5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Feb 2023 14:15:12 +0000 (15:15 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Feb 2023 14:15:12 +0000 (15:15 +0100)
added patches:
aio-fix-mremap-after-fork-null-deref.patch
netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
ovl-remove-privs-in-ovl_copyfile.patch
ovl-remove-privs-in-ovl_fallocate.patch
s390-signal-fix-endless-loop-in-do_signal.patch

queue-5.10/aio-fix-mremap-after-fork-null-deref.patch [new file with mode: 0644]
queue-5.10/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch [new file with mode: 0644]
queue-5.10/ovl-remove-privs-in-ovl_copyfile.patch [new file with mode: 0644]
queue-5.10/ovl-remove-privs-in-ovl_fallocate.patch [new file with mode: 0644]
queue-5.10/s390-signal-fix-endless-loop-in-do_signal.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/aio-fix-mremap-after-fork-null-deref.patch b/queue-5.10/aio-fix-mremap-after-fork-null-deref.patch
new file mode 100644 (file)
index 0000000..21a318b
--- /dev/null
@@ -0,0 +1,49 @@
+From 81e9d6f8647650a7bead74c5f926e29970e834d1 Mon Sep 17 00:00:00 2001
+From: Seth Jenkins <sethjenkins@google.com>
+Date: Tue, 31 Jan 2023 12:25:55 -0500
+Subject: aio: fix mremap after fork null-deref
+
+From: Seth Jenkins <sethjenkins@google.com>
+
+commit 81e9d6f8647650a7bead74c5f926e29970e834d1 upstream.
+
+Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced
+a null-deref if mremap is called on an old aio mapping after fork as
+mm->ioctx_table will be set to NULL.
+
+[jmoyer@redhat.com: fix 80 column issue]
+Link: https://lkml.kernel.org/r/x49sffq4nvg.fsf@segfault.boston.devel.redhat.com
+Fixes: e4a0d3e720e7 ("aio: Make it possible to remap aio ring")
+Signed-off-by: Seth Jenkins <sethjenkins@google.com>
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Benjamin LaHaise <bcrl@kvack.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/aio.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -335,6 +335,9 @@ static int aio_ring_mremap(struct vm_are
+       spin_lock(&mm->ioctx_lock);
+       rcu_read_lock();
+       table = rcu_dereference(mm->ioctx_table);
++      if (!table)
++              goto out_unlock;
++
+       for (i = 0; i < table->nr; i++) {
+               struct kioctx *ctx;
+@@ -348,6 +351,7 @@ static int aio_ring_mremap(struct vm_are
+               }
+       }
++out_unlock:
+       rcu_read_unlock();
+       spin_unlock(&mm->ioctx_lock);
+       return res;
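Review bot: The new early exit `if (!table) goto out_unlock;` reaches `return res;` without assigning `res`, so the result on that path is whatever `res` was initialised to earlier in aio_ring_mremap, which lies outside the hunk (presumably -EINVAL, worth confirming so the remap of a vanished ring is not reported as success). The check also carries no explanation of when `mm->ioctx_table` can be NULL; I would put `/* mm->ioctx_table is NULL in a forked child; nothing to remap */` above it, matching the commit message. aio_ring_mremap starts and ends outside the hunk.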
diff --git a/queue-5.10/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch b/queue-5.10/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
new file mode 100644 (file)
index 0000000..086a0cf
--- /dev/null
@@ -0,0 +1,45 @@
+From 18bbc3213383a82b05383827f4b1b882e3f0a5a5 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 20 Aug 2022 17:54:06 +0200
+Subject: netfilter: nft_tproxy: restrict to prerouting hook
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 18bbc3213383a82b05383827f4b1b882e3f0a5a5 upstream.
+
+TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.
+This fixes a crash (null dereference) when using tproxy from e.g. output.
+
+Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
+Reported-by: Shell Chen <xierch@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Qingfang DENG <dqfext@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_tproxy.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/netfilter/nft_tproxy.c
++++ b/net/netfilter/nft_tproxy.c
+@@ -289,6 +289,13 @@ static int nft_tproxy_dump(struct sk_buf
+       return 0;
+ }
++static int nft_tproxy_validate(const struct nft_ctx *ctx,
++                             const struct nft_expr *expr,
++                             const struct nft_data **data)
++{
++      return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
++}
++
+ static struct nft_expr_type nft_tproxy_type;
+ static const struct nft_expr_ops nft_tproxy_ops = {
+       .type           = &nft_tproxy_type,
+@@ -296,6 +303,7 @@ static const struct nft_expr_ops nft_tpr
+       .eval           = nft_tproxy_eval,
+       .init           = nft_tproxy_init,
+       .dump           = nft_tproxy_dump,
++      .validate       = nft_tproxy_validate,
+ };
+ static struct nft_expr_type nft_tproxy_type __read_mostly = {
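Review bot: `nft_tproxy_validate` restricts the expression to the prerouting hook but carries no comment saying why, so a reader of nft_tproxy.c sees an unexplained hook mask; I would add above the function `/* tproxy is only valid before routing: the eval path assumes a prerouting skb and crashes (NULL deref) from other hooks such as output */`, which is what the commit message states. The unused `expr` and `data` parameters are dictated by the `.validate` callback signature and are fine as written. The `1 << NF_INET_PRE_ROUTING` mask is, as far as I recall, the form used by sibling expression validate callbacks, so no change there.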
diff --git a/queue-5.10/ovl-remove-privs-in-ovl_copyfile.patch b/queue-5.10/ovl-remove-privs-in-ovl_copyfile.patch
new file mode 100644 (file)
index 0000000..402709a
--- /dev/null
@@ -0,0 +1,62 @@
+From b306e90ffabdaa7e3b3350dbcd19b7663e71ab17 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Mon, 17 Oct 2022 17:06:38 +0200
+Subject: ovl: remove privs in ovl_copyfile()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit b306e90ffabdaa7e3b3350dbcd19b7663e71ab17 upstream.
+
+Underlying fs doesn't remove privs because copy_range/remap_range are
+called with privileged mounter credentials.
+
+This fixes some failures in fstest generic/673.
+
+Fixes: 8ede205541ff ("ovl: add reflink/copyfile/dedup support")
+Acked-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/file.c |   16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -687,14 +687,23 @@ static loff_t ovl_copyfile(struct file *
+       const struct cred *old_cred;
+       loff_t ret;
++      inode_lock(inode_out);
++      if (op != OVL_DEDUPE) {
++              /* Update mode */
++              ovl_copyattr(ovl_inode_real(inode_out), inode_out);
++              ret = file_remove_privs(file_out);
++              if (ret)
++                      goto out_unlock;
++      }
++
+       ret = ovl_real_fdget(file_out, &real_out);
+       if (ret)
+-              return ret;
++              goto out_unlock;
+       ret = ovl_real_fdget(file_in, &real_in);
+       if (ret) {
+               fdput(real_out);
+-              return ret;
++              goto out_unlock;
+       }
+       old_cred = ovl_override_creds(file_inode(file_out)->i_sb);
+@@ -723,6 +732,9 @@ static loff_t ovl_copyfile(struct file *
+       fdput(real_in);
+       fdput(real_out);
++out_unlock:
++      inode_unlock(inode_out);
++
+       return ret;
+ }
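Review bot: The `op != OVL_DEDUPE` exemption has no comment, so the reason dedupe skips `file_remove_privs()` is left to the reader; I would add above the `if` `/* Dedupe never alters file_out's contents, so, like the VFS remap path, no privs are dropped for it */`. The `/* Update mode */` comment, which looks copied from ovl_write_iter, does not say why `ovl_copyattr()` must run before `file_remove_privs()`; `/* Sync mode/ownership from the real inode so file_remove_privs() sees the current setuid/setgid state */` would make the ordering deliberate, and the identical block in the ovl_fallocate patch below needs the same. ovl_copyfile starts and ends outside both hunks, so `inode_out` is declared outside what is shown.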
diff --git a/queue-5.10/ovl-remove-privs-in-ovl_fallocate.patch b/queue-5.10/ovl-remove-privs-in-ovl_fallocate.patch
new file mode 100644 (file)
index 0000000..e6d72f7
--- /dev/null
@@ -0,0 +1,54 @@
+From 23a8ce16419a3066829ad4a8b7032a75817af65b Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Mon, 17 Oct 2022 17:06:39 +0200
+Subject: ovl: remove privs in ovl_fallocate()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 23a8ce16419a3066829ad4a8b7032a75817af65b upstream.
+
+Underlying fs doesn't remove privs because fallocate is called with
+privileged mounter credentials.
+
+This fixes some failure in fstests generic/683..687.
+
+Fixes: aab8848cee5e ("ovl: add ovl_fallocate()")
+Acked-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/file.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -531,9 +531,16 @@ static long ovl_fallocate(struct file *f
+       const struct cred *old_cred;
+       int ret;
++      inode_lock(inode);
++      /* Update mode */
++      ovl_copyattr(ovl_inode_real(inode), inode);
++      ret = file_remove_privs(file);
++      if (ret)
++              goto out_unlock;
++
+       ret = ovl_real_fdget(file, &real);
+       if (ret)
+-              return ret;
++              goto out_unlock;
+       old_cred = ovl_override_creds(file_inode(file)->i_sb);
+       ret = vfs_fallocate(real.file, mode, offset, len);
+@@ -544,6 +551,9 @@ static long ovl_fallocate(struct file *f
+       fdput(real);
++out_unlock:
++      inode_unlock(inode);
++
+       return ret;
+ }
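Review bot: Nothing in the new block records why overlayfs must strip privs itself, which only the commit message explains (the real fs is called under the mounter's privileged credentials, so its own fallocate will not drop them); I would add above `inode_lock(inode);` a comment such as `/* The real fs runs under mounter creds and won't strip setuid/setgid/caps, so do it here first */`, and the same comment belongs in the ovl_copyfile patch above. `inode` is now held locked across `vfs_fallocate()` on the real file, which as far as I recall matches the ordering ovl_write_iter already uses, so no new lock-order concern is introduced. ovl_fallocate starts and ends outside the hunk; `inode` is declared above what is shown.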
diff --git a/queue-5.10/s390-signal-fix-endless-loop-in-do_signal.patch b/queue-5.10/s390-signal-fix-endless-loop-in-do_signal.patch
new file mode 100644 (file)
index 0000000..0dc6b90
--- /dev/null
@@ -0,0 +1,46 @@
+From sumanthk@linux.ibm.com  Fri Feb 17 15:04:16 2023
+From: Sumanth Korikkar <sumanthk@linux.ibm.com>
+Date: Wed, 15 Feb 2023 15:13:24 +0100
+Subject: [PATCH v2 1/1] s390/signal: fix endless loop in do_signal
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org, debian-s390@lists.debian.org, debian-kernel@lists.debian.org
+Cc: svens@linux.ibm.com, hca@linux.ibm.com, gor@linux.ibm.com, sumanthk@linux.ibm.com, Ulrich.Weigand@de.ibm.com, dipak.zope1@ibm.com
+Message-ID: <20230215141324.1239245-1-sumanthk@linux.ibm.com>
+
+From: Sumanth Korikkar <sumanthk@linux.ibm.com>
+
+No upstream commit exists: the problem addressed here is that 'commit
+75309018a24d ("s390: add support for TIF_NOTIFY_SIGNAL")' was backported
+to 5.10. This commit is broken, but nobody noticed upstream, since
+shortly after s390 converted to generic entry with 'commit 56e62a737028
+("s390: convert to generic entry")', which implicitly fixed the problem
+outlined below.
+
+Thread flag is set to TIF_NOTIFY_SIGNAL for io_uring work.  The io work
+user or syscall calls do_signal when either one of the TIF_SIGPENDING or
+TIF_NOTIFY_SIGNAL flag is set.  However, do_signal does consider only
+TIF_SIGPENDING signal and ignores TIF_NOTIFY_SIGNAL condition.  This
+means get_signal is never invoked  for TIF_NOTIFY_SIGNAL and hence the
+flag is not cleared, which results in an endless do_signal loop.
+
+Reference: 'commit 788d0824269b ("io_uring: import 5.15-stable io_uring")'
+Fixes: 75309018a24d ("s390: add support for TIF_NOTIFY_SIGNAL")
+Cc: stable@vger.kernel.org  # 5.10.162
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Acked-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/signal.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/signal.c
++++ b/arch/s390/kernel/signal.c
+@@ -472,7 +472,7 @@ void do_signal(struct pt_regs *regs)
+       current->thread.system_call =
+               test_pt_regs_flag(regs, PIF_SYSCALL) ? regs->int_code : 0;
+-      if (test_thread_flag(TIF_SIGPENDING) && get_signal(&ksig)) {
++      if (get_signal(&ksig)) {
+               /* Whee!  Actually deliver the signal.  */
+               if (current->thread.system_call) {
+                       regs->int_code = current->thread.system_call;
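Review bot: The new `if (get_signal(&ksig))` drops the TIF_SIGPENDING gate without a comment, and since no upstream commit exists the reason will be invisible to anyone comparing this file against the old upstream line; I would put `/* get_signal() also handles TIF_NOTIFY_SIGNAL, so don't gate on TIF_SIGPENDING here */` above the `if`. This relies on get_signal() being safe to call when do_signal is entered for TIF_NOTIFY_SIGNAL alone, which I believe holds (it returns false with nothing to deliver) but is worth stating in the backport description. do_signal starts and ends outside the hunk.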
index 953587e5d861fc990f7e72c6a70a15f5d968f4f1..bd1ec10c85068c059cad5a6e7df4b3dd0553bdb6 100644 (file)
@@ -13,3 +13,8 @@ nvmem-core-add-error-handling-for-dev_set_name.patch
 nvmem-core-remove-nvmem_config-wp_gpio.patch
 nvmem-core-fix-cleanup-after-dev_set_name.patch
 nvmem-core-fix-registration-vs-use-race.patch
+aio-fix-mremap-after-fork-null-deref.patch
+s390-signal-fix-endless-loop-in-do_signal.patch
+ovl-remove-privs-in-ovl_copyfile.patch
+ovl-remove-privs-in-ovl_fallocate.patch
+netfilter-nft_tproxy-restrict-to-prerouting-hook.patch