Fix kernel memory leaks in ipvs and ext4

These leaks were observed in the RT kernel but the fixes
are not RT specific.  We deemed it prudent to also
include the fixes in the std kernel as well.

See the specific patches for details.

Change-Id: I00e6d06a82e289806e5d51008ea1597735b2ad0f
Closes-Bug: 1836638
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Jim Somerville 2019-08-23 16:34:48 -04:00
parent 43fda7f16a
commit d7784ee452
12 changed files with 478 additions and 46 deletions

@ -1,4 +1,4 @@
COPY_LIST="files/*"
TIS_PATCH_VER=1
TIS_PATCH_VER=2
BUILD_IS_BIG=11
BUILD_IS_SLOW=12

@ -1,33 +1,37 @@
From d83caf51542ff89ffc70377d8a04d697d8fe09e3 Mon Sep 17 00:00:00 2001
From d85ae09a0e333ba2c0b2630a1d4768655cacf481 Mon Sep 17 00:00:00 2001
Message-Id: <d85ae09a0e333ba2c0b2630a1d4768655cacf481.1566591106.git.Jim.Somerville@windriver.com>
In-Reply-To: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com>
References: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com>
From: Bin Yang <bin.yang@intel.com>
Date: Wed, 31 Jul 2019 14:23:20 +0800
Subject: [PATCH 3/3] Compile issues
Subject: [PATCH 2/2] Compile issues
Signed-off-by: Bin Yang <bin.yang@intel.com>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
SPECS/kernel-rt.spec | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
index e94ec2f..e6e71e4 100644
index f7aad95..29d3878 100644
--- a/SPECS/kernel-rt.spec
+++ b/SPECS/kernel-rt.spec
@@ -420,6 +420,11 @@ Patch1028: turn-off-write-same-in-smartqpi-driver.patch
Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
Patch1030: robustify-CFS-bandwidth-timer-locking.patch
Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
+Patch1032: fix-compilation-issues.patch
@@ -424,6 +424,11 @@ Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
Patch1032: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
Patch1033: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
Patch1034: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
+Patch1035: fix-compilation-issues.patch
+# Fix CentOS 7.6 upgrade compile error
+Patch1033: fix-CentOS-7.6-upgrade-compile-error.patch
+Patch1036: fix-CentOS-7.6-upgrade-compile-error.patch
+# Compile fix for disabling CONFIG_MEMCG_KMEM
+Patch1034: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
+Patch1037: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -784,6 +789,9 @@ ApplyPatch turn-off-write-same-in-smartqpi-driver.patch
ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
@@ -791,6 +796,9 @@ ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
ApplyPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
+ApplyPatch fix-compilation-issues.patch
+ApplyPatch fix-CentOS-7.6-upgrade-compile-error.patch
+ApplyPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
@ -35,5 +39,5 @@ index e94ec2f..e6e71e4 100644
# move off upstream version mechanism
if [ -e localversion-rt ]; then
--
2.7.4
1.8.3.1
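
Review bot: the mail header and trailer of this meta patch change in ways the renumbering does not need, and the commit message does not mention it: Message-Id, In-Reply-To and References lines appear, and the trailer goes from git 2.7.4 to 1.8.3.1. The functional change is only the move of the three compile-fix entries to `Patch1035`..`Patch1037` and the shifted `ApplyPatch` context. Re-exporting with the same tooling as the original would keep the diff down to those lines; otherwise note the re-export in the commit message.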

@ -1,18 +1,20 @@
From 2c23df3f032c68046a309e5b9f1d321438905e85 Mon Sep 17 00:00:00 2001
From 5d869ea9407975726a95d046391cd640b726ca93 Mon Sep 17 00:00:00 2001
Message-Id: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com>
From: Bin Yang <bin.yang@intel.com>
Date: Mon, 29 Jul 2019 11:48:49 -0400
Subject: [PATCH 2/3] Kernel source patches for TiC
Subject: [PATCH 1/2] Kernel source patches for TiC
Signed-off-by: Bin Yang <bin.yang@intel.com>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
SPECS/kernel-rt.spec | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
SPECS/kernel-rt.spec | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
index efc89cd..e94ec2f 100644
index adffde2..f7aad95 100644
--- a/SPECS/kernel-rt.spec
+++ b/SPECS/kernel-rt.spec
@@ -386,6 +386,40 @@ Source1000: modprobe-dccp-blacklist.conf
@@ -386,6 +386,44 @@ Source1000: modprobe-dccp-blacklist.conf
# Empty final patch file to facilitate testing of kernel patches
Patch999999: linux-kernel-test.patch
@ -50,10 +52,14 @@ index efc89cd..e94ec2f 100644
+Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
+Patch1030: robustify-CFS-bandwidth-timer-locking.patch
+Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
+# Fix three potential kernel memory leaks
+Patch1032: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
+Patch1033: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
+Patch1034: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -718,6 +752,38 @@ cp %{SOURCE38} .
@@ -718,6 +756,41 @@ cp %{SOURCE38} .
## Apply Patches here
ApplyPatch linux-kernel-test.patch
@ -89,9 +95,12 @@ index efc89cd..e94ec2f 100644
+ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
+ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
+ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ApplyPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
+ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
+ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
# move off upstream version mechanism
if [ -e localversion-rt ]; then
--
2.7.4
1.8.3.1
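
Review bot: the `index` line shows the pre-image blob of SPECS/kernel-rt.spec changing from `efc89cd` to `adffde2`, and the subject drops from `[PATCH 2/3]` to `[PATCH 1/2]`, so this meta patch was rebuilt on a different base and not only extended with the three leak fixes. The commit message should say what happened to the former first patch of the series, since "See the specific patches for details" does not cover it. The `Patch1032`..`Patch1034` entries and their `ApplyPatch` lines are added in the same order, which matches the context the following meta patch expects.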

@ -0,0 +1,57 @@
From fdb837fb87ff4907436dfab16709b64d6c3488fd Mon Sep 17 00:00:00 2001
Message-Id: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
From: Tommi Rantala <tt.rantala@gmail.com>
Date: Thu, 7 May 2015 15:12:21 +0300
Subject: [PATCH 1/3] ipvs: fix memory leak in ip_vs_ctl.c
[ commit f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab in Linus' repo ]
Fix memory leak introduced in commit a0840e2e165a ("IPVS: netns,
ip_vs_ctl local vars moved to ipvs struct."):
unreferenced object 0xffff88005785b800 (size 2048):
comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
hex dump (first 32 bytes):
bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff .........x.N....
04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8262ea8e>] kmemleak_alloc+0x4e/0xb0
[<ffffffff811fba74>] __kmalloc_track_caller+0x244/0x430
[<ffffffff811b88a0>] kmemdup+0x20/0x50
[<ffffffff823276b7>] ip_vs_control_net_init+0x1f7/0x510
[<ffffffff8231d630>] __ip_vs_init+0x100/0x250
[<ffffffff822363a1>] ops_init+0x41/0x190
[<ffffffff82236583>] setup_net+0x93/0x150
[<ffffffff82236cc2>] copy_net_ns+0x82/0x140
[<ffffffff810ab13d>] create_new_namespaces+0xfd/0x190
[<ffffffff810ab49a>] unshare_nsproxy_namespaces+0x5a/0xc0
[<ffffffff810833e3>] SyS_unshare+0x173/0x310
[<ffffffff8265cbd7>] system_call_fastpath+0x12/0x6f
[<ffffffffffffffff>] 0xffffffffffffffff
Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 02409f3..3738b84 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3843,6 +3843,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
cancel_delayed_work_sync(&ipvs->defense_work);
cancel_work_sync(&ipvs->defense_work.work);
unregister_net_sysctl_table(ipvs->sysctl_hdr);
+
+ if (!net_eq(net, &init_net))
+ kfree(ipvs->sysctl_tbl);
}
#else
--
1.8.3.1
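
Review bot: the `if (!net_eq(net, &init_net))` guard in front of `kfree(ipvs->sysctl_tbl)` in ip_vs_control_net_cleanup_sysctl() has no comment saying why init_net is exempt. The backtrace in the message shows the leaked table coming from kmemdup() in ip_vs_control_net_init() on the unshare path, so a one-line comment that only per-namespace copies are heap-allocated would stop a later cleanup from dropping the guard. The free is correctly placed after unregister_net_sysctl_table(). For verification, the kmemleak report quoted in the message should no longer appear after a network namespace is created and destroyed on a CONFIG_DEBUG_KMEMLEAK build.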

@ -0,0 +1,67 @@
From a16765613c5cb9b6cb86bc92d21030be124b2dde Mon Sep 17 00:00:00 2001
Message-Id: <a16765613c5cb9b6cb86bc92d21030be124b2dde.1566590430.git.Jim.Somerville@windriver.com>
In-Reply-To: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
References: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Date: Fri, 9 Feb 2018 11:52:14 +0300
Subject: [PATCH 2/3] rh/ext4: release leaked posix acl in ext4_acl_chmod
[ commit b85d6be0b743a1768b8456d36b52960858fbaa67 in OpenVZ's vzkernel repo ]
Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected.
I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
Posix acl is used to convert of an extended attribute, provided by user to ext4
attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
IOW, this object is allocated, used for convertion, not stored anywhere and
must be freed.
However posix_acl_update_mode() can zerofy the pointer to support
ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
new temporary pointer with the same value instead of acl pointer.
In scope of https://jira.sw.ru/browse/PSBM-81384
RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
fs/ext4/acl.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index 917e819..fce029f 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -297,7 +297,7 @@ cleanup:
int
ext4_acl_chmod(struct inode *inode)
{
- struct posix_acl *acl;
+ struct posix_acl *acl, *real_acl;
handle_t *handle;
int retries = 0;
int error;
@@ -315,6 +315,8 @@ ext4_acl_chmod(struct inode *inode)
error = posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
if (error)
return error;
+
+ real_acl = acl;
retry:
handle = ext4_journal_start(inode, EXT4_HT_XATTR,
ext4_jbd2_credits_xattr(inode));
@@ -341,7 +343,7 @@ out_stop:
ext4_should_retry_alloc(inode->i_sb, &retries))
goto retry;
out:
- posix_acl_release(acl);
+ posix_acl_release(real_acl);
return error;
}
--
1.8.3.1
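
Review bot: `real_acl` in ext4_acl_chmod() is declared uninitialised and only assigned by `real_acl = acl;` after posix_acl_chmod() succeeds, while `out:` now releases it unconditionally. The early exit visible here uses `return error`, so it is safe as long as no path reaches `out:` before the assignment; initialising `real_acl` to NULL at the declaration would make that independent of the rest of the function. The assignment also sits above `retry:`, so a second pass runs with whatever value `acl` was left with by the first; a short comment at `real_acl = acl;` stating that the callee may clear `acl` (as the message explains) and that this is expected on retry would help the next reader.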

@ -0,0 +1,79 @@
From 916c45d11310d03a4a76bd80a40f0c6a767ba39e Mon Sep 17 00:00:00 2001
Message-Id: <916c45d11310d03a4a76bd80a40f0c6a767ba39e.1566590430.git.Jim.Somerville@windriver.com>
In-Reply-To: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
References: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Date: Fri, 9 Feb 2018 11:52:15 +0300
Subject: [PATCH 3/3] rh/ext4: release leaked posix acl in ext4_xattr_set_acl
[ commit b762d904ada70f239f1c2d2d70c4a64cd04c8ade in OpenVZ's vzkernel repo ]
Note: only rh7-3.10.0-693.17.1.el7-based kernels are affcted.
I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
Posix acl is used to convert of an extended attribute, provided by user to ext4
attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
IOW, this object is allocated, used for convertion, not stored anywhere and
must be freed.
However posix_acl_update_mode() can zerofy the pointer to support
ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
new temporary pointer with the same value instead of acl pointer.
https://jira.sw.ru/browse/PSBM-81384
RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
v2: Added affected kernel version + RHEL bug URL
Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
fs/ext4/acl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index fce029f..046b338 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -405,7 +405,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
{
struct inode *inode = dentry->d_inode;
handle_t *handle;
- struct posix_acl *acl;
+ struct posix_acl *acl, *real_acl;
int error, retries = 0;
int update_mode = 0;
umode_t mode = inode->i_mode;
@@ -418,7 +418,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
return -EPERM;
if (value) {
- acl = posix_acl_from_xattr(&init_user_ns, value, size);
+ acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
if (IS_ERR(acl))
return PTR_ERR(acl);
else if (acl) {
@@ -427,7 +427,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
goto release_and_out;
}
} else
- acl = NULL;
+ acl = real_acl = NULL;
retry:
handle = ext4_journal_start(inode, EXT4_HT_XATTR,
@@ -454,7 +454,7 @@ out_stop:
goto retry;
release_and_out:
- posix_acl_release(acl);
+ posix_acl_release(real_acl);
return error;
}
--
1.8.3.1
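
Review bot: the "Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected" line in the header is the only place the applicability of this fix is recorded, and the spec entries are covered by just "# Fix three potential kernel memory leaks". Please confirm the kernel this package builds falls in that range and put the range, or the RHEL bug URL, in the spec comment so the two ext4 patches can be dropped when the base moves. In the code itself, `acl = real_acl = posix_acl_from_xattr(...)` keeps both pointers equal on the IS_ERR() return and on the `goto release_and_out` validation path, so `posix_acl_release(real_acl)` is reached with the original object in every case shown.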

@ -1,4 +1,4 @@
COPY_LIST="files/*"
TIS_PATCH_VER=1
TIS_PATCH_VER=2
BUILD_IS_BIG=11
BUILD_IS_SLOW=12

@ -1,34 +1,38 @@
From a38da63c3677f78c33b3896699788bd5eb77116e Mon Sep 17 00:00:00 2001
From f9a5a49c9daac827d94cd562c0c6f100388fd798 Mon Sep 17 00:00:00 2001
Message-Id: <f9a5a49c9daac827d94cd562c0c6f100388fd798.1566587341.git.Jim.Somerville@windriver.com>
In-Reply-To: <ac67546ccbecd3ee18145be31d87d7253048adda.1566587341.git.Jim.Somerville@windriver.com>
References: <ac67546ccbecd3ee18145be31d87d7253048adda.1566587341.git.Jim.Somerville@windriver.com>
From: "zhao.shuai" <zhaos@neusoft.com>
Date: Tue, 6 Aug 2019 16:18:04 +0800
Subject: [PATCH 3/3] Compile issues
Subject: [PATCH 2/2] Compile issues
Signed-off-by: zhao.shuai <zhaos@neusoft.com>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
SPECS/kernel.spec | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 418cdd0..a5de0aa 100644
index d5df4a4..1d765ed 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -491,6 +491,12 @@ Patch40025: dpt_i2o-fix-build-warning.patch
Patch40026: turn-off-write-same-in-smartqpi-driver.patch
# Fix use-after-free in eventpoll_release_file
Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
@@ -495,6 +495,12 @@ Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
Patch40028: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
Patch40029: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
Patch40030: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
+# Fix assorted compilation issues
+Patch40028: fix-compilation-issues.patch
+Patch40031: fix-compilation-issues.patch
+# Fix CentOS 7.6 upgrade compile error
+Patch40029: fix-CentOS-7.6-upgrade-compile-error.patch
+Patch40032: fix-CentOS-7.6-upgrade-compile-error.patch
+# Compile fix for disabling CONFIG_MEMCG_KMEM
+Patch40030: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
+Patch40033: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
@@ -862,6 +868,9 @@ ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
@@ -869,6 +875,9 @@ ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
ApplyOptionalPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
+ApplyOptionalPatch fix-compilation-issues.patch
+ApplyOptionalPatch fix-CentOS-7.6-upgrade-compile-error.patch
+ApplyOptionalPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch

@ -1,18 +1,20 @@
From e9f7eeea6002b26912b6434c324ac19c2987afe8 Mon Sep 17 00:00:00 2001
From ac67546ccbecd3ee18145be31d87d7253048adda Mon Sep 17 00:00:00 2001
Message-Id: <ac67546ccbecd3ee18145be31d87d7253048adda.1566587341.git.Jim.Somerville@windriver.com>
From: "zhao.shuai" <zhaos@neusoft.com>
Date: Mon, 5 Aug 2019 17:55:01 +0800
Subject: [PATCH 2/3] Kernel-source-patches-for-TiC
Subject: [PATCH 1/2] Kernel-source-patches-for-TiC
Signed-off-by: zhao.shuai <zhaos@neusoft.com>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
SPECS/kernel.spec | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
SPECS/kernel.spec | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index e42177e..418cdd0 100644
index e42177e..d5df4a4 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -460,6 +460,38 @@ Patch1002: debrand-rh-i686-cpu.patch
@@ -460,6 +460,42 @@ Patch1002: debrand-rh-i686-cpu.patch
Source30000: kernel-3.10.0-x86_64.config.tis_extra
Source30001: ima_signing_key.pub
@ -47,11 +49,15 @@ index e42177e..418cdd0 100644
+Patch40026: turn-off-write-same-in-smartqpi-driver.patch
+# Fix use-after-free in eventpoll_release_file
+Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
+# Fix three potential kernel memory leaks
+Patch40028: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
+Patch40029: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
+Patch40030: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
+
BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
%description
@@ -802,6 +834,35 @@ ApplyOptionalPatch debrand-single-cpu.patch
@@ -802,6 +838,38 @@ ApplyOptionalPatch debrand-single-cpu.patch
ApplyOptionalPatch debrand-rh_taint.patch
ApplyOptionalPatch debrand-rh-i686-cpu.patch
@ -83,6 +89,9 @@ index e42177e..418cdd0 100644
+ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
+ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
+ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ApplyOptionalPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
+ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
+ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
+
# Any further pre-build tree manipulations happen here.
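
Review bot: the three leak fixes are applied with `ApplyOptionalPatch` in this spec, while the kernel-rt spec in the same commit uses `ApplyPatch` for the identical files. That follows the neighbouring lines in each spec, but for fixes that must always land it is worth confirming that the optional helper fails the build, and does not silently skip, when a patch file is missing or empty. A build log check that all three patch names are reported as applied would settle it.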

@ -0,0 +1,57 @@
From e3887b1e84e274be02f992e034e0dba1f53925b6 Mon Sep 17 00:00:00 2001
Message-Id: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
From: Tommi Rantala <tt.rantala@gmail.com>
Date: Thu, 7 May 2015 15:12:21 +0300
Subject: [PATCH 1/3] ipvs: fix memory leak in ip_vs_ctl.c
[ commit f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab in Linus' repo ]
Fix memory leak introduced in commit a0840e2e165a ("IPVS: netns,
ip_vs_ctl local vars moved to ipvs struct."):
unreferenced object 0xffff88005785b800 (size 2048):
comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
hex dump (first 32 bytes):
bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff .........x.N....
04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8262ea8e>] kmemleak_alloc+0x4e/0xb0
[<ffffffff811fba74>] __kmalloc_track_caller+0x244/0x430
[<ffffffff811b88a0>] kmemdup+0x20/0x50
[<ffffffff823276b7>] ip_vs_control_net_init+0x1f7/0x510
[<ffffffff8231d630>] __ip_vs_init+0x100/0x250
[<ffffffff822363a1>] ops_init+0x41/0x190
[<ffffffff82236583>] setup_net+0x93/0x150
[<ffffffff82236cc2>] copy_net_ns+0x82/0x140
[<ffffffff810ab13d>] create_new_namespaces+0xfd/0x190
[<ffffffff810ab49a>] unshare_nsproxy_namespaces+0x5a/0xc0
[<ffffffff810833e3>] SyS_unshare+0x173/0x310
[<ffffffff8265cbd7>] system_call_fastpath+0x12/0x6f
[<ffffffffffffffff>] 0xffffffffffffffff
Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 02409f3..3738b84 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3843,6 +3843,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
cancel_delayed_work_sync(&ipvs->defense_work);
cancel_work_sync(&ipvs->defense_work.work);
unregister_net_sysctl_table(ipvs->sysctl_hdr);
+
+ if (!net_eq(net, &init_net))
+ kfree(ipvs->sysctl_tbl);
}
#else
--
1.8.3.1
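
Review bot: this file differs from the ipvs patch added earlier in this commit only in the `From` hash and the Message-Id, and the same holds for the two ext4 patches that follow. Carrying two exported copies means a later correction has to be made twice and the copies can drift. If the packaging allows it, export the three fixes once and copy them into both patch directories unchanged, or note in the commit message that the two sets are intended to stay identical.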

@ -0,0 +1,67 @@
From 598c88638d4f46a38bf3d0669bc042c1ea1e4605 Mon Sep 17 00:00:00 2001
Message-Id: <598c88638d4f46a38bf3d0669bc042c1ea1e4605.1566585829.git.Jim.Somerville@windriver.com>
In-Reply-To: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
References: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Date: Fri, 9 Feb 2018 11:52:14 +0300
Subject: [PATCH 2/3] rh/ext4: release leaked posix acl in ext4_acl_chmod
[ commit b85d6be0b743a1768b8456d36b52960858fbaa67 in OpenVZ's vzkernel repo ]
Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected.
I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
Posix acl is used to convert of an extended attribute, provided by user to ext4
attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
IOW, this object is allocated, used for convertion, not stored anywhere and
must be freed.
However posix_acl_update_mode() can zerofy the pointer to support
ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
new temporary pointer with the same value instead of acl pointer.
In scope of https://jira.sw.ru/browse/PSBM-81384
RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
fs/ext4/acl.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index 917e819..fce029f 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -297,7 +297,7 @@ cleanup:
int
ext4_acl_chmod(struct inode *inode)
{
- struct posix_acl *acl;
+ struct posix_acl *acl, *real_acl;
handle_t *handle;
int retries = 0;
int error;
@@ -315,6 +315,8 @@ ext4_acl_chmod(struct inode *inode)
error = posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
if (error)
return error;
+
+ real_acl = acl;
retry:
handle = ext4_journal_start(inode, EXT4_HT_XATTR,
ext4_jbd2_credits_xattr(inode));
@@ -341,7 +343,7 @@ out_stop:
ext4_should_retry_alloc(inode->i_sb, &retries))
goto retry;
out:
- posix_acl_release(acl);
+ posix_acl_release(real_acl);
return error;
}
--
1.8.3.1

@ -0,0 +1,79 @@
From 190fe153e1def764a02d7cb3438f5bc7c0402e48 Mon Sep 17 00:00:00 2001
Message-Id: <190fe153e1def764a02d7cb3438f5bc7c0402e48.1566585829.git.Jim.Somerville@windriver.com>
In-Reply-To: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
References: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Date: Fri, 9 Feb 2018 11:52:15 +0300
Subject: [PATCH 3/3] rh/ext4: release leaked posix acl in ext4_xattr_set_acl
[ commit b762d904ada70f239f1c2d2d70c4a64cd04c8ade in OpenVZ's vzkernel repo ]
Note: only rh7-3.10.0-693.17.1.el7-based kernels are affcted.
I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
Posix acl is used to convert of an extended attribute, provided by user to ext4
attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
IOW, this object is allocated, used for convertion, not stored anywhere and
must be freed.
However posix_acl_update_mode() can zerofy the pointer to support
ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
new temporary pointer with the same value instead of acl pointer.
https://jira.sw.ru/browse/PSBM-81384
RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
v2: Added affected kernel version + RHEL bug URL
Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
fs/ext4/acl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index fce029f..046b338 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -405,7 +405,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
{
struct inode *inode = dentry->d_inode;
handle_t *handle;
- struct posix_acl *acl;
+ struct posix_acl *acl, *real_acl;
int error, retries = 0;
int update_mode = 0;
umode_t mode = inode->i_mode;
@@ -418,7 +418,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
return -EPERM;
if (value) {
- acl = posix_acl_from_xattr(&init_user_ns, value, size);
+ acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
if (IS_ERR(acl))
return PTR_ERR(acl);
else if (acl) {
@@ -427,7 +427,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
goto release_and_out;
}
} else
- acl = NULL;
+ acl = real_acl = NULL;
retry:
handle = ext4_journal_start(inode, EXT4_HT_XATTR,
@@ -454,7 +454,7 @@ out_stop:
goto retry;
release_and_out:
- posix_acl_release(acl);
+ posix_acl_release(real_acl);
return error;
}
--
1.8.3.1