[Devel] [PATCH vz7 0/6] user_namespace uidhash use after free

2023-09-28 Thread Alexander Atanasov
The first patch in the series is essential - it is the one fixing the bug. Other patches accumulated while chasing the bug. For a detailed explanation see the commit messages of first patch. https://jira.vzint.dev/browse/PSBM-151029 Alexander Atanasov (3): ve/userns: remove all hashed entries b

[Devel] [PATCH vz7 2/6] userns: initialize user_init_ns earlier

2023-09-28 Thread Alexander Atanasov
user_namespaces_init was converted from module_init to subsys_initcall, which is called at a later point. init_user_ns is used before that call in sget(...). So move the initialization of ucount_max into the declaration of init_user_ns. https://jira.vzint.dev/browse/PSBM-151029 Signed-off-by: Alexand

[Devel] [PATCH vz7 5/6] ipc: prevent lockup on alloc_msg and free_msg

2023-09-28 Thread Alexander Atanasov
From: Li Rongqing msgctl10 of ltp triggers the following lockup. When CONFIG_KASAN is enabled on large-memory SMP systems, page initialization can take a long time; if msgctl10 requests a huge block of memory, it will block the RCU scheduler, so release the CPU actively. After adding schedule() in

[Devel] [PATCH vz7 1/6] ve/userns: remove all hashed entries before freeing user_namespace

2023-09-28 Thread Alexander Atanasov
548df8b4b57b (ve/userns: associate user_struct with the user_namespace, 2017-03-13) introduced a dynamically allocated per-userns uid hashtable instead of using a global static hash table. The problem with that allocated hashtable is that the life cycle of the two objects is different - both structs use
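A userspace model of the lifetime mismatch the commit message describes, added here as an example; it is not code from the patch or from the vz7 kernel, and every struct and function name (ex_user, ex_userns, ex_hash_add, ex_hash_del, ex_userns_free_fixed and the rest) is this example's own stand-in for the kernel structures. The per-namespace table is freed with the namespace, while the hashed objects are kept alive independently, as a still-referenced user_struct would be; the buggy teardown leaves their list links pointing into freed memory, and the fixed teardown unhashes every entry before the free.

```c
#include <stdbool.h>
#include <stdlib.h>

/*
 * Added example, not code from the patch or the vz7 kernel: a model of a
 * per-namespace hash table whose entries can outlive the namespace.
 * All names are this example's own stand-ins for the kernel structures.
 */
#define EX_HASH_BITS 4
#define EX_HASH_SIZE (1u << EX_HASH_BITS)

struct ex_user {
    struct ex_user *next;    /* hlist-style links into the owning table */
    struct ex_user **pprev;  /* NULL when not hashed */
    unsigned int uid;
};

struct ex_userns {
    struct ex_user *table[EX_HASH_SIZE];  /* freed together with the ns */
};

static unsigned int ex_hash(unsigned int uid)
{
    return uid & (EX_HASH_SIZE - 1);
}

static void ex_hash_add(struct ex_userns *ns, struct ex_user *u)
{
    struct ex_user **head = &ns->table[ex_hash(u->uid)];

    u->next = *head;
    if (u->next)
        u->next->pprev = &u->next;
    u->pprev = head;
    *head = u;
}

/* Unlink u from whatever table it is in. This writes through u->pprev, so
 * it is exactly the operation that becomes a use-after-free once the table
 * has been freed underneath the entry. */
static void ex_hash_del(struct ex_user *u)
{
    if (!u->pprev)
        return;
    *u->pprev = u->next;
    if (u->next)
        u->next->pprev = u->pprev;
    u->next = NULL;
    u->pprev = NULL;
}

static bool ex_user_hashed(const struct ex_user *u)
{
    return u->pprev != NULL;
}

/* Buggy teardown: the table goes away while entries still point into it. */
static void ex_userns_free_buggy(struct ex_userns *ns)
{
    free(ns);
}

/* Fixed teardown: remove all hashed entries, then free the table. */
static void ex_userns_free_fixed(struct ex_userns *ns)
{
    for (unsigned int i = 0; i < EX_HASH_SIZE; i++)
        while (ns->table[i])
            ex_hash_del(ns->table[i]);
    free(ns);
}

/* Build a namespace with two users sharing one bucket, tear it down one
 * way or the other, and report how many users are still linked into the
 * freed table. The users are stack objects kept alive past the teardown,
 * so their (possibly dangling) links can be inspected without touching ns. */
static int ex_dangling_after_teardown(bool fixed)
{
    struct ex_userns *ns = calloc(1, sizeof(*ns));
    struct ex_user a = { .uid = 1000 }, b = { .uid = 1016 }; /* same bucket */
    int dangling;

    if (!ns)
        return -1;
    ex_hash_add(ns, &a);
    ex_hash_add(ns, &b);
    if (fixed)
        ex_userns_free_fixed(ns);
    else
        ex_userns_free_buggy(ns);
    dangling = ex_user_hashed(&a) + ex_user_hashed(&b);
    /* Safe only after the fixed teardown: pprev is NULL, so nothing is
     * written into the freed table. */
    if (fixed) {
        ex_hash_del(&a);
        ex_hash_del(&b);
    }
    return dangling;
}
```

With the fixed teardown no user remains hashed and a later unhash is a no-op; with the buggy one both users still carry pointers into the freed table, and the next ex_hash_del on either of them would write into freed memory.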

[Devel] [PATCH vz7 3/6] lists: convert list.h to use READ/WRITE_ONCE

2023-09-28 Thread Alexander Atanasov
This is based on different commits from newer kernel versions. https://jira.vzint.dev/browse/PSBM-151029 Signed-off-by: Alexander Atanasov --- include/linux/list.h | 51 +++- 1 file changed, 27 insertions(+), 24 deletions(-) diff --git a/include/linux/lis

[Devel] [PATCH vz7 4/6] netfilter: compat: initialize all fields in xt_init

2023-09-28 Thread Alexander Atanasov
From: Francesco Ruggeri If a non-zero value happens to be in xt[NFPROTO_BRIDGE].cur at init time, the following panic can be caused by running % ebtables -t broute -F BROUTING from a 32-bit user level on a 64-bit kernel. This patch replaces kmalloc_array with kcalloc when allocating xt. [ 474

[Devel] [PATCH vz7 6/6] ipc/mqueue.c: only perform resource calculation if user valid

2023-09-28 Thread Alexander Atanasov
From: Kees Cook Andreas Christoforou reported: UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow: 9 * 2305843009213693951 cannot be represented in type 'long int' ... Call Trace: mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414 evict+0x472/0x8c0 fs/inode.c:
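A model of the eviction-time accounting the UBSAN report is about, added here as an example; it is not code from ipc/mqueue.c or from the patch, and all struct and function names (ex_user, ex_mq_attr, ex_mq_info, ex_mq_bytes, ex_mq_evict) are this example's own. It combines the check the patch title describes, skipping the calculation when there is no valid user, with overflow-checked arithmetic so that operands like the reported 9 * 2305843009213693951 are rejected instead of wrapping. It assumes an LP64 target where long is 64 bits, matching the 'long int' in the report.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Added example, not code from ipc/mqueue.c or the patch above. All names
 * are this example's own. Assumes LP64 (64-bit long).
 */
struct ex_user {
    long mq_bytes;            /* bytes currently charged to this user */
};

struct ex_mq_attr {
    long mq_maxmsg;           /* maximum number of queued messages */
    long mq_msgsize;          /* maximum size of one message */
};

struct ex_mq_info {
    struct ex_user *user;     /* NULL when the inode never got a valid user */
    struct ex_mq_attr attr;
};

/* Bytes to account: mq_maxmsg * (per-message overhead + mq_msgsize).
 * Returns false, leaving *bytes untouched, if an operand is negative or
 * any step would overflow long. */
static bool ex_mq_bytes(const struct ex_mq_attr *attr, long per_msg_overhead,
                        long *bytes)
{
    long per_msg, total;

    if (attr->mq_maxmsg < 0 || attr->mq_msgsize < 0 || per_msg_overhead < 0)
        return false;
    if (__builtin_add_overflow(attr->mq_msgsize, per_msg_overhead, &per_msg))
        return false;
    if (__builtin_mul_overflow(attr->mq_maxmsg, per_msg, &total))
        return false;
    *bytes = total;
    return true;
}

/* Eviction-time accounting. Returns 0 when nothing is charged because
 * there is no valid user, 1 when the user's charge was released, and -1
 * when the resource calculation would overflow. */
static int ex_mq_evict(struct ex_mq_info *info, long per_msg_overhead)
{
    long bytes;

    if (!info->user)
        return 0;
    if (!ex_mq_bytes(&info->attr, per_msg_overhead, &bytes))
        return -1;
    info->user->mq_bytes -= bytes;
    return 1;
}
```

The NULL-user check is the ordering point: the attributes of an inode that never acquired a user are not meaningful, so the arithmetic is skipped rather than made to tolerate garbage; the overflow checks are a second, independent guard for attributes that are set but simply too large.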

[Devel] [PATCH RHEL9] fs/fuse: fix broken 'fuse_invalidate_files()'

2023-09-28 Thread Kui Liu
Use the correct lock to protect the kill_requests operation on all request queues. Testing the FUSE_S_FAIL_IMMEDIATELY bit needs to be done with the corresponding lock held to prevent new requests from being added to a queue after it has been killed. Adjust the order of queues that kill_request operation is perform