--- /dev/null
+From 5d6d3a301c4e749e04be6fcdcf4cb1ffa8bae524 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 12 Sep 2017 16:57:53 +0200
+Subject: fuse: allow server to run in different pid_ns
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 5d6d3a301c4e749e04be6fcdcf4cb1ffa8bae524 upstream.
+
+Commit 0b6e9ea041e6 ("fuse: Add support for pid namespaces") broke
+Sandstorm.io development tools, which have been sending FUSE file
+descriptors across PID namespace boundaries since early 2014.
+
+The above patch added a check that prevented I/O on the fuse device file
+descriptor if the pid namespace of the reader/writer was different from the
+pid namespace of the mounter. With this change passing the device file
+descriptor to a different pid namespace simply doesn't work. The check was
+added because pids are transferred to/from the fuse userspace server in the
+namespace registered at mount time.
+
+To fix this regression, remove the checks and do the following:
+
+1) the pid in the request header (the pid of the task that initiated the
+filesystem operation) is translated to the reader's pid namespace. If a
+mapping doesn't exist for this pid, then a zero pid is used. Note: even if
+a mapping would exist between the initiator task's pid namespace and the
+reader's pid namespace the pid will be zero if either mapping from
+initator's to mounter's namespace or mapping from mounter's to reader's
+namespace doesn't exist.
+
+2) The lk.pid value in setlk/setlkw requests and getlk reply is left alone.
+Userspace should not interpret this value anyway. Also allow the
+setlk/setlkw operations if the pid of the task cannot be represented in the
+mounter's namespace (pid being zero in that case).
+
+Reported-by: Kenton Varda <kenton@sandstorm.io>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 0b6e9ea041e6 ("fuse: Add support for pid namespaces")
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Seth Forshee <seth.forshee@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c | 13 +++++++------
+ fs/fuse/file.c | 3 ---
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1222,9 +1222,6 @@ static ssize_t fuse_dev_do_read(struct f
+ struct fuse_in *in;
+ unsigned reqsize;
+
+- if (task_active_pid_ns(current) != fc->pid_ns)
+- return -EIO;
+-
+ restart:
+ spin_lock(&fiq->waitq.lock);
+ err = -EAGAIN;
+@@ -1262,6 +1259,13 @@ static ssize_t fuse_dev_do_read(struct f
+
+ in = &req->in;
+ reqsize = in->h.len;
++
++ if (task_active_pid_ns(current) != fc->pid_ns) {
++ rcu_read_lock();
++ in->h.pid = pid_vnr(find_pid_ns(in->h.pid, fc->pid_ns));
++ rcu_read_unlock();
++ }
++
+ /* If request is too large, reply with an error and restart the read */
+ if (nbytes < reqsize) {
+ req->out.h.error = -EIO;
+@@ -1823,9 +1827,6 @@ static ssize_t fuse_dev_do_write(struct
+ struct fuse_req *req;
+ struct fuse_out_header oh;
+
+- if (task_active_pid_ns(current) != fc->pid_ns)
+- return -EIO;
+-
+ if (nbytes < sizeof(struct fuse_out_header))
+ return -EINVAL;
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -2180,9 +2180,6 @@ static int fuse_setlk(struct file *file,
+ if ((fl->fl_flags & FL_CLOSE_POSIX) == FL_CLOSE_POSIX)
+ return 0;
+
+- if (pid && pid_nr == 0)
+- return -EOVERFLOW;
+-
+ fuse_lk_fill(&args, file, fl, opcode, pid_nr, flock, &inarg);
+ err = fuse_simple_request(fc, &args);
+
--- /dev/null
+From a47f68d6a944113bdc8097db6f933c2e17c27bf9 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 13 Sep 2017 16:28:11 -0700
+Subject: idr: remove WARN_ON_ONCE() when trying to replace negative ID
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit a47f68d6a944113bdc8097db6f933c2e17c27bf9 upstream.
+
+IDR only supports non-negative IDs. There used to be a 'WARN_ON_ONCE(id <
+0)' in idr_replace(), but it was intentionally removed by commit
+2e1c9b286765 ("idr: remove WARN_ON_ONCE() on negative IDs").
+
+Then it was added back by commit 0a835c4f090a ("Reimplement IDR and IDA
+using the radix tree"). However it seems that adding it back was a
+mistake, given that some users such as drm_gem_handle_delete()
+(DRM_IOCTL_GEM_CLOSE) pass in a value from userspace to idr_replace(),
+allowing the WARN_ON_ONCE to be triggered. drm_gem_handle_delete()
+actually just wants idr_replace() to return an error code if the ID is
+not allocated, including in the case where the ID is invalid (negative).
+
+So once again remove the bogus WARN_ON_ONCE().
+
+This bug was found by syzkaller, which encountered the following
+warning:
+
+ WARNING: CPU: 3 PID: 3008 at lib/idr.c:157 idr_replace+0x1d8/0x240 lib/idr.c:157
+ Kernel panic - not syncing: panic_on_warn set ...
+
+ CPU: 3 PID: 3008 Comm: syzkaller218828 Not tainted 4.13.0-rc4-next-20170811 #2
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:190
+ do_trap_no_signal arch/x86/kernel/traps.c:224 [inline]
+ do_trap+0x260/0x390 arch/x86/kernel/traps.c:273
+ do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:310
+ do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323
+ invalid_op+0x1e/0x30 arch/x86/entry/entry_64.S:930
+ RIP: 0010:idr_replace+0x1d8/0x240 lib/idr.c:157
+ RSP: 0018:ffff8800394bf9f8 EFLAGS: 00010297
+ RAX: ffff88003c6c60c0 RBX: 1ffff10007297f43 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800394bfa78
+ RBP: ffff8800394bfae0 R08: ffffffff82856487 R09: 0000000000000000
+ R10: ffff8800394bf9a8 R11: ffff88006c8bae28 R12: ffffffffffffffff
+ R13: ffff8800394bfab8 R14: dffffc0000000000 R15: ffff8800394bfbc8
+ drm_gem_handle_delete+0x33/0xa0 drivers/gpu/drm/drm_gem.c:297
+ drm_gem_close_ioctl+0xa1/0xe0 drivers/gpu/drm/drm_gem.c:671
+ drm_ioctl_kernel+0x1e7/0x2e0 drivers/gpu/drm/drm_ioctl.c:729
+ drm_ioctl+0x72e/0xa50 drivers/gpu/drm/drm_ioctl.c:825
+ vfs_ioctl fs/ioctl.c:45 [inline]
+ do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:685
+ SYSC_ioctl fs/ioctl.c:700 [inline]
+ SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Here is a C reproducer:
+
+ #include <fcntl.h>
+ #include <stddef.h>
+ #include <stdint.h>
+ #include <sys/ioctl.h>
+ #include <drm/drm.h>
+
+ int main(void)
+ {
+ int cardfd = open("/dev/dri/card0", O_RDONLY);
+
+ ioctl(cardfd, DRM_IOCTL_GEM_CLOSE,
+ &(struct drm_gem_close) { .handle = -1 } );
+ }
+
+Link: http://lkml.kernel.org/r/20170906235306.20534-1-ebiggers3@gmail.com
+Fixes: 0a835c4f090a ("Reimplement IDR and IDA using the radix tree")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Matthew Wilcox <mawilcox@microsoft.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/idr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/idr.c
++++ b/lib/idr.c
+@@ -154,7 +154,7 @@ void *idr_replace(struct idr *idr, void
+ void __rcu **slot = NULL;
+ void *entry;
+
+- if (WARN_ON_ONCE(id < 0))
++ if (id < 0)
+ return ERR_PTR(-EINVAL);
+ if (WARN_ON_ONCE(radix_tree_is_internal_node(ptr)))
+ return ERR_PTR(-EINVAL);
projects / thirdparty / kernel / stable-queue.git / commitdiff
