Bug 1272172 - Using request_key() or keyctl request2 to get a kernel causes the key garbage collector to crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-10-15 16:04 UTC by David Howells
Modified: 2016-11-08 16:16 UTC (History)

Fixed In Version: kernel-4.1.12-101.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-13 02:51:33 UTC
Type: Bug
Embargoed:



Description David Howells 2015-10-15 16:04:16 UTC
Description of problem:

This command sequence:

    i=`keyctl add user a a @s`
    keyctl request2 keyring foo bar @t
    keyctl unlink $i @s

will cause the keyrings garbage collector to crash because the keyring_destroy() function sees the cached error code in the key as a pointer to its name, resulting in an oops that looks like the following. Note the value in RAX that is -ENOKEY as a 32-bit value.

    BUG: unable to handle kernel paging request at 00000000ffffff8a
    IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
    PGD 0
    Oops: 0002 [#1] SMP
    Modules linked in:
    CPU: 0 PID: 1201 Comm: kworker/0:2 Tainted: G        W       4.3.0-rc2-fsdevel #456
    Hardware name:                  /DG965RY, BIOS MQ96510J.86A.0816.2006.0716.2308 07/16/2006
    Workqueue: events key_garbage_collector
    task: ffff88003bfc6200 ti: ffff88003e2f0000 task.ti: ffff88003e2f0000
    RIP: 0010:[<ffffffff8126e051>]  [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
    RSP: 0018:ffff88003e2f3d30  EFLAGS: 00010203
    RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
    RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
    R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
    R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
    FS:  0000000000000000(0000) GS:ffff88003da00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
    Stack:
     ffff88003bf1a908 ffff88003e2f3d58 ffffffff8126c756 00000000561fc960
     7fffffffffffffff ffff88003e2f3da0 ffffffff8126ca71 ffff88003bf1a400
     ffff88003e1fd4c0 ffff88003e2f3cd0 ffffffff81a73720 ffff88003da14f80
    Call Trace:
     [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
     [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
     [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
     [<ffffffff8105fd17>] worker_thread+0x26e/0x361
     [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
     [<ffffffff810648ad>] kthread+0xf3/0xfb
     [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
     [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
     [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2


Version-Release number of selected component (if applicable):

Anything since v2.6.39-rc1.
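
A triage sketch for the oops in the description, added here as an example and not part of the bug report or the kernel patches: it checks a captured oops for the keyring_destroy / key_garbage_collector signature and decodes RAX as a negative errno held in 32 bits. The names `triage`, `matches_bug`, `as_errno32` and the errno table are chosen for this example; the sample lines are copied from the oops in this report.

```python
import re

# Linux asm-generic errno numbers for key errors. Only ENOKEY is named in the
# report; the other three are included as an assumption about related cases.
KEY_ERRNOS = {126: "ENOKEY", 127: "EKEYEXPIRED", 128: "EKEYREVOKED", 129: "EKEYREJECTED"}

# Sample input: a subset of the oops lines quoted in this bug report.
SAMPLE_OOPS = """\
BUG: unable to handle kernel paging request at 00000000ffffff8a
Workqueue: events key_garbage_collector
RIP: 0010:[<ffffffff8126e051>]  [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
"""

def as_errno32(value):
    """Return the positive errno if value is a negative errno stored in 32 bits
    and zero-extended into a 64-bit register, else None."""
    if value >> 32:                      # upper half set: a real 64-bit value
        return None
    signed = value - (1 << 32) if value & 0x80000000 else value
    return -signed if -4095 <= signed < 0 else None

def triage(oops):
    """Extract the signature fields of this keyring GC crash from an oops."""
    reg = lambda name: (m := re.search(rf"\b{name}: ([0-9a-f]{{16}})", oops)) and int(m.group(1), 16)
    rax, cr2 = reg("RAX"), reg("CR2")
    err = as_errno32(rax) if rax is not None else None
    return {
        "in_keyring_destroy": bool(re.search(r"RIP: .*\bkeyring_destroy\+0x", oops)),
        "from_key_gc": "Workqueue: events key_garbage_collector" in oops,
        "errno": KEY_ERRNOS.get(err, err),
        # Distance from the bogus "pointer" in RAX to the faulting address.
        "fault_offset": cr2 - rax if None not in (rax, cr2) else None,
    }

def matches_bug(oops):
    """True when the oops has the crash site, the GC worker and an errno in RAX."""
    r = triage(oops)
    return r["in_keyring_destroy"] and r["from_key_gc"] and r["errno"] in KEY_ERRNOS.values()

if __name__ == "__main__":
    print(triage(SAMPLE_OOPS), matches_bug(SAMPLE_OOPS))
```
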

Comment 1 Josh Boyer 2015-10-19 12:40:39 UTC
I've added the two patches David has authored to fix this issue to all branches in Fedora git.

Comment 4 Josh Boyer 2015-10-20 12:52:58 UTC
Yep, the ones that David pointed to in comment #3.

Comment 5 Fedora Update System 2015-10-28 14:06:50 UTC
kernel-4.1.12-100.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-fe9a93653f

Comment 6 Fedora Update System 2015-10-28 19:12:44 UTC
kernel-4.1.12-101.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0253d1f070

Comment 7 Fedora Update System 2015-11-02 02:54:57 UTC
kernel-4.1.12-101.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update kernel'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0253d1f070

Comment 8 Fedora Update System 2015-11-13 02:51:02 UTC
kernel-4.1.12-101.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

