From bdf98513a53cb21f0617008bd109e20aa411da66 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 17 Feb 2023 15:15:12 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
aio-fix-mremap-after-fork-null-deref.patch
netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
ovl-remove-privs-in-ovl_copyfile.patch
ovl-remove-privs-in-ovl_fallocate.patch
s390-signal-fix-endless-loop-in-do_signal.patch
---
 ...aio-fix-mremap-after-fork-null-deref.patch | 49 +++++++++++++++
 ...t_tproxy-restrict-to-prerouting-hook.patch | 45 ++++++++++++++
 .../ovl-remove-privs-in-ovl_copyfile.patch | 62 +++++++++++++++++++
 .../ovl-remove-privs-in-ovl_fallocate.patch | 54 ++++++++++++++++
 ...signal-fix-endless-loop-in-do_signal.patch | 46 ++++++++++++++
 queue-5.10/series | 5 ++
 6 files changed, 261 insertions(+)
 create mode 100644 queue-5.10/aio-fix-mremap-after-fork-null-deref.patch
 create mode 100644 queue-5.10/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
 create mode 100644 queue-5.10/ovl-remove-privs-in-ovl_copyfile.patch
 create mode 100644 queue-5.10/ovl-remove-privs-in-ovl_fallocate.patch
 create mode 100644 queue-5.10/s390-signal-fix-endless-loop-in-do_signal.patch

diff --git a/queue-5.10/aio-fix-mremap-after-fork-null-deref.patch b/queue-5.10/aio-fix-mremap-after-fork-null-deref.patch
new file mode 100644
index 00000000000..21a318b6b49
--- /dev/null
+++ b/queue-5.10/aio-fix-mremap-after-fork-null-deref.patch
@@ -0,0 +1,49 @@
+From 81e9d6f8647650a7bead74c5f926e29970e834d1 Mon Sep 17 00:00:00 2001
+From: Seth Jenkins
+Date: Tue, 31 Jan 2023 12:25:55 -0500
+Subject: aio: fix mremap after fork null-deref
+
+From: Seth Jenkins
+
+commit 81e9d6f8647650a7bead74c5f926e29970e834d1 upstream.
+
+Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced
+a null-deref if mremap is called on an old aio mapping after fork as
+mm->ioctx_table will be set to NULL.
+
+[jmoyer@redhat.com: fix 80 column issue]
+Link: https://lkml.kernel.org/r/x49sffq4nvg.fsf@segfault.boston.devel.redhat.com
+Fixes: e4a0d3e720e7 ("aio: Make it possible to remap aio ring")
+Signed-off-by: Seth Jenkins
+Signed-off-by: Jeff Moyer
+Cc: Alexander Viro
+Cc: Benjamin LaHaise
+Cc: Jann Horn
+Cc: Pavel Emelyanov
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/aio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -335,6 +335,9 @@ static int aio_ring_mremap(struct vm_are
+ spin_lock(&mm->ioctx_lock);
+ rcu_read_lock();
+ table = rcu_dereference(mm->ioctx_table);
++ if (!table)
++ goto out_unlock;
++
+ for (i = 0; i < table->nr; i++) {
+ struct kioctx *ctx;
+
+@@ -348,6 +351,7 @@ static int aio_ring_mremap(struct vm_are
+ }
+ }
+
++out_unlock:
+ rcu_read_unlock();
+ spin_unlock(&mm->ioctx_lock);
+ return res;
diff --git a/queue-5.10/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch b/queue-5.10/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
new file mode 100644
index 00000000000..086a0cf421b
--- /dev/null
+++ b/queue-5.10/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
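Review bot: The new `goto out_unlock` returns `res` without assigning it, and the initialisation of `res` sits above the first hunk (aio_ring_mremap's opening line and its closing brace after `return res;` are both outside this view); the child-after-fork case should make mremap() fail rather than report success for a ring that was never re-registered, so either confirm `res` starts out as an error code such as -EINVAL or make that explicit with `if (!table) { res = -EINVAL; goto out_unlock; }`. The trigger described in the message is an unprivileged mremap() on an aio ring mapping inherited across fork() into a child whose `mm->ioctx_table` is NULL, i.e. a user-reachable kernel NULL dereference (local DoS), which the backport note could state for triage. Releasing both `ioctx_lock` and the RCU read lock at the shared label on the early path is correct.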
@@ -0,0 +1,45 @@
+From 18bbc3213383a82b05383827f4b1b882e3f0a5a5 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sat, 20 Aug 2022 17:54:06 +0200
+Subject: netfilter: nft_tproxy: restrict to prerouting hook
+
+From: Florian Westphal
+
+commit 18bbc3213383a82b05383827f4b1b882e3f0a5a5 upstream.
+
+TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.
+This fixes a crash (null dereference) when using tproxy from e.g. output.
+
+Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
+Reported-by: Shell Chen
+Signed-off-by: Florian Westphal
+Signed-off-by: Qingfang DENG
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_tproxy.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/netfilter/nft_tproxy.c
++++ b/net/netfilter/nft_tproxy.c
+@@ -289,6 +289,13 @@ static int nft_tproxy_dump(struct sk_buf
+ return 0;
+ }
+
++static int nft_tproxy_validate(const struct nft_ctx *ctx,
++ const struct nft_expr *expr,
++ const struct nft_data **data)
++{
++ return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
++}
++
+ static struct nft_expr_type nft_tproxy_type;
+ static const struct nft_expr_ops nft_tproxy_ops = {
+ .type = &nft_tproxy_type,
+@@ -296,6 +303,7 @@ static const struct nft_expr_ops nft_tpr
+ .eval = nft_tproxy_eval,
+ .init = nft_tproxy_init,
+ .dump = nft_tproxy_dump,
++ .validate = nft_tproxy_validate,
+ };
+
+ static struct nft_expr_type nft_tproxy_type __read_mostly = {
diff --git a/queue-5.10/ovl-remove-privs-in-ovl_copyfile.patch b/queue-5.10/ovl-remove-privs-in-ovl_copyfile.patch
new file mode 100644
index 00000000000..402709a0efc
--- /dev/null
+++ b/queue-5.10/ovl-remove-privs-in-ovl_copyfile.patch
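Review bot: `nft_tproxy_validate()` carries no comment explaining why only NF_INET_PRE_ROUTING is accepted, and a bare hook mask is exactly the kind of restriction a later change relaxes; suggest above the function `/* TPROXY is only valid in prerouting (same hook mask as the xt_TPROXY target, as far as I recall); evaluating it from another hook such as output crashes (NULL deref). */`. Because `.validate` is applied when the rule set is committed, a rule set that previously loaded and then crashed at evaluation time will now be rejected up front with the error nft_chain_validate_hooks() returns (-EOPNOTSUPP, if I remember the helper correctly), which is a user-visible change worth a line in the backport note. Loading nft rules needs only CAP_NET_ADMIN, which an unprivileged user may hold inside their own network namespace, so the crash this closes should be treated as a local DoS candidate.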
@@ -0,0 +1,62 @@
+From b306e90ffabdaa7e3b3350dbcd19b7663e71ab17 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein
+Date: Mon, 17 Oct 2022 17:06:38 +0200
+Subject: ovl: remove privs in ovl_copyfile()
+
+From: Amir Goldstein
+
+commit b306e90ffabdaa7e3b3350dbcd19b7663e71ab17 upstream.
+
+Underlying fs doesn't remove privs because copy_range/remap_range are
+called with privileged mounter credentials.
+
+This fixes some failures in fstest generic/673.
+
+Fixes: 8ede205541ff ("ovl: add reflink/copyfile/dedup support")
+Acked-by: Miklos Szeredi
+Signed-off-by: Amir Goldstein
+Signed-off-by: Christian Brauner (Microsoft)
+Signed-off-by: Amir Goldstein
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/overlayfs/file.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -687,14 +687,23 @@ static loff_t ovl_copyfile(struct file *
+ const struct cred *old_cred;
+ loff_t ret;
+
++ inode_lock(inode_out);
++ if (op != OVL_DEDUPE) {
++ /* Update mode */
++ ovl_copyattr(ovl_inode_real(inode_out), inode_out);
++ ret = file_remove_privs(file_out);
++ if (ret)
++ goto out_unlock;
++ }
++
+ ret = ovl_real_fdget(file_out, &real_out);
+ if (ret)
+- return ret;
++ goto out_unlock;
+
+ ret = ovl_real_fdget(file_in, &real_in);
+ if (ret) {
+ fdput(real_out);
+- return ret;
++ goto out_unlock;
+ }
+
+ old_cred = ovl_override_creds(file_inode(file_out)->i_sb);
+@@ -723,6 +732,9 @@ static loff_t ovl_copyfile(struct file *
+ fdput(real_in);
+ fdput(real_out);
+
++out_unlock:
++ inode_unlock(inode_out);
++
+ return ret;
+ }
+
diff --git a/queue-5.10/ovl-remove-privs-in-ovl_fallocate.patch b/queue-5.10/ovl-remove-privs-in-ovl_fallocate.patch
new file mode 100644
index 00000000000..e6d72f761bd
--- /dev/null
+++ b/queue-5.10/ovl-remove-privs-in-ovl_fallocate.patch
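Review bot: The `/* Update mode */` comment on the new block says nothing about why the block exists or why it must precede `ovl_override_creds()`: per the commit message the real filesystem runs copy_range/remap_range as the privileged mounter and therefore never strips setuid/setgid from a file an unprivileged caller has just modified, so `file_remove_privs()` has to run here, under the caller's own credentials. Suggest replacing it with `/* Refresh i_mode from the real inode, then strip setuid/setgid (and, I believe, security.capability) under the caller's creds: the real fs below runs as the mounter and will not. */`. Skipping OVL_DEDUPE is reasonable, since dedupe should not change the destination's contents. `inode_out` is declared above the hunk and the actual copy/clone call between the two hunks is not shown, yet `inode_lock(inode_out)` is now held across it — confirm this is the same lock nesting ovl_write_iter() already uses in this file rather than a new one.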
@@ -0,0 +1,54 @@
+From 23a8ce16419a3066829ad4a8b7032a75817af65b Mon Sep 17 00:00:00 2001
+From: Amir Goldstein
+Date: Mon, 17 Oct 2022 17:06:39 +0200
+Subject: ovl: remove privs in ovl_fallocate()
+
+From: Amir Goldstein
+
+commit 23a8ce16419a3066829ad4a8b7032a75817af65b upstream.
+
+Underlying fs doesn't remove privs because fallocate is called with
+privileged mounter credentials.
+
+This fixes some failure in fstests generic/683..687.
+
+Fixes: aab8848cee5e ("ovl: add ovl_fallocate()")
+Acked-by: Miklos Szeredi
+Signed-off-by: Amir Goldstein
+Signed-off-by: Christian Brauner (Microsoft)
+Signed-off-by: Amir Goldstein
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/overlayfs/file.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -531,9 +531,16 @@ static long ovl_fallocate(struct file *f
+ const struct cred *old_cred;
+ int ret;
+
++ inode_lock(inode);
++ /* Update mode */
++ ovl_copyattr(ovl_inode_real(inode), inode);
++ ret = file_remove_privs(file);
++ if (ret)
++ goto out_unlock;
++
+ ret = ovl_real_fdget(file, &real);
+ if (ret)
+- return ret;
++ goto out_unlock;
+
+ old_cred = ovl_override_creds(file_inode(file)->i_sb);
+ ret = vfs_fallocate(real.file, mode, offset, len);
+@@ -544,6 +551,9 @@ static long ovl_fallocate(struct file *f
+
+ fdput(real);
+
++out_unlock:
++ inode_unlock(inode);
++
+ return ret;
+ }
+
diff --git a/queue-5.10/s390-signal-fix-endless-loop-in-do_signal.patch b/queue-5.10/s390-signal-fix-endless-loop-in-do_signal.patch
new file mode 100644
index 00000000000..0dc6b90afc3
--- /dev/null
+++ b/queue-5.10/s390-signal-fix-endless-loop-in-do_signal.patch
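Review bot: The strip now happens before `ovl_real_fdget()` and `vfs_fallocate(real.file, ...)`, so when the real filesystem rejects the request (ENOSPC, or -EOPNOTSUPP on a lower fs without `.fallocate`) the file has already lost its setuid/setgid bits, whereas a plain filesystem strips only after its own checks pass. That is the safe direction and appears to be the same ordering ovl_write_iter() uses, but it is a visible semantic difference that deserves recording, e.g. `/* Strip privs before the real op: a fallocate() the real fs rejects may still have cleared setuid/setgid. */`. The `/* Update mode */` comment should also say why the refresh matters — `file_remove_privs()` decides from the overlay inode's i_mode, which is presumably stale until `ovl_copyattr()` copies it from the real inode. ovl_fallocate's signature line and the credential restore between the two hunks are outside this view.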
@@ -0,0 +1,46 @@
+From sumanthk@linux.ibm.com Fri Feb 17 15:04:16 2023
+From: Sumanth Korikkar
+Date: Wed, 15 Feb 2023 15:13:24 +0100
+Subject: [PATCH v2 1/1] s390/signal: fix endless loop in do_signal
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org, debian-s390@lists.debian.org, debian-kernel@lists.debian.org
+Cc: svens@linux.ibm.com, hca@linux.ibm.com, gor@linux.ibm.com, sumanthk@linux.ibm.com, Ulrich.Weigand@de.ibm.com, dipak.zope1@ibm.com
+Message-ID: <20230215141324.1239245-1-sumanthk@linux.ibm.com>
+
+From: Sumanth Korikkar
+
+No upstream commit exists: the problem addressed here is that 'commit
+75309018a24d ("s390: add support for TIF_NOTIFY_SIGNAL")' was backported
+to 5.10. This commit is broken, but nobody noticed upstream, since
+shortly after s390 converted to generic entry with 'commit 56e62a737028
+("s390: convert to generic entry")', which implicitly fixed the problem
+outlined below.
+
+Thread flag is set to TIF_NOTIFY_SIGNAL for io_uring work. The io work
+user or syscall calls do_signal when either one of the TIF_SIGPENDING or
+TIF_NOTIFY_SIGNAL flag is set. However, do_signal does consider only
+TIF_SIGPENDING signal and ignores TIF_NOTIFY_SIGNAL condition. This
+means get_signal is never invoked for TIF_NOTIFY_SIGNAL and hence the
+flag is not cleared, which results in an endless do_signal loop.
+
+Reference: 'commit 788d0824269b ("io_uring: import 5.15-stable io_uring")'
+Fixes: 75309018a24d ("s390: add support for TIF_NOTIFY_SIGNAL")
+Cc: stable@vger.kernel.org # 5.10.162
+Acked-by: Heiko Carstens
+Acked-by: Sven Schnelle
+Signed-off-by: Sumanth Korikkar
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/signal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/signal.c
++++ b/arch/s390/kernel/signal.c
+@@ -472,7 +472,7 @@ void do_signal(struct pt_regs *regs)
+ current->thread.system_call =
+ test_pt_regs_flag(regs, PIF_SYSCALL) ? regs->int_code : 0;
+
+- if (test_thread_flag(TIF_SIGPENDING) && get_signal(&ksig)) {
++ if (get_signal(&ksig)) {
+ /* Whee! Actually deliver the signal. */
+ if (current->thread.system_call) {
+ regs->int_code = current->thread.system_call;
diff --git a/queue-5.10/series b/queue-5.10/series
index 953587e5d86..bd1ec10c850 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -13,3 +13,8 @@ nvmem-core-add-error-handling-for-dev_set_name.patch
 nvmem-core-remove-nvmem_config-wp_gpio.patch
 nvmem-core-fix-cleanup-after-dev_set_name.patch
 nvmem-core-fix-registration-vs-use-race.patch
+aio-fix-mremap-after-fork-null-deref.patch
+s390-signal-fix-endless-loop-in-do_signal.patch
+ovl-remove-privs-in-ovl_copyfile.patch
+ovl-remove-privs-in-ovl_fallocate.patch
+netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
-- 
2.47.2
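Review bot: The new unconditional `if (get_signal(&ksig))` has no comment recording why the `TIF_SIGPENDING` gate went away, and since this fix has no upstream counterpart it is easy to "correct" back during a later rebase; suggest above it `/* get_signal() also consumes TIF_NOTIFY_SIGNAL (task_work/io_uring) and clears it; gating on TIF_SIGPENDING alone leaves the flag set and do_signal() re-entered forever. */`. Per the commit message do_signal() is only entered when one of the two flags is set, so the unconditional call adds no work on the fast path. The remainder of do_signal(), including whatever re-enters it while the flag stays set, lies outside the hunk, so I take the endless-loop description on trust. Any unprivileged process able to use io_uring could presumably reach this, which makes it a local DoS for stable triage purposes.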