[Kernel-packages] [Bug 1860041] Re: shiftfs: prevent lower dentries from going negative during unlink
** Changed in: linux (Ubuntu Disco) Status: Fix Committed => Won't Fix -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1860041 Title: shiftfs: prevent lower dentries from going negative during unlink Status in linux package in Ubuntu: Fix Released Status in linux source package in Disco: Won't Fix Status in linux source package in Eoan: Fix Released Bug description: SRU Justification Impact: All non-special files (For shiftfs this only includes fifos and - for this case - unix sockets - since we don't allow character and block devices to be created.) go through shiftfs_open() and have their dentry pinned through this codepath preventing it from going negative. But fifos don't use the shiftfs fops but rather use the pipefifo_fops which means they do not go through shiftfs_open() and thus don't have their dentry pinned that way. Thus, the lower dentries for such files can go negative on unlink causing segfaults. The following C program can be used to reproduce the crash: #include #include #include #include #include #include #include int main(int argc, char *argv[]) { struct stat stat; unlink("./bbb"); int ret = mknod("./bbb", S_IFIFO|0666, 0); if (ret < 0) exit(1); int fd = open("./bbb", O_RDWR); if (fd < 0) exit(2); if (unlink("./bbb")) exit(4); fstat(fd, ); return 0; } Fix: Similar to ecryptfs we need to dget() the lower dentry before calling vfs_unlink() on it and dput() it afterwards. Regression Potential: Limited to shiftfs. Test Case: Compiled a kernel with the fix and used the reproducer above to verify that the kernel cannot be crashed anymore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860041/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1860041] Re: shiftfs: prevent lower dentries from going negative during unlink
This bug was fixed in the package linux - 5.4.0-18.22 --- linux (5.4.0-18.22) focal; urgency=medium * focal/linux: 5.4.0-18.22 -proposed tracker (LP: #1866488) * Packaging resync (LP: #1786013) - [Packaging] resync getabis - [Packaging] update helper scripts * Add sysfs attribute to show remapped NVMe (LP: #1863621) - SAUCE: ata: ahci: Add sysfs attribute to show remapped NVMe device count * [20.04 FEAT] Compression improvements in Linux kernel (LP: #1830208) - lib/zlib: add s390 hardware support for kernel zlib_deflate - s390/boot: rename HEAP_SIZE due to name collision - lib/zlib: add s390 hardware support for kernel zlib_inflate - s390/boot: add dfltcc= kernel command line parameter - lib/zlib: add zlib_deflate_dfltcc_enabled() function - btrfs: use larger zlib buffer for s390 hardware compression - [Config] Introducing s390x specific kernel config option CONFIG_ZLIB_DFLTCC * [UBUNTU 20.04] s390x/pci: increase CONFIG_PCI_NR_FUNCTIONS to 512 in kernel config (LP: #1866056) - [Config] Increase CONFIG_PCI_NR_FUNCTIONS from 64 to 512 starting with focal on s390x * CONFIG_IP_MROUTE_MULTIPLE_TABLES is not set (LP: #1865332) - [Config] CONFIG_IP_MROUTE_MULTIPLE_TABLES=y * Dell XPS 13 9300 Intel 1650S wifi [34f0:1651] fails to load firmware (LP: #1865962) - iwlwifi: remove IWL_DEVICE_22560/IWL_DEVICE_FAMILY_22560 - iwlwifi: 22000: fix some indentation - iwlwifi: pcie: rx: use rxq queue_size instead of constant - iwlwifi: allocate more receive buffers for HE devices - iwlwifi: remove some outdated iwl22000 configurations - iwlwifi: assume the driver_data is a trans_cfg, but allow full cfg * [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled (LP: #1861521) - Revert "USUNTU: SAUCE: drm/i915: Force DPCD backlight mode on Dell Precision 4K sku" - Revert "UBUNTU: SAUCE: drm/i915: Force DPCD backlight mode on X1 Extreme 2nd Gen 4K AMOLED panel" - SAUCE: drm/dp: Introduce EDID-based quirks - SAUCE: drm/i915: Force DPCD backlight mode on X1 Extreme 2nd Gen 4K AMOLED panel - SAUCE: drm/i915: Force DPCD backlight mode for some Dell CML 2020 panels * [20.04 FEAT] Enable proper kprobes on ftrace support (LP: #1865858) - s390/ftrace: save traced function caller - s390: support KPROBES_ON_FTRACE * alsa/sof: load different firmware on different platforms (LP: #1857409) - ASoC: SOF: Intel: hda: use fallback for firmware name - ASoC: Intel: acpi-match: split CNL tables in three - ASoC: SOF: Intel: Fix CFL and CML FW nocodec binary names. * [UBUNTU 20.04] Enable CONFIG_NET_SWITCHDEV in kernel config for s390x starting with focal (LP: #1865452) - [Config] Enable CONFIG_NET_SWITCHDEV in kernel config for s390x starting with focal * Focal update: v5.4.24 upstream stable release (LP: #1866333) - io_uring: grab ->fs as part of async offload - EDAC: skx_common: downgrade message importance on missing PCI device - net: dsa: b53: Ensure the default VID is untagged - net: fib_rules: Correctly set table field when table number exceeds 8 bits - net: macb: ensure interface is not suspended on at91rm9200 - net: mscc: fix in frame extraction - net: phy: restore mdio regs in the iproc mdio driver - net: sched: correct flower port blocking - net/tls: Fix to avoid gettig invalid tls record - nfc: pn544: Fix occasional HW initialization failure - qede: Fix race between rdma destroy workqueue and link change event - Revert "net: dev: introduce support for sch BYPASS for lockless qdisc" - udp: rehash on disconnect - sctp: move the format error check out of __sctp_sf_do_9_1_abort - bnxt_en: Improve device shutdown method. - bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs. - bonding: add missing netdev_update_lockdep_key() - net: export netdev_next_lower_dev_rcu() - bonding: fix lockdep warning in bond_get_stats() - ipv6: Fix route replacement with dev-only route - ipv6: Fix nlmsg_flags when splitting a multipath route - ipmi:ssif: Handle a possible NULL pointer reference - drm/msm: Set dma maximum segment size for mdss - sched/core: Don't skip remote tick for idle CPUs - timers/nohz: Update NOHZ load in remote tick - sched/fair: Prevent unlimited runtime on throttled group - dax: pass NOWAIT flag to iomap_apply - mac80211: consider more elements in parsing CRC - cfg80211: check wiphy driver existence for drvinfo report - s390/zcrypt: fix card and queue total counter wrap - qmi_wwan: re-add DW5821e pre-production variant - qmi_wwan: unconditionally reject 2 ep interfaces - NFSv4: Fix races between open and dentry revalidation - perf/smmuv3: Use platform_get_irq_optional() for wired interrupt - perf/x86/intel: Add Elkhart Lake support - perf/x86/cstate: Add Tremont
[Kernel-packages] [Bug 1860041] Re: shiftfs: prevent lower dentries from going negative during unlink
This bug was fixed in the package linux - 5.3.0-42.34 --- linux (5.3.0-42.34) eoan; urgency=medium * eoan/linux: 5.3.0-42.34 -proposed tracker (LP: #1865111) * CVE-2020-2732 - KVM: nVMX: Don't emulate instructions in guest mode - KVM: nVMX: Refactor IO bitmap checks into helper function - KVM: nVMX: Check IO instruction VM-exit conditions linux (5.3.0-41.33) eoan; urgency=medium * eoan/linux: 5.3.0-41.33 -proposed tracker (LP: #1863294) * CVE-2019-3016 - x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit - x86/kvm: Introduce kvm_(un)map_gfn() - x86/kvm: Cache gfn to pfn translation - x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed - x86/KVM: Clean up host's steal time structure * Reduce s2idle power consumption when ethernet cable is connected on e1000e (LP: #1859126) - e1000e: Add support for S0ix * alsa/sof: let legacy hda driver and sof driver co-exist (LP: #1837828) - ASoC: Intel: Skylake: move NHLT header to common directory - ALSA: hda: move parts of NHLT code to new module - ALSA: hda: intel-nhlt: handle NHLT VENDOR_DEFINED DMIC geometry - ASoC: Intel: Skylake: use common NHLT module - ALSA: hda/intel: stop probe if DMICS are detected on Skylake+ platforms - [Config] Enable SND_HDA_INTEL_DETECT_DMIC * USB key cannot be detected by hotplug on Sunix USB Type-A 3.1 Gen 2 card [1b21:2142] (LP: #1858988) - SAUCE: PCI: Avoid ASMedia XHCI USB PME# from D0 defect * ipsec interfaces: fix sending with bpf_redirect() / AF_PACKET sockets (LP: #1860969) - vti[6]: fix packet tx through bpf_redirect() - xfrm interface: fix packet tx through bpf_redirect() * peripheral devices on Dell WD19TB cannot be detected after suspend resume (LP: #1859407) - PCI: irq: Introduce rearm_wake_irq() - ACPICA: Return u32 from acpi_dispatch_gpe() - ACPI: EC: Return bool from acpi_ec_dispatch_gpe() - ACPI: PM: Set s2idle_wakeup earlier and clear it later - PM: sleep: Simplify suspend-to-idle control flow - ACPI: EC: Rework flushing of pending work * Dell XPS 13 (7390) Display Flickering - 19.10 (LP: #1849947) - SAUCE: drm/i915: Disable PSR by default on all platforms * Root can lift kernel lockdown via USB/IP (LP: #1861238) - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel lockdown" * [CML-H] Add intel_thermal_pch driver support Comet Lake -H (LP: #1853219) - thermal: intel: intel_pch_thermal: Add Comet Lake (CML) platform support * Eoan update: upstream stable patchset 2020-02-07 (LP: #1862429) - ARM: dts: meson8: fix the size of the PMU registers - clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs - dt-bindings: reset: meson8b: fix duplicate reset IDs - ARM: dts: imx6q-dhcom: fix rtc compatible - clk: Don't try to enable critical clocks if prepare failed - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use - iio: buffer: align the size of scan bytes to size of the largest element - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx - USB: serial: option: Add support for Quectel RM500Q - USB: serial: opticon: fix control-message timeouts - USB: serial: option: add support for Quectel RM500Q in QDL mode - USB: serial: suppress driver bind attributes - USB: serial: ch341: handle unbound port at reset_resume - USB: serial: io_edgeport: handle unbound ports on URB completion - USB: serial: io_edgeport: add missing active-port sanity check - USB: serial: keyspan: handle unbound ports - USB: serial: quatech2: handle unbound ports - scsi: fnic: fix invalid stack access - scsi: mptfusion: Fix double fetch bug in ioctl - ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 - ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1 - ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection - ALSA: dice: fix fallback from protocol extension into limited functionality - ALSA: seq: Fix racy access for queue timer in proc read - ALSA: usb-audio: fix sync-ep altsetting sanity check - arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator - Fix built-in early-load Intel microcode alignment - block: fix an integer overflow in logical block size - ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number - ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() - usb: core: hub: Improved device recognition on remote wakeup - x86/resctrl: Fix an imbalance in domain_remove_cpu() - x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained - x86/efistub: Disable paging at mixed mode entry - drm/i915: Add missing include file - x86/resctrl: Fix potential memory leak - perf hists: Fix variable name's inconsistency in hists__for_each() macro - perf report: Fix incorrectly added dimensions
[Kernel-packages] [Bug 1860041] Re: shiftfs: prevent lower dentries from going negative during unlink
** Tags removed: verification-needed-eoan ** Tags added: verification-done-eoan -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1860041 Title: shiftfs: prevent lower dentries from going negative during unlink Status in linux package in Ubuntu: Fix Committed Status in linux source package in Disco: Fix Committed Status in linux source package in Eoan: Fix Committed Bug description: SRU Justification Impact: All non-special files (For shiftfs this only includes fifos and - for this case - unix sockets - since we don't allow character and block devices to be created.) go through shiftfs_open() and have their dentry pinned through this codepath preventing it from going negative. But fifos don't use the shiftfs fops but rather use the pipefifo_fops which means they do not go through shiftfs_open() and thus don't have their dentry pinned that way. Thus, the lower dentries for such files can go negative on unlink causing segfaults. The following C program can be used to reproduce the crash: #include #include #include #include #include #include #include int main(int argc, char *argv[]) { struct stat stat; unlink("./bbb"); int ret = mknod("./bbb", S_IFIFO|0666, 0); if (ret < 0) exit(1); int fd = open("./bbb", O_RDWR); if (fd < 0) exit(2); if (unlink("./bbb")) exit(4); fstat(fd, ); return 0; } Fix: Similar to ecryptfs we need to dget() the lower dentry before calling vfs_unlink() on it and dput() it afterwards. Regression Potential: Limited to shiftfs. Test Case: Compiled a kernel with the fix and used the reproducer above to verify that the kernel cannot be crashed anymore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860041/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1860041] Re: shiftfs: prevent lower dentries from going negative during unlink
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-eoan -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1860041 Title: shiftfs: prevent lower dentries from going negative during unlink Status in linux package in Ubuntu: Fix Committed Status in linux source package in Disco: Fix Committed Status in linux source package in Eoan: Fix Committed Bug description: SRU Justification Impact: All non-special files (For shiftfs this only includes fifos and - for this case - unix sockets - since we don't allow character and block devices to be created.) go through shiftfs_open() and have their dentry pinned through this codepath preventing it from going negative. But fifos don't use the shiftfs fops but rather use the pipefifo_fops which means they do not go through shiftfs_open() and thus don't have their dentry pinned that way. Thus, the lower dentries for such files can go negative on unlink causing segfaults. The following C program can be used to reproduce the crash: #include #include #include #include #include #include #include int main(int argc, char *argv[]) { struct stat stat; unlink("./bbb"); int ret = mknod("./bbb", S_IFIFO|0666, 0); if (ret < 0) exit(1); int fd = open("./bbb", O_RDWR); if (fd < 0) exit(2); if (unlink("./bbb")) exit(4); fstat(fd, ); return 0; } Fix: Similar to ecryptfs we need to dget() the lower dentry before calling vfs_unlink() on it and dput() it afterwards. Regression Potential: Limited to shiftfs. Test Case: Compiled a kernel with the fix and used the reproducer above to verify that the kernel cannot be crashed anymore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860041/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1860041] Re: shiftfs: prevent lower dentries from going negative during unlink
** Changed in: linux (Ubuntu Disco) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Eoan) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1860041 Title: shiftfs: prevent lower dentries from going negative during unlink Status in linux package in Ubuntu: Fix Committed Status in linux source package in Disco: Fix Committed Status in linux source package in Eoan: Fix Committed Bug description: SRU Justification Impact: All non-special files (For shiftfs this only includes fifos and - for this case - unix sockets - since we don't allow character and block devices to be created.) go through shiftfs_open() and have their dentry pinned through this codepath preventing it from going negative. But fifos don't use the shiftfs fops but rather use the pipefifo_fops which means they do not go through shiftfs_open() and thus don't have their dentry pinned that way. Thus, the lower dentries for such files can go negative on unlink causing segfaults. The following C program can be used to reproduce the crash: #include #include #include #include #include #include #include int main(int argc, char *argv[]) { struct stat stat; unlink("./bbb"); int ret = mknod("./bbb", S_IFIFO|0666, 0); if (ret < 0) exit(1); int fd = open("./bbb", O_RDWR); if (fd < 0) exit(2); if (unlink("./bbb")) exit(4); fstat(fd, ); return 0; } Fix: Similar to ecryptfs we need to dget() the lower dentry before calling vfs_unlink() on it and dput() it afterwards. Regression Potential: Limited to shiftfs. Test Case: Compiled a kernel with the fix and used the reproducer above to verify that the kernel cannot be crashed anymore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860041/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1860041] Re: shiftfs: prevent lower dentries from going negative during unlink
** Changed in: linux (Ubuntu) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1860041 Title: shiftfs: prevent lower dentries from going negative during unlink Status in linux package in Ubuntu: Fix Committed Status in linux source package in Disco: In Progress Status in linux source package in Eoan: In Progress Bug description: SRU Justification Impact: All non-special files (For shiftfs this only includes fifos and - for this case - unix sockets - since we don't allow character and block devices to be created.) go through shiftfs_open() and have their dentry pinned through this codepath preventing it from going negative. But fifos don't use the shiftfs fops but rather use the pipefifo_fops which means they do not go through shiftfs_open() and thus don't have their dentry pinned that way. Thus, the lower dentries for such files can go negative on unlink causing segfaults. The following C program can be used to reproduce the crash: #include #include #include #include #include #include #include int main(int argc, char *argv[]) { struct stat stat; unlink("./bbb"); int ret = mknod("./bbb", S_IFIFO|0666, 0); if (ret < 0) exit(1); int fd = open("./bbb", O_RDWR); if (fd < 0) exit(2); if (unlink("./bbb")) exit(4); fstat(fd, ); return 0; } Fix: Similar to ecryptfs we need to dget() the lower dentry before calling vfs_unlink() on it and dput() it afterwards. Regression Potential: Limited to shiftfs. Test Case: Compiled a kernel with the fix and used the reproducer above to verify that the kernel cannot be crashed anymore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860041/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1860041] Re: shiftfs: prevent lower dentries from going negative during unlink
** Also affects: linux (Ubuntu Eoan) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Disco) Importance: Undecided Status: New ** Changed in: linux (Ubuntu) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Disco) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Eoan) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Disco) Status: New => In Progress ** Changed in: linux (Ubuntu Eoan) Status: New => In Progress -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1860041 Title: shiftfs: prevent lower dentries from going negative during unlink Status in linux package in Ubuntu: In Progress Status in linux source package in Disco: In Progress Status in linux source package in Eoan: In Progress Bug description: SRU Justification Impact: All non-special files (For shiftfs this only includes fifos and - for this case - unix sockets - since we don't allow character and block devices to be created.) go through shiftfs_open() and have their dentry pinned through this codepath preventing it from going negative. But fifos don't use the shiftfs fops but rather use the pipefifo_fops which means they do not go through shiftfs_open() and thus don't have their dentry pinned that way. Thus, the lower dentries for such files can go negative on unlink causing segfaults. The following C program can be used to reproduce the crash: #include #include #include #include #include #include #include int main(int argc, char *argv[]) { struct stat stat; unlink("./bbb"); int ret = mknod("./bbb", S_IFIFO|0666, 0); if (ret < 0) exit(1); int fd = open("./bbb", O_RDWR); if (fd < 0) exit(2); if (unlink("./bbb")) exit(4); fstat(fd, ); return 0; } Fix: Similar to ecryptfs we need to dget() the lower dentry before calling vfs_unlink() on it and dput() it afterwards. Regression Potential: Limited to shiftfs. Test Case: Compiled a kernel with the fix and used the reproducer above to verify that the kernel cannot be crashed anymore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860041/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp