /dev/null
+++ b/kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
@@ -0,0 +1,67 @@
+From a16765613c5cb9b6cb86bc92d21030be124b2dde Mon Sep 17 00:00:00 2001
+Message-Id:
+In-Reply-To:
+References:
+From: Stanislav Kinsburskiy
+Date: Fri, 9 Feb 2018 11:52:14 +0300
+Subject: [PATCH 2/3] rh/ext4: release leaked posix acl in ext4_acl_chmod
+
+[ commit b85d6be0b743a1768b8456d36b52960858fbaa67 in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+In scope of https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+Signed-off-by: Stanislav Kinsburskiy
+Acked-by: Dmitry Monakhov
+Signed-off-by: Jim Somerville
+---
+ fs/ext4/acl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index 917e819..fce029f 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -297,7 +297,7 @@ cleanup:
+ int
+ ext4_acl_chmod(struct inode *inode)
+ {
+- struct posix_acl *acl;
++ struct posix_acl *acl, *real_acl;
+ handle_t *handle;
+ int retries = 0;
+ int error;
+@@ -315,6 +315,8 @@ ext4_acl_chmod(struct inode *inode)
+ error = posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
+ if (error)
+ return error;
++
++ real_acl = acl;
+ retry:
+ handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+ ext4_jbd2_credits_xattr(inode));
+@@ -341,7 +343,7 @@ out_stop:
+ ext4_should_retry_alloc(inode->i_sb, &retries))
+ goto retry;
+ out:
+- posix_acl_release(acl);
++ posix_acl_release(real_acl);
+ return error;
+ }
+
+-- 
+1.8.3.1
+
diff --git a/kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch b/kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
new file mode 100644
index 000000000..40a28df1e
--- /dev/null
+++ b/kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
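Review bot: `real_acl` is declared without an initializer (`struct posix_acl *acl, *real_acl;`) and is assigned only after posix_acl_chmod() succeeds, yet `out:` now releases it unconditionally. The exits visible in this hunk before the assignment return directly, so the patch looks correct as shown, but the function body between the hunks is not visible. Initialising at the declaration, `struct posix_acl *acl, *real_acl = NULL;`, would make any earlier `goto out` safe rather than a release of an indeterminate pointer. A short comment at `real_acl = acl;` saying that `acl` may be cleared later and `real_acl` keeps the reference to drop would also help, since the call that clears it is not in the hunk. The ext4_xattr_set_acl patch assigns `real_acl` on both branches and does not need the initializer; the kernel-std copy of this patch does.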
@@ -0,0 +1,79 @@
+From 916c45d11310d03a4a76bd80a40f0c6a767ba39e Mon Sep 17 00:00:00 2001
+Message-Id: <916c45d11310d03a4a76bd80a40f0c6a767ba39e.1566590430.git.Jim.Somerville@windriver.com>
+In-Reply-To:
+References:
+From: Stanislav Kinsburskiy
+Date: Fri, 9 Feb 2018 11:52:15 +0300
+Subject: [PATCH 3/3] rh/ext4: release leaked posix acl in ext4_xattr_set_acl
+
+[ commit b762d904ada70f239f1c2d2d70c4a64cd04c8ade in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affcted.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+v2: Added affected kernel version + RHEL bug URL
+
+Signed-off-by: Stanislav Kinsburskiy
+Acked-by: Dmitry Monakhov
+Signed-off-by: Jim Somerville
+---
+ fs/ext4/acl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index fce029f..046b338 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -405,7 +405,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ {
+ struct inode *inode = dentry->d_inode;
+ handle_t *handle;
+- struct posix_acl *acl;
++ struct posix_acl *acl, *real_acl;
+ int error, retries = 0;
+ int update_mode = 0;
+ umode_t mode = inode->i_mode;
+@@ -418,7 +418,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ return -EPERM;
+
+ if (value) {
+- acl = posix_acl_from_xattr(&init_user_ns, value, size);
++ acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
+ if (IS_ERR(acl))
+ return PTR_ERR(acl);
+ else if (acl) {
+@@ -427,7 +427,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ goto release_and_out;
+ }
+ } else
+- acl = NULL;
++ acl = real_acl = NULL;
+
+ retry:
+ handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+@@ -454,7 +454,7 @@ out_stop:
+ goto retry;
+
+ release_and_out:
+- posix_acl_release(acl);
++ posix_acl_release(real_acl);
+ return error;
+ }
+
+-- 
+1.8.3.1
+
diff --git a/kernel/kernel-std/centos/build_srpm.data b/kernel/kernel-std/centos/build_srpm.data
index c06f85d68..dab446664 100644
--- a/kernel/kernel-std/centos/build_srpm.data
+++ b/kernel/kernel-std/centos/build_srpm.data
@@ -1,4 +1,4 @@
 COPY_LIST="files/*"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
 BUILD_IS_BIG=11
 BUILD_IS_SLOW=12
diff --git a/kernel/kernel-std/centos/meta_patches/Compile-issues.patch b/kernel/kernel-std/centos/meta_patches/Compile-issues.patch
index 68d89242f..9be5d8310 100644
--- a/kernel/kernel-std/centos/meta_patches/Compile-issues.patch +++ b/kernel/kernel-std/centos/meta_patches/Compile-issues.patch @@ -1,34 +1,38 @@ -From a38da63c3677f78c33b3896699788bd5eb77116e Mon Sep 17 00:00:00 2001 +From f9a5a49c9daac827d94cd562c0c6f100388fd798 Mon Sep 17 00:00:00 2001 +Message-Id: +In-Reply-To: +References: From: "zhao.shuai" Date: Tue, 6 Aug 2019 16:18:04 +0800 -Subject: [PATCH 3/3] Compile issues +Subject: [PATCH 2/2] Compile issues Signed-off-by: zhao.shuai +Signed-off-by: Jim Somerville --- SPECS/kernel.spec | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec -index 418cdd0..a5de0aa 100644 +index d5df4a4..1d765ed 100644 --- a/SPECS/kernel.spec 
+++ b/SPECS/kernel.spec -@@ -491,6 +491,12 @@ Patch40025: dpt_i2o-fix-build-warning.patch - Patch40026: turn-off-write-same-in-smartqpi-driver.patch - # Fix use-after-free in eventpoll_release_file - Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch +@@ -495,6 +495,12 @@ Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch + Patch40028: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch + Patch40029: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch + Patch40030: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch +# Fix assorted compilation issues -+Patch40028: fix-compilation-issues.patch ++Patch40031: fix-compilation-issues.patch +# Fix CentOS 7.6 upgrade compile error -+Patch40029: fix-CentOS-7.6-upgrade-compile-error.patch ++Patch40032: fix-CentOS-7.6-upgrade-compile-error.patch +# Compile fix for disabling CONFIG_MEMCG_KMEM -+Patch40030: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch ++Patch40033: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch BuildRoot: %{_tmppath}/kernel-%{KVRA}-root -@@ -862,6 +868,9 @@ ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch - ApplyOptionalPatch dpt_i2o-fix-build-warning.patch - ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch - ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch +@@ -869,6 +875,9 @@ ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch + ApplyOptionalPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch + ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch + ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch +ApplyOptionalPatch fix-compilation-issues.patch +ApplyOptionalPatch fix-CentOS-7.6-upgrade-compile-error.patch +ApplyOptionalPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch 
diff --git a/kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch b/kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch index 77681ffef..9a4bb4b5a 100644 --- a/kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch +++ b/kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch @@ -1,18 +1,20 @@ -From e9f7eeea6002b26912b6434c324ac19c2987afe8 Mon Sep 17 00:00:00 2001 +From ac67546ccbecd3ee18145be31d87d7253048adda Mon Sep 17 00:00:00 2001 +Message-Id: From: "zhao.shuai" Date: Mon, 5 Aug 2019 17:55:01 +0800 -Subject: [PATCH 2/3] Kernel-source-patches-for-TiC +Subject: [PATCH 1/2] Kernel-source-patches-for-TiC Signed-off-by: zhao.shuai +Signed-off-by: Jim Somerville --- - SPECS/kernel.spec | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 61 insertions(+) + SPECS/kernel.spec | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 68 insertions(+) diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec -index e42177e..418cdd0 100644 +index e42177e..d5df4a4 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec -@@ -460,6 +460,38 @@ Patch1002: debrand-rh-i686-cpu.patch +@@ -460,6 +460,42 @@ Patch1002: debrand-rh-i686-cpu.patch Source30000: kernel-3.10.0-x86_64.config.tis_extra Source30001: ima_signing_key.pub 
@@ -47,11 +49,15 @@ index e42177e..418cdd0 100644 +Patch40026: turn-off-write-same-in-smartqpi-driver.patch +# Fix use-after-free in eventpoll_release_file +Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch ++# Fix three potential kernel memory leaks ++Patch40028: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch ++Patch40029: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch ++Patch40030: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch + BuildRoot: %{_tmppath}/kernel-%{KVRA}-root %description -@@ -802,6 +834,35 @@ ApplyOptionalPatch debrand-single-cpu.patch +@@ -802,6 +838,38 @@ ApplyOptionalPatch debrand-single-cpu.patch ApplyOptionalPatch debrand-rh_taint.patch ApplyOptionalPatch debrand-rh-i686-cpu.patch @@ -83,6 +89,9 @@ index e42177e..418cdd0 100644 +ApplyOptionalPatch dpt_i2o-fix-build-warning.patch +ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch +ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch ++ApplyOptionalPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch ++ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch ++ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch + # Any further pre-build tree manipulations happen here. diff --git a/kernel/kernel-std/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch b/kernel/kernel-std/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch new file mode 100644 index 000000000..a309355f8 --- /dev/null +++ b/kernel/kernel-std/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch 
@@ -0,0 +1,57 @@
+From e3887b1e84e274be02f992e034e0dba1f53925b6 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Tommi Rantala
+Date: Thu, 7 May 2015 15:12:21 +0300
+Subject: [PATCH 1/3] ipvs: fix memory leak in ip_vs_ctl.c
+
+[ commit f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab in Linus' repo ]
+
+Fix memory leak introduced in commit a0840e2e165a ("IPVS: netns,
+ip_vs_ctl local vars moved to ipvs struct."):
+
+unreferenced object 0xffff88005785b800 (size 2048):
+ comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
+ hex dump (first 32 bytes):
+ bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff .........x.N....
+ 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] kmemleak_alloc+0x4e/0xb0
+ [] __kmalloc_track_caller+0x244/0x430
+ [] kmemdup+0x20/0x50
+ [] ip_vs_control_net_init+0x1f7/0x510
+ [] __ip_vs_init+0x100/0x250
+ [] ops_init+0x41/0x190
+ [] setup_net+0x93/0x150
+ [] copy_net_ns+0x82/0x140
+ [] create_new_namespaces+0xfd/0x190
+ [] unshare_nsproxy_namespaces+0x5a/0xc0
+ [] SyS_unshare+0x173/0x310
+ [] system_call_fastpath+0x12/0x6f
+ [] 0xffffffffffffffff
+
+Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
+Signed-off-by: Tommi Rantala
+Acked-by: Julian Anastasov
+Signed-off-by: Simon Horman
+Signed-off-by: Jim Somerville
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 02409f3..3738b84 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3843,6 +3843,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
+ cancel_delayed_work_sync(&ipvs->defense_work);
+ cancel_work_sync(&ipvs->defense_work.work);
+ unregister_net_sysctl_table(ipvs->sysctl_hdr);
++
++ if (!net_eq(net, &init_net))
++ kfree(ipvs->sysctl_tbl);
+ }
+
+ #else
+-- 
+1.8.3.1
+
diff --git a/kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch b/kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
new file mode 100644
index 000000000..e8a5e3a0c
--- /dev/null
+++ b/kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
@@ -0,0 +1,67 @@
+From 598c88638d4f46a38bf3d0669bc042c1ea1e4605 Mon Sep 17 00:00:00 2001
+Message-Id: <598c88638d4f46a38bf3d0669bc042c1ea1e4605.1566585829.git.Jim.Somerville@windriver.com>
+In-Reply-To:
+References:
+From: Stanislav Kinsburskiy
+Date: Fri, 9 Feb 2018 11:52:14 +0300
+Subject: [PATCH 2/3] rh/ext4: release leaked posix acl in ext4_acl_chmod
+
+[ commit b85d6be0b743a1768b8456d36b52960858fbaa67 in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+In scope of https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+Signed-off-by: Stanislav Kinsburskiy
+Acked-by: Dmitry Monakhov
+Signed-off-by: Jim Somerville
+---
+ fs/ext4/acl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index 917e819..fce029f 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -297,7 +297,7 @@ cleanup:
+ int
+ ext4_acl_chmod(struct inode *inode)
+ {
+- struct posix_acl *acl;
++ struct posix_acl *acl, *real_acl;
+ handle_t *handle;
+ int retries = 0;
+ int error;
+@@ -315,6 +315,8 @@ ext4_acl_chmod(struct inode *inode)
+ error = posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
+ if (error)
+ return error;
++
++ real_acl = acl;
+ retry:
+ handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+ ext4_jbd2_credits_xattr(inode));
+@@ -341,7 +343,7 @@ out_stop:
+ ext4_should_retry_alloc(inode->i_sb, &retries))
+ goto retry;
+ out:
+- posix_acl_release(acl);
++ posix_acl_release(real_acl);
+ return error;
+ }
+
+-- 
+1.8.3.1
+
diff --git a/kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch b/kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
new file mode 100644
index 000000000..0e880f5ba
--- /dev/null
+++ b/kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
@@ -0,0 +1,79 @@
+From 190fe153e1def764a02d7cb3438f5bc7c0402e48 Mon Sep 17 00:00:00 2001
+Message-Id: <190fe153e1def764a02d7cb3438f5bc7c0402e48.1566585829.git.Jim.Somerville@windriver.com>
+In-Reply-To:
+References:
+From: Stanislav Kinsburskiy
+Date: Fri, 9 Feb 2018 11:52:15 +0300
+Subject: [PATCH 3/3] rh/ext4: release leaked posix acl in ext4_xattr_set_acl
+
+[ commit b762d904ada70f239f1c2d2d70c4a64cd04c8ade in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affcted.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+v2: Added affected kernel version + RHEL bug URL
+
+Signed-off-by: Stanislav Kinsburskiy
+Acked-by: Dmitry Monakhov
+Signed-off-by: Jim Somerville
+---
+ fs/ext4/acl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index fce029f..046b338 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -405,7 +405,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ {
+ struct inode *inode = dentry->d_inode;
+ handle_t *handle;
+- struct posix_acl *acl;
++ struct posix_acl *acl, *real_acl;
+ int error, retries = 0;
+ int update_mode = 0;
+ umode_t mode = inode->i_mode;
+@@ -418,7 +418,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ return -EPERM;
+
+ if (value) {
+- acl = posix_acl_from_xattr(&init_user_ns, value, size);
++ acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
+ if (IS_ERR(acl))
+ return PTR_ERR(acl);
+ else if (acl) {
+@@ -427,7 +427,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ goto release_and_out;
+ }
+ } else
+- acl = NULL;
++ acl = real_acl = NULL;
+
+ retry:
+ handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+@@ -454,7 +454,7 @@ out_stop:
+ goto retry;
+
+ release_and_out:
+- posix_acl_release(acl);
++ posix_acl_release(real_acl);
+ return error;
+ }
+
+-- 
+1.8.3.1
+