* FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
@ 2019-06-09  9:45 gregkh
  2019-06-13  8:49 ` Amir Goldstein
  0 siblings, 1 reply; 14+ messages in thread
From: gregkh @ 2019-06-09  9:45 UTC (permalink / raw)
  To: amir73il, david, mszeredi, stable; +Cc: stable


The patch below does not apply to the 5.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From b21d9c435f935014d3e3fa6914f2e4fbabb0e94d Mon Sep 17 00:00:00 2001
From: Amir Goldstein <amir73il@gmail.com>
Date: Sun, 26 May 2019 09:28:25 +0300
Subject: [PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls

They are the extended version of FS_IOC_FS[SG]ETFLAGS ioctls.
xfs_io -c "chattr <flags>" uses the new ioctls for setting flags.

This used to work in kernel pre v4.19, before stacked file ops
introduced the ovl_ioctl whitelist.

Reported-by: Dave Chinner <david@fromorbit.com>
Fixes: d1d04ef8572b ("ovl: stack file ops")
Cc: <stable@vger.kernel.org> # v4.19
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 540a8b845145..340a6ad45914 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -426,7 +426,8 @@ static unsigned int ovl_get_inode_flags(struct inode *inode)
 	return ovl_iflags;
 }
 
-static long ovl_ioctl_set_flags(struct file *file, unsigned long arg)
+static long ovl_ioctl_set_flags(struct file *file, unsigned int cmd,
+				unsigned long arg)
 {
 	long ret;
 	struct inode *inode = file_inode(file);
@@ -456,7 +457,7 @@ static long ovl_ioctl_set_flags(struct file *file, unsigned long arg)
 	if (ret)
 		goto unlock;
 
-	ret = ovl_real_ioctl(file, FS_IOC_SETFLAGS, arg);
+	ret = ovl_real_ioctl(file, cmd, arg);
 
 	ovl_copyflags(ovl_inode_real(inode), inode);
 unlock:
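
Review bot: `cmd` is used only in the `ovl_real_ioctl(file, cmd, arg)` call, so whatever sets `ret` ahead of `if (ret) goto unlock;` still runs exactly as it did when FS_IOC_SETFLAGS was the only caller. FS_IOC_SETFLAGS passes a pointer to an int of FS_*_FL bits, while FS_IOC_FSSETXATTR passes a pointer to struct fsxattr with FS_XFLAG_* bits in fsx_xflags, so any flag check made before this call should pick the argument layout by `cmd`. The thread below lists 941d935ac763 ("ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls") alongside this patch.
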
@@ -474,11 +475,13 @@ static long ovl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 
 	switch (cmd) {
 	case FS_IOC_GETFLAGS:
+	case FS_IOC_FSGETXATTR:
 		ret = ovl_real_ioctl(file, cmd, arg);
 		break;
 
 	case FS_IOC_SETFLAGS:
-		ret = ovl_ioctl_set_flags(file, arg);
+	case FS_IOC_FSSETXATTR:
+		ret = ovl_ioctl_set_flags(file, cmd, arg);
 		break;
 
 	default:
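
Review bot: at `case FS_IOC_FSSETXATTR:` the new label shares its body with `case FS_IOC_SETFLAGS:`, but the helper it calls is still named `ovl_ioctl_set_flags` and nothing at the call site says the two commands carry different argument types. A short comment on the shared case, or a rename of the helper, would make it clear to the next reader that the handler has to dispatch on `cmd`.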


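The commit message above says these ioctls stopped reaching the underlying filesystem once overlayfs gained its ioctl whitelist. The following check for that behaviour is an added example, not part of the original thread or the kernel patch: it issues FS_IOC_FSGETXATTR on a path, writes the same struct back with FS_IOC_FSSETXATTR, and classifies each result. The function names, the result enum, and the choice to treat ENOTTY/EOPNOTSUPP as "not passed through" are assumptions of this example.

```c
/* Added example (not from the thread or the kernel tree): probe whether the
 * FS_IOC_FS[SG]ETXATTR ioctls reach the filesystem behind a path, e.g. a
 * file on an overlayfs mount before and after the backport. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/fs.h>   /* struct fsxattr, FS_IOC_FSGETXATTR, FS_IOC_FSSETXATTR */

/* Hypothetical result codes used only by this example. */
enum probe_result {
    PROBE_SUPPORTED  = 0,   /* the ioctl was handled */
    PROBE_NOT_PASSED = 1,   /* ENOTTY/EOPNOTSUPP: filtered out or unimplemented */
    PROBE_ERROR      = 2,   /* anything else: open failure, EPERM, EROFS, ... */
};

/* Map an ioctl return value and the errno saved right after it to a result. */
static enum probe_result classify(int rc, int err)
{
    if (rc == 0)
        return PROBE_SUPPORTED;
    if (err == ENOTTY || err == EOPNOTSUPP)
        return PROBE_NOT_PASSED;
    return PROBE_ERROR;
}

static const char *probe_name(enum probe_result r)
{
    switch (r) {
    case PROBE_SUPPORTED:  return "supported";
    case PROBE_NOT_PASSED: return "not passed through";
    default:               return "error";
    }
}

/* Read the extended attributes (xflags, project id) of path into *out. */
enum probe_result probe_fsgetxattr(const char *path, struct fsxattr *out)
{
    int fd, rc, err;

    fd = open(path, O_RDONLY);
    if (fd < 0)
        return PROBE_ERROR;
    memset(out, 0, sizeof(*out));
    rc = ioctl(fd, FS_IOC_FSGETXATTR, out);
    err = errno;            /* save before close() can overwrite it */
    close(fd);
    return classify(rc, err);
}

/* Read the attributes and write the same values back, so the set path is
 * exercised without changing any flag or project id. */
enum probe_result probe_fssetxattr_noop(const char *path)
{
    struct fsxattr fsx;
    int fd, rc, err;

    fd = open(path, O_RDONLY);
    if (fd < 0)
        return PROBE_ERROR;
    memset(&fsx, 0, sizeof(fsx));
    rc = ioctl(fd, FS_IOC_FSGETXATTR, &fsx);
    err = errno;
    if (rc == 0) {
        rc = ioctl(fd, FS_IOC_FSSETXATTR, &fsx);
        err = errno;
    }
    close(fd);
    return classify(rc, err);
}

int main(int argc, char **argv)
{
    struct fsxattr fsx;
    enum probe_result get, set;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <file-on-mount-to-check>\n", argv[0]);
        return 2;
    }
    get = probe_fsgetxattr(argv[1], &fsx);
    set = probe_fssetxattr_noop(argv[1]);
    printf("FS_IOC_FSGETXATTR: %s\n", probe_name(get));
    printf("FS_IOC_FSSETXATTR: %s\n", probe_name(set));
    if (get == PROBE_SUPPORTED)
        printf("fsx_xflags=0x%x fsx_projid=%u\n",
               (unsigned int)fsx.fsx_xflags, (unsigned int)fsx.fsx_projid);
    return (get == PROBE_SUPPORTED && set == PROBE_SUPPORTED) ? 0 : 1;
}
```

Run it against the same file on the lower filesystem as well: "supported" there and "not passed through" on the overlay mount points at the overlayfs filter rather than at the backing filesystem.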

* Re: FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
  2019-06-09  9:45 FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree gregkh
@ 2019-06-13  8:49 ` Amir Goldstein
  2019-06-21  8:15   ` Amir Goldstein
  0 siblings, 1 reply; 14+ messages in thread
From: Amir Goldstein @ 2019-06-13  8:49 UTC (permalink / raw)
  To: Greg KH, Sasha Levin; +Cc: Miklos Szeredi, stable, overlayfs

On Sun, Jun 9, 2019 at 12:45 PM <gregkh@linuxfoundation.org> wrote:
>
>
> The patch below does not apply to the 5.1-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
>
> thanks,
>
> greg k-h
>

FYI, the failure to apply this patch would be resolved after you
picked up "ovl: check the capability before cred overridden" for
stable, please hold off from taking this patch just yet, because
it has a bug, whose fix wasn't picked upstream yet.

Thanks,
Amir.


* Re: FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
  2019-06-13  8:49 ` Amir Goldstein
@ 2019-06-21  8:15   ` Amir Goldstein
  2019-06-23  1:03       ` Sasha Levin
  0 siblings, 1 reply; 14+ messages in thread
From: Amir Goldstein @ 2019-06-21  8:15 UTC (permalink / raw)
  To: Greg KH, Sasha Levin; +Cc: Miklos Szeredi, stable, overlayfs

On Thu, Jun 13, 2019 at 11:49 AM Amir Goldstein <amir73il@gmail.com> wrote:
>
> On Sun, Jun 9, 2019 at 12:45 PM <gregkh@linuxfoundation.org> wrote:
> >
> >
> > The patch below does not apply to the 5.1-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@vger.kernel.org>.
> >
> > thanks,
> >
> > greg k-h
> >
>
> FYI, the failure to apply this patch would be resolved after you
> picked up "ovl: check the capability before cred overridden" for
> stable, please hold off from taking this patch just yet, because
> it has a bug, whose fix wasn't picked upstream yet.
>

Greg,

Please apply these patches to stable 4.19.
They fix a docker regression (project quotas feature).

b21d9c435f93 ovl: support the FS_IOC_FS[SG]ETXATTR ioctls
941d935ac763 ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls

They apply cleanly and tested on v4.19.53.

While at it, I also tested that the following patches apply cleanly and solve
relevant issues on v4.19.53, but they are not clear stable candidates.

1) /proc/locks shows incorrect ino. Only reported by xfstests (so far):
6dde1e42f497 ovl: make i_ino consistent with st_ino in more cases

2) Fix output of `modinfo overlay`:
253e74833911 ovl: fix typo in MODULE_PARM_DESC

3) Disallow bogus layer combinations.
syzbot has started to produce repros that create bogus layer combinations.
So far it has only been able to reproduce a WARN_ON, which has already
been fixed in stable, by  acf3062a7e1c ("ovl: relax WARN_ON()..."), but
other real bugs could be lurking if those setups are allowed.
We decided to detect and error on these setups on mount, to stop syzbot
(and attackers) from trying to attack overlayfs this way.
To stop syzbot from mutating this class of repros on stable kernel you
MAY apply these 3 patches, but in any case, I would wait a while to see
if more bugs are reported on master.
Although this solves a problem dating before 4.19, I have no plans
of backporting these patches further back.

146d62e5a586 ovl: detect overlapping layers
9179c21dc6ed ovl: don't fail with disconnected lower NFS
1dac6f5b0ed2 ovl: fix bogus -Wmaybe-unitialized warning

Thanks,
Amir.


* Re: FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
  2019-06-21  8:15   ` Amir Goldstein
@ 2019-06-23  1:03       ` Sasha Levin
  0 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2019-06-23  1:03 UTC (permalink / raw)
  To: Amir Goldstein; +Cc: Greg KH, Miklos Szeredi, stable, overlayfs

On Fri, Jun 21, 2019 at 11:15:47AM +0300, Amir Goldstein wrote:
>On Thu, Jun 13, 2019 at 11:49 AM Amir Goldstein <amir73il@gmail.com> wrote:
>>
>> On Sun, Jun 9, 2019 at 12:45 PM <gregkh@linuxfoundation.org> wrote:
>> >
>> >
>> > The patch below does not apply to the 5.1-stable tree.
>> > If someone wants it applied there, or to any other stable or longterm
>> > tree, then please email the backport, including the original git commit
>> > id to <stable@vger.kernel.org>.
>> >
>> > thanks,
>> >
>> > greg k-h
>> >
>>
>> FYI, the failure to apply this patch would be resolved after you
>> picked up "ovl: check the capability before cred overridden" for
>> stable, please hold off from taking this patch just yet, because
>> it has a bug, whose fix wasn't picked upstream yet.
>>
>
>Greg,
>
>Please apply these patches to stable 4.19.
>They fix a docker regression (project quotas feature).
>
>b21d9c435f93 ovl: support the FS_IOC_FS[SG]ETXATTR ioctls
>941d935ac763 ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls
>
>They apply cleanly and tested on v4.19.53.

I've queued these for 4.19.

>While at it, I also tested that the following patches apply cleanly and solve
>relevant issues on v4.19.53, but they are not clear stable candidates.
>
>1) /proc/locks shows incorrect ino. Only reported by xfstests (so far):
>6dde1e42f497 ovl: make i_ino consistent with st_ino in more cases

And this.

>2) Fix output of `modinfo overlay`:
>253e74833911 ovl: fix typo in MODULE_PARM_DESC

But not this one. Maybe we should be including these in stable trees
since the risk factor is low and it fixes something user-visible, but
our current rules object to this kind of patch, so I've left it out.

>3) Disallow bogus layer combinations.
>syzbot has started to produce repros that create bogus layer combinations.
>So far it has only been able to reproduce a WARN_ON, which has already
>been fixed in stable, by  acf3062a7e1c ("ovl: relax WARN_ON()..."), but
>other real bugs could be lurking if those setups are allowed.
>We decided to detect and error on these setups on mount, to stop syzbot
>(and attackers) from trying to attack overlayfs this way.
>To stop syzbot from mutating this class of repros on stable kernel you
>MAY apply these 3 patches, but in any case, I would wait a while to see
>if more bugs are reported on master.
>Although this solves a problem dating before 4.19, I have no plans
>of backporting these patches further back.
>
>146d62e5a586 ovl: detect overlapping layers
>9179c21dc6ed ovl: don't fail with disconnected lower NFS
>1dac6f5b0ed2 ovl: fix bogus -Wmaybe-unitialized warning

I've queued these 3 for 4.19.

--
Thanks,
Sasha


* Re: FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
  2019-06-23  1:03       ` Sasha Levin
  (?)
@ 2019-06-23 20:29       ` Greg KH
  2019-06-24  0:34           ` Sasha Levin
  -1 siblings, 1 reply; 14+ messages in thread
From: Greg KH @ 2019-06-23 20:29 UTC (permalink / raw)
  To: Sasha Levin; +Cc: Amir Goldstein, Miklos Szeredi, stable, overlayfs

On Sat, Jun 22, 2019 at 09:03:45PM -0400, Sasha Levin wrote:
> On Fri, Jun 21, 2019 at 11:15:47AM +0300, Amir Goldstein wrote:
> > On Thu, Jun 13, 2019 at 11:49 AM Amir Goldstein <amir73il@gmail.com> wrote:
> > > 
> > > On Sun, Jun 9, 2019 at 12:45 PM <gregkh@linuxfoundation.org> wrote:
> > > >
> > > >
> > > > The patch below does not apply to the 5.1-stable tree.
> > > > If someone wants it applied there, or to any other stable or longterm
> > > > tree, then please email the backport, including the original git commit
> > > > id to <stable@vger.kernel.org>.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
> > > 
> > > FYI, the failure to apply this patch would be resolved after you
> > > picked up "ovl: check the capability before cred overridden" for
> > > stable, please hold off from taking this patch just yet, because
> > > it has a bug, whose fix wasn't picked upstream yet.
> > > 
> > 
> > Greg,
> > 
> > Please apply these patches to stable 4.19.
> > They fix a docker regression (project quotas feature).
> > 
> > b21d9c435f93 ovl: support the FS_IOC_FS[SG]ETXATTR ioctls
> > 941d935ac763 ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls
> > 
> > They apply cleanly and tested on v4.19.53.
> 
> I've queued these for 4.19.
> 
> > While at it, I also tested that the following patches apply cleanly and solve
> > relevant issues on v4.19.53, but they are not clear stable candidates.
> > 
> > 1) /proc/locks shows incorrect ino. Only reported by xfstests (so far):
> > 6dde1e42f497 ovl: make i_ino consistent with st_ino in more cases
> 
> And this.
> 
> > 2) Fix output of `modinfo overlay`:
> > 253e74833911 ovl: fix typo in MODULE_PARM_DESC
> 
> But not this one. Maybe we should be including these in stable trees
> since the risk factor is low and it fixes something user-visible, but
> our current rules object to this kind of patch, so I've left it out.
> 
> > 3) Disallow bogus layer combinations.
> > syzbot has started to produce repros that create bogus layer combinations.
> > So far it has only been able to reproduce a WARN_ON, which has already
> > been fixed in stable, by  acf3062a7e1c ("ovl: relax WARN_ON()..."), but
> > other real bugs could be lurking if those setups are allowed.
> > We decided to detect and error on these setups on mount, to stop syzbot
> > (and attackers) from trying to attack overlayfs this way.
> > To stop syzbot from mutating this class of repros on stable kernel you
> > MAY apply these 3 patches, but in any case, I would wait a while to see
> > if more bugs are reported on master.
> > Although this solves a problem dating before 4.19, I have no plans
> > of backporting these patches further back.
> > 
> > 146d62e5a586 ovl: detect overlapping layers
> > 9179c21dc6ed ovl: don't fail with disconnected lower NFS
> > 1dac6f5b0ed2 ovl: fix bogus -Wmaybe-unitialized warning
> 
> I've queued these 3 for 4.19.

What about the ones that are needed for 5.1?

thanks,

greg k-h


* Re: FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
  2019-06-23 20:29       ` Greg KH
@ 2019-06-24  0:34           ` Sasha Levin
  0 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2019-06-24  0:34 UTC (permalink / raw)
  To: Greg KH; +Cc: Amir Goldstein, Miklos Szeredi, stable, overlayfs

On Sun, Jun 23, 2019 at 10:29:16PM +0200, Greg KH wrote:
>On Sat, Jun 22, 2019 at 09:03:45PM -0400, Sasha Levin wrote:
>> On Fri, Jun 21, 2019 at 11:15:47AM +0300, Amir Goldstein wrote:
>> > On Thu, Jun 13, 2019 at 11:49 AM Amir Goldstein <amir73il@gmail.com> wrote:
>> > >
>> > > On Sun, Jun 9, 2019 at 12:45 PM <gregkh@linuxfoundation.org> wrote:
>> > > >
>> > > >
>> > > > The patch below does not apply to the 5.1-stable tree.
>> > > > If someone wants it applied there, or to any other stable or longterm
>> > > > tree, then please email the backport, including the original git commit
>> > > > id to <stable@vger.kernel.org>.
>> > > >
>> > > > thanks,
>> > > >
>> > > > greg k-h
>> > > >
>> > >
>> > > FYI, the failure to apply this patch would be resolved after you
>> > > picked up "ovl: check the capability before cred overridden" for
>> > > stable, please hold off from taking this patch just yet, because
>> > > it has a bug, whose fix wasn't picked upstream yet.
>> > >
>> >
>> > Greg,
>> >
>> > Please apply these patches to stable 4.19.
>> > They fix a docker regression (project quotas feature).
>> >
>> > b21d9c435f93 ovl: support the FS_IOC_FS[SG]ETXATTR ioctls
>> > 941d935ac763 ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls
>> >
>> > They apply cleanly and tested on v4.19.53.
>>
>> I've queued these for 4.19.
>>
>> > While at it, I also tested that the following patches apply cleanly and solve
>> > relevant issues on v4.19.53, but they are not clear stable candidates.
>> >
>> > 1) /proc/locks shows incorrect ino. Only reported by xfstests (so far):
>> > 6dde1e42f497 ovl: make i_ino consistent with st_ino in more cases
>>
>> And this.
>>
>> > 2) Fix output of `modinfo overlay`:
>> > 253e74833911 ovl: fix typo in MODULE_PARM_DESC
>>
>> But not this one. Maybe we should be including these in stable trees
>> since the risk factor is low and it fixes something user-visible, but
>> our current rules object to this kind of patch, so I've left it out.
>>
>> > 3) Disallow bogus layer combinations.
>> > syzbot has started to produce repros that create bogus layer combinations.
>> > So far it has only been able to reproduce a WARN_ON, which has already
>> > been fixed in stable, by  acf3062a7e1c ("ovl: relax WARN_ON()..."), but
>> > other real bugs could be lurking if those setups are allowed.
>> > We decided to detect and error on these setups on mount, to stop syzbot
>> > (and attackers) from trying to attack overlayfs this way.
>> > To stop syzbot from mutating this class of repros on stable kernel you
>> > MAY apply these 3 patches, but in any case, I would wait a while to see
>> > if more bugs are reported on master.
>> > Although this solves a problem dating before 4.19, I have no plans
>> > of backporting these patches further back.
>> >
>> > 146d62e5a586 ovl: detect overlapping layers
>> > 9179c21dc6ed ovl: don't fail with disconnected lower NFS
>> > 1dac6f5b0ed2 ovl: fix bogus -Wmaybe-unitialized warning
>>
>> I've queued these 3 for 4.19.
>
>What about the ones that are needed for 5.1?

Ah yes, I haven't realized that the syzkaller ones are needed for 5.1.
I'll queue them up.

--
Thanks,
Sasha


* Re: FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
  2019-06-24  0:34           ` Sasha Levin
  (?)
@ 2019-06-24  4:52           ` Amir Goldstein
  2019-07-24 11:57             ` Greg KH
  -1 siblings, 1 reply; 14+ messages in thread
From: Amir Goldstein @ 2019-06-24  4:52 UTC (permalink / raw)
  To: Sasha Levin; +Cc: Greg KH, Miklos Szeredi, stable, overlayfs

On Mon, Jun 24, 2019 at 3:34 AM Sasha Levin <sashal@kernel.org> wrote:
>
> On Sun, Jun 23, 2019 at 10:29:16PM +0200, Greg KH wrote:
> >On Sat, Jun 22, 2019 at 09:03:45PM -0400, Sasha Levin wrote:
> >> On Fri, Jun 21, 2019 at 11:15:47AM +0300, Amir Goldstein wrote:
> >> > On Thu, Jun 13, 2019 at 11:49 AM Amir Goldstein <amir73il@gmail.com> wrote:
> >> > >
> >> > > On Sun, Jun 9, 2019 at 12:45 PM <gregkh@linuxfoundation.org> wrote:
> >> > > >
> >> > > >
> >> > > > The patch below does not apply to the 5.1-stable tree.
> >> > > > If someone wants it applied there, or to any other stable or longterm
> >> > > > tree, then please email the backport, including the original git commit
> >> > > > id to <stable@vger.kernel.org>.
> >> > > >
> >> > > > thanks,
> >> > > >
> >> > > > greg k-h
> >> > > >
> >> > >
> >> > > FYI, the failure to apply this patch would be resolved after you
> >> > > picked up "ovl: check the capability before cred overridden" for
> >> > > stable, please hold off from taking this patch just yet, because
> >> > > it has a bug, whose fix wasn't picked upstream yet.
> >> > >
> >> >
> >> > Greg,
> >> >
> >> > Please apply these patches to stable 4.19.
> >> > They fix a docker regression (project quotas feature).
> >> >
> >> > b21d9c435f93 ovl: support the FS_IOC_FS[SG]ETXATTR ioctls
> >> > 941d935ac763 ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls
> >> >
> >> > They apply cleanly and tested on v4.19.53.
> >>
> >> I've queued these for 4.19.
> >>
> >> > While at it, I also tested that the following patches apply cleanly and solve
> >> > relevant issues on v4.19.53, but they are not clear stable candidates.
> >> >
> >> > 1) /proc/locks shows incorrect ino. Only reported by xfstests (so far):
> >> > 6dde1e42f497 ovl: make i_ino consistent with st_ino in more cases
> >>
> >> And this.
> >>
> >> > 2) Fix output of `modinfo overlay`:
> >> > 253e74833911 ovl: fix typo in MODULE_PARM_DESC
> >>
> >> But not this one. Maybe we should be including these in stable trees
> >> since the risk factor is low and it fixes something user-visible, but
> >> our current rules object to this kind of patch, so I've left it out.
> >>
> >> > 3) Disallow bogus layer combinations.
> >> > syzbot has started to produce repros that create bogus layer combinations.
> >> > So far it has only been able to reproduce a WARN_ON, which has already
> >> > been fixed in stable, by  acf3062a7e1c ("ovl: relax WARN_ON()..."), but
> >> > other real bugs could be lurking if those setups are allowed.
> >> > We decided to detect and error on these setups on mount, to stop syzbot
> >> > (and attackers) from trying to attack overlayfs this way.
> >> > To stop syzbot from mutating this class of repros on stable kernel you
> >> > MAY apply these 3 patches, but in any case, I would wait a while to see
> >> > if more bugs are reported on master.
> >> > Although this solves a problem dating before 4.19, I have no plans
> >> > of backporting these patches further back.
> >> >
> >> > 146d62e5a586 ovl: detect overlapping layers
> >> > 9179c21dc6ed ovl: don't fail with disconnected lower NFS
> >> > 1dac6f5b0ed2 ovl: fix bogus -Wmaybe-unitialized warning
> >>
> >> I've queued these 3 for 4.19.
> >
> >What about the ones that are needed for 5.1?
>
> Ah yes, I haven't realized that the syzkaller ones are needed for 5.1.
> I'll queue them up.
>

I don't think syzkaller ones are more relevant to 5.1 than the rest of
the patches applied to 4.19. If anything, it's the other way around.
According to syzbot dashboard, it is being run on LTS kernels, not on
latest stable.

Please forgive me if my language caused confusion, when I said
"please apply to 4.19" I meant 4.19+.

Thanks,
Amir.


* overlayfs regression in master and stable trees
  2019-06-23  1:03       ` Sasha Levin
  (?)
  (?)
@ 2019-07-11 14:14       ` Amir Goldstein
  2019-07-11 15:41         ` Greg KH
  -1 siblings, 1 reply; 14+ messages in thread
From: Amir Goldstein @ 2019-07-11 14:14 UTC (permalink / raw)
  To: Sasha Levin; +Cc: Greg KH, Miklos Szeredi, stable, overlayfs, Vivek Goyal

>
> >3) Disallow bogus layer combinations.
> >syzbot has started to produce repros that create bogus layer combinations.
> >So far it has only been able to reproduce a WARN_ON, which has already
> >been fixed in stable, by  acf3062a7e1c ("ovl: relax WARN_ON()..."), but
> >other real bugs could be lurking if those setups are allowed.
> >We decided to detect and error on these setups on mount, to stop syzbot
> >(and attackers) from trying to attack overlayfs this way.
> >To stop syzbot from mutating this class of repros on stable kernel you
> >MAY apply these 3 patches, but in any case, I would wait a while to see
> >if more bugs are reported on master.
> >Although this solves a problem dating before 4.19, I have no plans
> >of backporting these patches further back.
> >
> >146d62e5a586 ovl: detect overlapping layers
> >9179c21dc6ed ovl: don't fail with disconnected lower NFS
> >1dac6f5b0ed2 ovl: fix bogus -Wmaybe-unitialized warning
>
> I've queued these 3 for 4.19.
>

FYI, an overlayfs regression has been reported:
https://github.com/containers/libpod/issues/3540

Caused by commit "ovl: detect overlapping layers"

I am working on a fix.
In retrospect, given my lengthy disclaimer above, it seems
that this patch should not have been applied to stable (yet).
I believe that this patch belongs to a class of fixes that
should soak in master for a while before being considered for
stable. On my part, I will not propose these sorts of fixes in the future,
with or without a disclaimer until they have soaked in master.

Thanks,
Amir.


* Re: overlayfs regression in master and stable trees
  2019-07-11 14:14       ` overlayfs regression in master and stable trees Amir Goldstein
@ 2019-07-11 15:41         ` Greg KH
  0 siblings, 0 replies; 14+ messages in thread
From: Greg KH @ 2019-07-11 15:41 UTC (permalink / raw)
  To: Amir Goldstein
  Cc: Sasha Levin, Miklos Szeredi, stable, overlayfs, Vivek Goyal

On Thu, Jul 11, 2019 at 05:14:48PM +0300, Amir Goldstein wrote:
> >
> > >3) Disallow bogus layer combinations.
> > >syzbot has started to produce repros that create bogus layer combinations.
> > >So far it has only been able to reproduce a WARN_ON, which has already
> > >been fixed in stable, by  acf3062a7e1c ("ovl: relax WARN_ON()..."), but
> > >other real bugs could be lurking if those setups are allowed.
> > >We decided to detect and error on these setups on mount, to stop syzbot
> > >(and attackers) from trying to attack overlayfs this way.
> > >To stop syzbot from mutating this class of repros on stable kernel you
> > >MAY apply these 3 patches, but in any case, I would wait a while to see
> > >if more bugs are reported on master.
> > >Although this solves a problem dating before 4.19, I have no plans
> > >of backporting these patches further back.
> > >
> > >146d62e5a586 ovl: detect overlapping layers
> > >9179c21dc6ed ovl: don't fail with disconnected lower NFS
> > >1dac6f5b0ed2 ovl: fix bogus -Wmaybe-unitialized warning
> >
> > I've queued these 3 for 4.19.
> >
> 
> FYI, an overlayfs regression has been reported:
> https://github.com/containers/libpod/issues/3540
> 
> Caused by commit "ovl: detect overlapping layers"
> 
> I am working on a fix.
> In retrospect, given my lengthy disclaimer above, it seems
> that this patch should not have been applied to stable (yet).
> I believe that this patch belongs to a class of fixes that
> should soak in master for a while before being considered for
> stable. On my part, I will not propose these sorts of fixes in the future,
> with or without a disclaimer until they have soaked in master.

That's fair enough, send the git ids to stable@vger when you feel they
have "soaked" long enough in the future.

thanks,

greg k-h


* Re: FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
  2019-06-24  4:52           ` Amir Goldstein
@ 2019-07-24 11:57             ` Greg KH
  2019-07-24 13:46               ` Amir Goldstein
  0 siblings, 1 reply; 14+ messages in thread
From: Greg KH @ 2019-07-24 11:57 UTC (permalink / raw)
  To: Amir Goldstein; +Cc: Sasha Levin, Miklos Szeredi, stable, overlayfs

On Mon, Jun 24, 2019 at 07:52:11AM +0300, Amir Goldstein wrote:
> On Mon, Jun 24, 2019 at 3:34 AM Sasha Levin <sashal@kernel.org> wrote:
> >
> > On Sun, Jun 23, 2019 at 10:29:16PM +0200, Greg KH wrote:
> > >On Sat, Jun 22, 2019 at 09:03:45PM -0400, Sasha Levin wrote:
> > >> On Fri, Jun 21, 2019 at 11:15:47AM +0300, Amir Goldstein wrote:
> > >> > On Thu, Jun 13, 2019 at 11:49 AM Amir Goldstein <amir73il@gmail.com> wrote:
> > >> > >
> > >> > > On Sun, Jun 9, 2019 at 12:45 PM <gregkh@linuxfoundation.org> wrote:
> > >> > > >
> > >> > > >
> > >> > > > The patch below does not apply to the 5.1-stable tree.
> > >> > > > If someone wants it applied there, or to any other stable or longterm
> > >> > > > tree, then please email the backport, including the original git commit
> > >> > > > id to <stable@vger.kernel.org>.
> > >> > > >
> > >> > > > thanks,
> > >> > > >
> > >> > > > greg k-h
> > >> > > >
> > >> > >
> > >> > > FYI, the failure to apply this patch would be resolved after you
> > >> > > picked up "ovl: check the capability before cred overridden" for
> > >> > > stable, please hold off from taking this patch just yet, because
> > >> > > it has a bug, whose fix wasn't picked upstream yet.
> > >> > >
> > >> >
> > >> > Greg,
> > >> >
> > >> > Please apply these patches to stable 4.19.
> > >> > They fix a docker regression (project quotas feature).
> > >> >
> > >> > b21d9c435f93 ovl: support the FS_IOC_FS[SG]ETXATTR ioctls
> > >> > 941d935ac763 ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls
> > >> >
> > >> > They apply cleanly and tested on v4.19.53.
> > >>
> > >> I've queued these for 4.19.
> > >>
> > >> > While at it, I also tested that the following patches apply cleanly and solve
> > >> > relevant issues on v4.19.53, but they are not clear stable candidates.
> > >> >
> > >> > 1) /proc/locks shows incorrect ino. Only reported by xfstests (so far):
> > >> > 6dde1e42f497 ovl: make i_ino consistent with st_ino in more cases
> > >>
> > >> And this.
> > >>
> > >> > 2) Fix output of `modinfo overlay`:
> > >> > 253e74833911 ovl: fix typo in MODULE_PARM_DESC
> > >>
> > >> But not this one. Maybe we should be including these in stable trees
> > >> since the risk factor is low and it fixes something user-visible, but
> > >> our current rules object to this kind of patch so I've left it out.
> > >>
> > >> > 3) Disallow bogus layer combinations.
> > >> > syzbot has started to produce repros that create bogus layer combinations.
> > >> > So far it has only been able to reproduce a WARN_ON, which has already
> > >> > been fixed in stable, by  acf3062a7e1c ("ovl: relax WARN_ON()..."), but
> > >> > other real bugs could be lurking if those setups are allowed.
> > >> > We decided to detect and error on these setups on mount, to stop syzbot
> > >> > (and attackers) from trying to attack overlayfs this way.
> > >> > To stop syzbot from mutating this class of repros on stable kernel you
> > >> > MAY apply these 3 patches, but in any case, I would wait a while to see
> > >> > if more bugs are reported on master.
> > >> > Although this solves a problem dating before 4.19, I have no plans
> > >> > of backporting these patches further back.
> > >> >
> > >> > 146d62e5a586 ovl: detect overlapping layers
> > >> > 9179c21dc6ed ovl: don't fail with disconnected lower NFS
> > >> > 1dac6f5b0ed2 ovl: fix bogus -Wmaybe-unitialized warning
> > >>
> > >> I've queued these 3 for 4.19.
> > >
> > >What about the ones that are needed for 5.1?
> >
> > Ah yes, I haven't realized that the syzkaller ones are needed for 5.1.
> > I'll queue them up.
> >
> 
> I don't think syzkaller ones are more relevant to 5.1 than the rest of
> the patches applied to 4.19. If anything, it's the other way around.
> According to syzbot dashboard, it is being run on LTS kernels, not on
> latest stable.
> 
> Please forgive me if my language caused confusion, when I said
> "please apply to 4.19" I meant 4.19+.

So is anything else needed to be done here, or are we all caught up and
everything merged properly?

thanks,

greg k-h


* Re: FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
  2019-07-24 11:57             ` Greg KH
@ 2019-07-24 13:46               ` Amir Goldstein
  2019-09-19 19:04                 ` Greg KH
  0 siblings, 1 reply; 14+ messages in thread
From: Amir Goldstein @ 2019-07-24 13:46 UTC (permalink / raw)
  To: Greg KH; +Cc: Sasha Levin, Miklos Szeredi, stable, overlayfs

> > I don't think syzkaller ones are more relevant to 5.1 than the rest of
> > the patches applied to 4.19. If anything, it's the other way around.
> > According to syzbot dashboard, it is being run on LTS kernels, not on
> > latest stable.
> >
> > Please forgive me if my language caused confusion, when I said
> > "please apply to 4.19" I meant 4.19+.
>
> So is anything else needed to be done here, or are we all caught up and
> everything merged properly?
>

All the needed patches have been merged, but
Upstream commit 146d62e5a5867fbf84490d82455718bfb10fe824
("ovl: detect overlapping layers") did introduce a regression to
docker and friends into stable kernels :-/

The fix commit is already tested and waiting in linux-next:
0be0bfd2de9d ("ovl: fix regression caused by overlapping layers detection")
but did not hit upstream yet. When it does, will need to apply it to v4.19+

Thanks,
Amir.


* Re: FAILED: patch "[PATCH] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls" failed to apply to 5.1-stable tree
  2019-07-24 13:46               ` Amir Goldstein
@ 2019-09-19 19:04                 ` Greg KH
  0 siblings, 0 replies; 14+ messages in thread
From: Greg KH @ 2019-09-19 19:04 UTC (permalink / raw)
  To: Amir Goldstein; +Cc: Sasha Levin, Miklos Szeredi, stable, overlayfs

On Wed, Jul 24, 2019 at 04:46:36PM +0300, Amir Goldstein wrote:
> > > I don't think syzkaller ones are more relevant to 5.1 than the rest of
> > > the patches applied to 4.19. If anything, it's the other way around.
> > > According to syzbot dashboard, it is being run on LTS kernels, not on
> > > latest stable.
> > >
> > > Please forgive me if my language caused confusion, when I said
> > > "please apply to 4.19" I meant 4.19+.
> >
> > So is anything else needed to be done here, or are we all caught up and
> > everything merged properly?
> >
> 
> All the needed patches have been merged, but
> Upstream commit 146d62e5a5867fbf84490d82455718bfb10fe824
> ("ovl: detect overlapping layers") did introduce a regression to
> docker and friends into stable kernels :-/
> 
> The fix commit is already tested and waiting in linux-next:
> 0be0bfd2de9d ("ovl: fix regression caused by overlapping layers detection")
> but did not hit upstream yet. When it does, will need to apply it to v4.19+

That is now in Linus's tree and I've queued it up now.

thanks,

greg k-h

