From bffa87b9af24af60567fb9ee649fc94ac8e88a79 Mon Sep 17 00:00:00 2001 From: Naadir Jeewa Date: Tue, 18 Jul 2023 16:26:09 +0100 Subject: [PATCH 1/2] linux: Add gettext to build dependencies Signed-off-by: Naadir Jeewa Change-Id: I488dbd212de7fb36d6ee342054f6c66e086f2dc0 --- SPECS/linux/linux-aws.spec | 1 + SPECS/linux/linux-esx.spec | 1 + SPECS/linux/linux-rt.spec | 1 + SPECS/linux/linux-secure.spec | 1 + SPECS/linux/linux.spec | 1 + 5 files changed, 5 insertions(+) diff --git a/SPECS/linux/linux-aws.spec b/SPECS/linux/linux-aws.spec index bbdff80e41..f8fcf75e2a 100644 --- a/SPECS/linux/linux-aws.spec +++ b/SPECS/linux/linux-aws.spec @@ -258,6 +258,7 @@ BuildRequires: openssl-devel BuildRequires: procps-ng-devel BuildRequires: audit-devel BuildRequires: bison +BuildRequires: gettext Requires: filesystem Requires: kmod diff --git a/SPECS/linux/linux-esx.spec b/SPECS/linux/linux-esx.spec index bca9a1bcf7..4db9c6803e 100644 --- a/SPECS/linux/linux-esx.spec +++ b/SPECS/linux/linux-esx.spec @@ -520,6 +520,7 @@ BuildRequires: procps-ng-devel BuildRequires: lz4 BuildRequires: elfutils-libelf-devel BuildRequires: bison +BuildRequires: gettext Requires: filesystem Requires: kmod diff --git a/SPECS/linux/linux-rt.spec b/SPECS/linux/linux-rt.spec index d5a4176a4b..54313685f4 100644 --- a/SPECS/linux/linux-rt.spec +++ b/SPECS/linux/linux-rt.spec @@ -752,6 +752,7 @@ BuildRequires: procps-ng-devel BuildRequires: audit-devel BuildRequires: elfutils-libelf-devel BuildRequires: bison +BuildRequires: gettext Requires: filesystem Requires: kmod diff --git a/SPECS/linux/linux-secure.spec b/SPECS/linux/linux-secure.spec index af421cfc60..ed1d4097df 100644 --- a/SPECS/linux/linux-secure.spec +++ b/SPECS/linux/linux-secure.spec @@ -288,6 +288,7 @@ BuildRequires: Linux-PAM-devel BuildRequires: openssl-devel BuildRequires: procps-ng-devel BuildRequires: bison +BuildRequires: gettext Requires: filesystem Requires: kmod diff --git a/SPECS/linux/linux.spec b/SPECS/linux/linux.spec index 9903f87d40..95a386348d 100644 --- a/SPECS/linux/linux.spec +++ b/SPECS/linux/linux.spec @@ -577,6 +577,7 @@ BuildRequires: libunwind-devel BuildRequires: slang-devel BuildRequires: python3-devel BuildRequires: bison +BuildRequires: gettext %ifarch x86_64 BuildRequires: pciutils-devel %endif From e48406e42fe197ff51ce87f53c49eeb8d0ce179b Mon Sep 17 00:00:00 2001 From: Naadir Jeewa Date: Thu, 20 Jul 2023 01:17:03 +0100 Subject: [PATCH 2/2] Linux 4.19.285-2: Add fixes for bpfilter and usermode helpers affecting iptables. Signed-off-by: Naadir Jeewa Change-Id: Iac186b69ee40873c30e102400d21ac2241ae4120 --- ...-cleanup-callback-to-release-umh_inf.patch | 185 ++++++++++++++ ...dd-command-line-to-user-mode-helpers.patch | 93 +++++++ ...tart-bpfilter_umh-when-error-occurre.patch | 202 +++++++++++++++ ...-add-exit-routine-for-UMH-process-rt.patch | 150 +++++++++++ ...umh-add-exit-routine-for-UMH-process.patch | 150 +++++++++++ ...allow-to-remove-bpfilter-module-whil.patch | 239 ++++++++++++++++++ ...t-use-module_init-in-non-modular-cod.patch | 41 +++ ...lback-to-netfilter-if-failed-to-load.patch | 41 +++ SPECS/linux/linux-aws.spec | 22 +- SPECS/linux/linux-esx.spec | 22 +- SPECS/linux/linux-rt.spec | 22 +- SPECS/linux/linux-secure.spec | 22 +- SPECS/linux/linux.spec | 22 +- 13 files changed, 1206 insertions(+), 5 deletions(-) create mode 100644 SPECS/linux/0001-net-bpfilter-use-cleanup-callback-to-release-umh_inf.patch create mode 100644 SPECS/linux/0001-umh-Add-command-line-to-user-mode-helpers.patch create mode 100644 SPECS/linux/0002-net-bpfilter-restart-bpfilter_umh-when-error-occurre.patch create mode 100644 SPECS/linux/0002-umh-add-exit-routine-for-UMH-process-rt.patch create mode 100644 SPECS/linux/0002-umh-add-exit-routine-for-UMH-process.patch create mode 100644 SPECS/linux/0003-net-bpfilter-disallow-to-remove-bpfilter-module-whil.patch create mode 100644 SPECS/linux/0004-net-bpfilter-dont-use-module_init-in-non-modular-cod.patch create mode 100644 SPECS/linux/0005-net-bpfilter-fallback-to-netfilter-if-failed-to-load.patch diff --git a/SPECS/linux/0001-net-bpfilter-use-cleanup-callback-to-release-umh_inf.patch b/SPECS/linux/0001-net-bpfilter-use-cleanup-callback-to-release-umh_inf.patch new file mode 100644 index 0000000000..2460d500e7 --- /dev/null +++ b/SPECS/linux/0001-net-bpfilter-use-cleanup-callback-to-release-umh_inf.patch @@ -0,0 +1,185 @@ +From 5b4cb650e569db2e6a09d2fa0ef8eb789a0ac5d8 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 9 Jan 2019 02:24:34 +0900 +Subject: [PATCH] net: bpfilter: use cleanup callback to release umh_info + +Now, UMH process is killed, do_exit() calls the umh_info->cleanup callback +to release members of the umh_info. +This patch makes bpfilter_umh's cleanup routine to use the +umh_info->cleanup callback. + +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +--- + include/linux/bpfilter.h | 11 ++++++++--- + net/bpfilter/bpfilter_kern.c | 23 ++++++++++------------- + net/ipv4/bpfilter/sockopt.c | 33 ++++++++++++++++++++++++++------- + 3 files changed, 44 insertions(+), 23 deletions(-) + +diff --git a/include/linux/bpfilter.h b/include/linux/bpfilter.h +index f02cee0225d4..70ffeed280e9 100644 +--- a/include/linux/bpfilter.h ++++ b/include/linux/bpfilter.h +@@ -3,13 +3,18 @@ + #define _LINUX_BPFILTER_H + + #include ++#include + + struct sock; + int bpfilter_ip_set_sockopt(struct sock *sk, int optname, char __user *optval, + unsigned int optlen); + int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char __user *optval, + int __user *optlen); +-extern int (*bpfilter_process_sockopt)(struct sock *sk, int optname, +- char __user *optval, +- unsigned int optlen, bool is_set); ++struct bpfilter_umh_ops { ++ struct umh_info info; ++ int (*sockopt)(struct sock *sk, int optname, ++ char __user *optval, ++ unsigned int optlen, bool is_set); ++}; ++extern struct bpfilter_umh_ops bpfilter_ops; + #endif +diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c +index 7acfc83087d5..a68940b74c01 100644 +--- a/net/bpfilter/bpfilter_kern.c ++++ b/net/bpfilter/bpfilter_kern.c +@@ -13,7 +13,6 @@ + extern char bpfilter_umh_start; + extern char bpfilter_umh_end; + +-static struct umh_info info; + /* since ip_getsockopt() can run in parallel, serialize access to umh */ + static DEFINE_MUTEX(bpfilter_lock); + +@@ -28,16 +27,13 @@ static void shutdown_umh(struct umh_info *info) + send_sig(SIGKILL, tsk, 1); + put_task_struct(tsk); + } +- fput(info->pipe_to_umh); +- fput(info->pipe_from_umh); +- info->pid = 0; + } + + static void __stop_umh(void) + { + if (IS_ENABLED(CONFIG_INET)) { +- bpfilter_process_sockopt = NULL; +- shutdown_umh(&info); ++ bpfilter_ops.sockopt = NULL; ++ shutdown_umh(&bpfilter_ops.info); + } + } + +@@ -64,9 +60,10 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname, + req.addr = (long __force __user)optval; + req.len = optlen; + mutex_lock(&bpfilter_lock); +- if (!info.pid) ++ if (!bpfilter_ops.info.pid) + goto out; +- n = __kernel_write(info.pipe_to_umh, &req, sizeof(req), &pos); ++ n = __kernel_write(bpfilter_ops.info.pipe_to_umh, &req, sizeof(req), ++ &pos); + if (n != sizeof(req)) { + pr_err("write fail %zd\n", n); + __stop_umh(); +@@ -74,7 +71,8 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname, + goto out; + } + pos = 0; +- n = kernel_read(info.pipe_from_umh, &reply, sizeof(reply), &pos); ++ n = kernel_read(bpfilter_ops.info.pipe_from_umh, &reply, sizeof(reply), ++ &pos); + if (n != sizeof(reply)) { + pr_err("read fail %zd\n", n); + __stop_umh(); +@@ -94,10 +94,10 @@ static int __init load_umh(void) + /* fork usermode process */ + err = fork_usermode_blob(&bpfilter_umh_start, + &bpfilter_umh_end - &bpfilter_umh_start, +- &info); ++ &bpfilter_ops.info); + if (err) + return err; +- pr_info("Loaded bpfilter_umh pid %d\n", info.pid); ++ pr_info("Loaded bpfilter_umh pid %d\n", bpfilter_ops.info.pid); + + /* health check that usermode process started correctly */ + if (__bpfilter_process_sockopt(NULL, 0, NULL, 0, 0) != 0) { +@@ -106,7 +103,7 @@ static int __init load_umh(void) + return -EFAULT; + } + if (IS_ENABLED(CONFIG_INET)) +- bpfilter_process_sockopt = &__bpfilter_process_sockopt; ++ bpfilter_ops.sockopt = &__bpfilter_process_sockopt; + + return 0; + } +diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c +index 5e04ed25bc0e..c326cfbc0f62 100644 +--- a/net/ipv4/bpfilter/sockopt.c ++++ b/net/ipv4/bpfilter/sockopt.c +@@ -1,28 +1,37 @@ + // SPDX-License-Identifier: GPL-2.0 ++#include ++#include + #include + #include + #include + #include + #include ++#include ++#include + +-int (*bpfilter_process_sockopt)(struct sock *sk, int optname, +- char __user *optval, +- unsigned int optlen, bool is_set); +-EXPORT_SYMBOL_GPL(bpfilter_process_sockopt); ++struct bpfilter_umh_ops bpfilter_ops; ++EXPORT_SYMBOL_GPL(bpfilter_ops); ++ ++static void bpfilter_umh_cleanup(struct umh_info *info) ++{ ++ fput(info->pipe_to_umh); ++ fput(info->pipe_from_umh); ++ info->pid = 0; ++} + + static int bpfilter_mbox_request(struct sock *sk, int optname, + char __user *optval, + unsigned int optlen, bool is_set) + { +- if (!bpfilter_process_sockopt) { ++ if (!bpfilter_ops.sockopt) { + int err = request_module("bpfilter"); + + if (err) + return err; +- if (!bpfilter_process_sockopt) ++ if (!bpfilter_ops.sockopt) + return -ECHILD; + } +- return bpfilter_process_sockopt(sk, optname, optval, optlen, is_set); ++ return bpfilter_ops.sockopt(sk, optname, optval, optlen, is_set); + } + + int bpfilter_ip_set_sockopt(struct sock *sk, int optname, char __user *optval, +@@ -41,3 +50,13 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char __user *optval, + + return bpfilter_mbox_request(sk, optname, optval, len, false); + } ++ ++static int __init bpfilter_sockopt_init(void) ++{ ++ bpfilter_ops.info.cmdline = "bpfilter_umh"; ++ bpfilter_ops.info.cleanup = &bpfilter_umh_cleanup; ++ ++ return 0; ++} ++ ++module_init(bpfilter_sockopt_init); +-- +2.41.0 diff --git a/SPECS/linux/0001-umh-Add-command-line-to-user-mode-helpers.patch b/SPECS/linux/0001-umh-Add-command-line-to-user-mode-helpers.patch new file mode 100644 index 0000000000..0ece4e11f5 --- /dev/null +++ b/SPECS/linux/0001-umh-Add-command-line-to-user-mode-helpers.patch @@ -0,0 +1,93 @@ +From 876dcf2f3aaa0f68d437b368b93a4c4b81521191 Mon Sep 17 00:00:00 2001 +From: Olivier Brunel +Date: Sat, 20 Oct 2018 19:39:56 +0200 +Subject: [PATCH] umh: Add command line to user mode helpers + +User mode helpers were spawned without a command line, and because +an empty command line is used by many tools to identify processes as +kernel threads, this could cause some issues. + +Notably during killing spree on shutdown, since such helper would then +be skipped (i.e. not killed) which would result in the process remaining +alive, and thus preventing unmouting of the rootfs (as experienced with +the bpfilter umh). + +Fixes: 449325b52b7a ("umh: introduce fork_usermode_blob() helper") +Signed-off-by: Olivier Brunel +Signed-off-by: David S. Miller +--- + include/linux/umh.h | 1 + + kernel/umh.c | 16 ++++++++++++++-- + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/include/linux/umh.h b/include/linux/umh.h +index 5c812acbb80a..235f51b62c71 100644 +--- a/include/linux/umh.h ++++ b/include/linux/umh.h +@@ -44,6 +44,7 @@ struct subprocess_info *call_usermodehelper_setup_file(struct file *file, + int (*init)(struct subprocess_info *info, struct cred *new), + void (*cleanup)(struct subprocess_info *), void *data); + struct umh_info { ++ const char *cmdline; + struct file *pipe_to_umh; + struct file *pipe_from_umh; + pid_t pid; +diff --git a/kernel/umh.c b/kernel/umh.c +index c449858946af..0baa672e023c 100644 +--- a/kernel/umh.c ++++ b/kernel/umh.c +@@ -405,11 +405,19 @@ struct subprocess_info *call_usermodehelper_setup_file(struct file *file, + void (*cleanup)(struct subprocess_info *info), void *data) + { + struct subprocess_info *sub_info; ++ struct umh_info *info = data; ++ const char *cmdline = (info->cmdline) ? info->cmdline : "usermodehelper"; + + sub_info = kzalloc(sizeof(struct subprocess_info), GFP_KERNEL); + if (!sub_info) + return NULL; + ++ sub_info->argv = argv_split(GFP_KERNEL, cmdline, NULL); ++ if (!sub_info->argv) { ++ kfree(sub_info); ++ return NULL; ++ } ++ + INIT_WORK(&sub_info->work, call_usermodehelper_exec_work); + sub_info->path = "none"; + sub_info->file = file; +@@ -458,10 +466,11 @@ static int umh_pipe_setup(struct subprocess_info *info, struct cred *new) + return 0; + } + +-static void umh_save_pid(struct subprocess_info *info) ++static void umh_clean_and_save_pid(struct subprocess_info *info) + { + struct umh_info *umh_info = info->data; + ++ argv_free(info->argv); + umh_info->pid = info->pid; + } + +@@ -471,6 +480,9 @@ static void umh_save_pid(struct subprocess_info *info) + * @len: length of the blob + * @info: information about usermode process (shouldn't be NULL) + * ++ * If info->cmdline is set it will be used as command line for the ++ * user process, else "usermodehelper" is used. ++ * + * Returns either negative error or zero which indicates success + * in executing a blob of bytes as a usermode process. In such + * case 'struct umh_info *info' is populated with two pipes +@@ -500,7 +512,7 @@ int fork_usermode_blob(void *data, size_t len, struct umh_info *info) + + err = -ENOMEM; + sub_info = call_usermodehelper_setup_file(file, umh_pipe_setup, +- umh_save_pid, info); ++ umh_clean_and_save_pid, info); + if (!sub_info) + goto out; + +-- +2.41.0 + diff --git a/SPECS/linux/0002-net-bpfilter-restart-bpfilter_umh-when-error-occurre.patch b/SPECS/linux/0002-net-bpfilter-restart-bpfilter_umh-when-error-occurre.patch new file mode 100644 index 0000000000..1ca0f4b772 --- /dev/null +++ b/SPECS/linux/0002-net-bpfilter-restart-bpfilter_umh-when-error-occurre.patch @@ -0,0 +1,202 @@ +From 61fbf5933d42b02f552123af5a87a06335a3b4db Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 9 Jan 2019 02:24:53 +0900 +Subject: [PATCH] net: bpfilter: restart bpfilter_umh when error occurred + +The bpfilter_umh will be stopped via __stop_umh() when the bpfilter +error occurred. +The bpfilter_umh() couldn't start again because there is no restart +routine. + +The section of the bpfilter_umh_{start/end} is no longer .init.rodata +because these area should be reused in the restart routine. hence +the section name is changed to .bpfilter_umh. + +The bpfilter_ops->start() is restart callback. it will be called when +bpfilter_umh is stopped. +The stop bit means bpfilter_umh is stopped. this bit is set by both +start and stop routine. + +Before this patch, +Test commands: + $ iptables -vnL + $ kill -9 + $ iptables -vnL + [ 480.045136] bpfilter: write fail -32 + $ iptables -vnL + +All iptables commands will fail. + +After this patch, +Test commands: + $ iptables -vnL + $ kill -9 + $ iptables -vnL + $ iptables -vnL + +Now, all iptables commands will work. + +Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +--- + include/linux/bpfilter.h | 2 ++ + net/bpfilter/bpfilter_kern.c | 36 +++++++++++++++++++++++--------- + net/bpfilter/bpfilter_umh_blob.S | 2 +- + net/ipv4/bpfilter/sockopt.c | 11 +++++++++- + 4 files changed, 39 insertions(+), 12 deletions(-) + +diff --git a/include/linux/bpfilter.h b/include/linux/bpfilter.h +index 70ffeed280e9..8ebcbdd70bdc 100644 +--- a/include/linux/bpfilter.h ++++ b/include/linux/bpfilter.h +@@ -15,6 +15,8 @@ struct bpfilter_umh_ops { + int (*sockopt)(struct sock *sk, int optname, + char __user *optval, + unsigned int optlen, bool is_set); ++ int (*start)(void); ++ bool stop; + }; + extern struct bpfilter_umh_ops bpfilter_ops; + #endif +diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c +index 908375b45d75..a07b4b2c9b0a 100644 +--- a/net/bpfilter/bpfilter_kern.c ++++ b/net/bpfilter/bpfilter_kern.c +@@ -16,13 +16,13 @@ extern char bpfilter_umh_end; + /* since ip_getsockopt() can run in parallel, serialize access to umh */ + static DEFINE_MUTEX(bpfilter_lock); + +-static void shutdown_umh(struct umh_info *info) ++static void shutdown_umh(void) + { + struct task_struct *tsk; + +- if (!info->pid) ++ if (bpfilter_ops.stop) + return; +- tsk = get_pid_task(find_vpid(info->pid), PIDTYPE_PID); ++ tsk = get_pid_task(find_vpid(bpfilter_ops.info.pid), PIDTYPE_PID); + if (tsk) { + send_sig(SIGKILL, tsk, 1); + put_task_struct(tsk); +@@ -31,10 +31,8 @@ static void shutdown_umh(struct umh_info *info) + + static void __stop_umh(void) + { +- if (IS_ENABLED(CONFIG_INET)) { +- bpfilter_ops.sockopt = NULL; +- shutdown_umh(&bpfilter_ops.info); +- } ++ if (IS_ENABLED(CONFIG_INET)) ++ shutdown_umh(); + } + + static void stop_umh(void) +@@ -85,7 +83,7 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname, + return ret; + } + +-static int __init load_umh(void) ++static int start_umh(void) + { + int err; + +@@ -95,6 +93,7 @@ static int __init load_umh(void) + &bpfilter_ops.info); + if (err) + return err; ++ bpfilter_ops.stop = false; + pr_info("Loaded bpfilter_umh pid %d\n", bpfilter_ops.info.pid); + + /* health check that usermode process started correctly */ +@@ -102,14 +101,31 @@ static int __init load_umh(void) + stop_umh(); + return -EFAULT; + } +- if (IS_ENABLED(CONFIG_INET)) +- bpfilter_ops.sockopt = &__bpfilter_process_sockopt; + + return 0; + } + ++static int __init load_umh(void) ++{ ++ int err; ++ ++ if (!bpfilter_ops.stop) ++ return -EFAULT; ++ err = start_umh(); ++ if (!err && IS_ENABLED(CONFIG_INET)) { ++ bpfilter_ops.sockopt = &__bpfilter_process_sockopt; ++ bpfilter_ops.start = &start_umh; ++ } ++ ++ return err; ++} ++ + static void __exit fini_umh(void) + { ++ if (IS_ENABLED(CONFIG_INET)) { ++ bpfilter_ops.start = NULL; ++ bpfilter_ops.sockopt = NULL; ++ } + stop_umh(); + } + module_init(load_umh); +diff --git a/net/bpfilter/bpfilter_umh_blob.S b/net/bpfilter/bpfilter_umh_blob.S +index 40311d10d2f2..7f1c521dcc2f 100644 +--- a/net/bpfilter/bpfilter_umh_blob.S ++++ b/net/bpfilter/bpfilter_umh_blob.S +@@ -1,5 +1,5 @@ + /* SPDX-License-Identifier: GPL-2.0 */ +- .section .init.rodata, "a" ++ .section .bpfilter_umh, "a" + .global bpfilter_umh_start + bpfilter_umh_start: + .incbin "net/bpfilter/bpfilter_umh" +diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c +index c326cfbc0f62..de84ede4e765 100644 +--- a/net/ipv4/bpfilter/sockopt.c ++++ b/net/ipv4/bpfilter/sockopt.c +@@ -14,6 +14,7 @@ EXPORT_SYMBOL_GPL(bpfilter_ops); + + static void bpfilter_umh_cleanup(struct umh_info *info) + { ++ bpfilter_ops.stop = true; + fput(info->pipe_to_umh); + fput(info->pipe_from_umh); + info->pid = 0; +@@ -23,14 +24,21 @@ static int bpfilter_mbox_request(struct sock *sk, int optname, + char __user *optval, + unsigned int optlen, bool is_set) + { ++ int err; ++ + if (!bpfilter_ops.sockopt) { +- int err = request_module("bpfilter"); ++ err = request_module("bpfilter"); + + if (err) + return err; + if (!bpfilter_ops.sockopt) + return -ECHILD; + } ++ if (bpfilter_ops.stop) { ++ err = bpfilter_ops.start(); ++ if (err) ++ return err; ++ } + return bpfilter_ops.sockopt(sk, optname, optval, optlen, is_set); + } + +@@ -53,6 +61,7 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char __user *optval, + + static int __init bpfilter_sockopt_init(void) + { ++ bpfilter_ops.stop = true; + bpfilter_ops.info.cmdline = "bpfilter_umh"; + bpfilter_ops.info.cleanup = &bpfilter_umh_cleanup; + +-- +2.41.0 diff --git a/SPECS/linux/0002-umh-add-exit-routine-for-UMH-process-rt.patch b/SPECS/linux/0002-umh-add-exit-routine-for-UMH-process-rt.patch new file mode 100644 index 0000000000..bc2420bbef --- /dev/null +++ b/SPECS/linux/0002-umh-add-exit-routine-for-UMH-process-rt.patch @@ -0,0 +1,150 @@ +From 73ab1cb2de9e3efe7f818d5453de271e5371df1d Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 9 Jan 2019 02:23:56 +0900 +Subject: [PATCH] umh: add exit routine for UMH process + +A UMH process which is created by the fork_usermode_blob() such as +bpfilter needs to release members of the umh_info when process is +terminated. +But the do_exit() does not release members of the umh_info. hence module +which uses UMH needs own code to detect whether UMH process is +terminated or not. +But this implementation needs extra code for checking the status of +UMH process. it eventually makes the code more complex. + +The new PF_UMH flag is added and it is used to identify UMH processes. +The exit_umh() does not release members of the umh_info. +Hence umh_info->cleanup callback should release both members of the +umh_info and the private data. + +Suggested-by: David S. Miller +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +--- + include/linux/sched.h | 9 +++++++++ + include/linux/umh.h | 2 ++ + kernel/exit.c | 1 + + kernel/umh.c | 33 +++++++++++++++++++++++++++++++-- + 4 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index fd4899236037..9e559b6b4bfb 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1450,6 +1450,7 @@ extern struct pid *cad_pid; + #define PF_KTHREAD 0x00200000 /* I am a kernel thread */ + #define PF_RANDOMIZE 0x00400000 /* Randomize virtual address space */ + #define PF_SWAPWRITE 0x00800000 /* Allowed to write to swap */ ++#define PF_UMH 0x02000000 /* I'm an Usermodehelper process */ + #define PF_NO_SETAFFINITY 0x04000000 /* Userland is not allowed to meddle with cpus_mask */ + #define PF_MCE_EARLY 0x08000000 /* Early kill for mce process policy */ + #define PF_MUTEX_TESTER 0x20000000 /* Thread belongs to the rt mutex tester */ +@@ -1900,6 +1901,14 @@ static inline void rseq_execve(struct task_struct *t) + + #endif + ++void __exit_umh(struct task_struct *tsk); ++ ++static inline void exit_umh(struct task_struct *tsk) ++{ ++ if (unlikely(tsk->flags & PF_UMH)) ++ __exit_umh(tsk); ++} ++ + #ifdef CONFIG_DEBUG_RSEQ + + void rseq_syscall(struct pt_regs *regs); +diff --git a/include/linux/umh.h b/include/linux/umh.h +index 235f51b62c71..0c08de356d0d 100644 +--- a/include/linux/umh.h ++++ b/include/linux/umh.h +@@ -47,6 +47,8 @@ struct umh_info { + const char *cmdline; + struct file *pipe_to_umh; + struct file *pipe_from_umh; ++ struct list_head list; ++ void (*cleanup)(struct umh_info *info); + pid_t pid; + }; + int fork_usermode_blob(void *data, size_t len, struct umh_info *info); +diff --git a/kernel/exit.c b/kernel/exit.c +index 02360ec3b122..0467c8868c35 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -916,6 +916,7 @@ void __noreturn do_exit(long code) + exit_task_namespaces(tsk); + exit_task_work(tsk); + exit_thread(tsk); ++ exit_umh(tsk); + + /* + * Flush inherited counters to the parent - before the parent +diff --git a/kernel/umh.c b/kernel/umh.c +index a00c51651906..535fe0e09ca9 100644 +--- a/kernel/umh.c ++++ b/kernel/umh.c +@@ -38,6 +38,8 @@ static kernel_cap_t usermodehelper_bset = CAP_FULL_SET; + static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET; + static DEFINE_SPINLOCK(umh_sysctl_lock); + static DECLARE_RWSEM(umhelper_sem); ++static LIST_HEAD(umh_list); ++static DEFINE_MUTEX(umh_list_lock); + + static void call_usermodehelper_freeinfo(struct subprocess_info *info) + { +@@ -109,10 +111,12 @@ static int call_usermodehelper_exec_async(void *data) + commit_creds(new); + + sub_info->pid = task_pid_nr(current); +- if (sub_info->file) ++ if (sub_info->file) { + retval = do_execve_file(sub_info->file, + sub_info->argv, sub_info->envp); +- else ++ if (!retval) ++ current->flags |= PF_UMH; ++ } else + retval = do_execve(getname_kernel(sub_info->path), + (const char __user *const __user *)sub_info->argv, + (const char __user *const __user *)sub_info->envp); +@@ -526,6 +530,11 @@ int fork_usermode_blob(void *data, size_t len, struct umh_info *info) + goto out; + + err = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC); ++ if (!err) { ++ mutex_lock(&umh_list_lock); ++ list_add(&info->list, &umh_list); ++ mutex_unlock(&umh_list_lock); ++ } + out: + fput(file); + return err; +@@ -693,6 +702,26 @@ static int proc_cap_handler(struct ctl_table *table, int write, + return 0; + } + ++void __exit_umh(struct task_struct *tsk) ++{ ++ struct umh_info *info; ++ pid_t pid = tsk->pid; ++ ++ mutex_lock(&umh_list_lock); ++ list_for_each_entry(info, &umh_list, list) { ++ if (info->pid == pid) { ++ list_del(&info->list); ++ mutex_unlock(&umh_list_lock); ++ goto out; ++ } ++ } ++ mutex_unlock(&umh_list_lock); ++ return; ++out: ++ if (info->cleanup) ++ info->cleanup(info); ++} ++ + struct ctl_table usermodehelper_table[] = { + { + .procname = "bset", +-- +2.41.0 diff --git a/SPECS/linux/0002-umh-add-exit-routine-for-UMH-process.patch b/SPECS/linux/0002-umh-add-exit-routine-for-UMH-process.patch new file mode 100644 index 0000000000..99b577e80f --- /dev/null +++ b/SPECS/linux/0002-umh-add-exit-routine-for-UMH-process.patch @@ -0,0 +1,150 @@ +From 73ab1cb2de9e3efe7f818d5453de271e5371df1d Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 9 Jan 2019 02:23:56 +0900 +Subject: [PATCH] umh: add exit routine for UMH process + +A UMH process which is created by the fork_usermode_blob() such as +bpfilter needs to release members of the umh_info when process is +terminated. +But the do_exit() does not release members of the umh_info. hence module +which uses UMH needs own code to detect whether UMH process is +terminated or not. +But this implementation needs extra code for checking the status of +UMH process. it eventually makes the code more complex. + +The new PF_UMH flag is added and it is used to identify UMH processes. +The exit_umh() does not release members of the umh_info. +Hence umh_info->cleanup callback should release both members of the +umh_info and the private data. + +Suggested-by: David S. Miller +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +--- + include/linux/sched.h | 9 +++++++++ + include/linux/umh.h | 2 ++ + kernel/exit.c | 1 + + kernel/umh.c | 33 +++++++++++++++++++++++++++++++-- + 4 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index fd4899236037..9e559b6b4bfb 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1402,6 +1402,7 @@ extern struct pid *cad_pid; + #define PF_KTHREAD 0x00200000 /* I am a kernel thread */ + #define PF_RANDOMIZE 0x00400000 /* Randomize virtual address space */ + #define PF_SWAPWRITE 0x00800000 /* Allowed to write to swap */ ++#define PF_UMH 0x02000000 /* I'm an Usermodehelper process */ + #define PF_NO_SETAFFINITY 0x04000000 /* Userland is not allowed to meddle with cpus_allowed */ + #define PF_MCE_EARLY 0x08000000 /* Early kill for mce process policy */ + #define PF_MUTEX_TESTER 0x20000000 /* Thread belongs to the rt mutex tester */ +@@ -1900,6 +1901,14 @@ static inline void rseq_execve(struct task_struct *t) + + #endif + ++void __exit_umh(struct task_struct *tsk); ++ ++static inline void exit_umh(struct task_struct *tsk) ++{ ++ if (unlikely(tsk->flags & PF_UMH)) ++ __exit_umh(tsk); ++} ++ + #ifdef CONFIG_DEBUG_RSEQ + + void rseq_syscall(struct pt_regs *regs); +diff --git a/include/linux/umh.h b/include/linux/umh.h +index 235f51b62c71..0c08de356d0d 100644 +--- a/include/linux/umh.h ++++ b/include/linux/umh.h +@@ -47,6 +47,8 @@ struct umh_info { + const char *cmdline; + struct file *pipe_to_umh; + struct file *pipe_from_umh; ++ struct list_head list; ++ void (*cleanup)(struct umh_info *info); + pid_t pid; + }; + int fork_usermode_blob(void *data, size_t len, struct umh_info *info); +diff --git a/kernel/exit.c b/kernel/exit.c +index 02360ec3b122..0467c8868c35 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -916,6 +916,7 @@ void __noreturn do_exit(long code) + exit_task_namespaces(tsk); + exit_task_work(tsk); + exit_thread(tsk); ++ exit_umh(tsk); + + /* + * Flush inherited counters to the parent - before the parent +diff --git a/kernel/umh.c b/kernel/umh.c +index a00c51651906..535fe0e09ca9 100644 +--- a/kernel/umh.c ++++ b/kernel/umh.c +@@ -38,6 +38,8 @@ static kernel_cap_t usermodehelper_bset = CAP_FULL_SET; + static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET; + static DEFINE_SPINLOCK(umh_sysctl_lock); + static DECLARE_RWSEM(umhelper_sem); ++static LIST_HEAD(umh_list); ++static DEFINE_MUTEX(umh_list_lock); + + static void call_usermodehelper_freeinfo(struct subprocess_info *info) + { +@@ -109,10 +111,12 @@ static int call_usermodehelper_exec_async(void *data) + commit_creds(new); + + sub_info->pid = task_pid_nr(current); +- if (sub_info->file) ++ if (sub_info->file) { + retval = do_execve_file(sub_info->file, + sub_info->argv, sub_info->envp); +- else ++ if (!retval) ++ current->flags |= PF_UMH; ++ } else + retval = do_execve(getname_kernel(sub_info->path), + (const char __user *const __user *)sub_info->argv, + (const char __user *const __user *)sub_info->envp); +@@ -526,6 +530,11 @@ int fork_usermode_blob(void *data, size_t len, struct umh_info *info) + goto out; + + err = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC); ++ if (!err) { ++ mutex_lock(&umh_list_lock); ++ list_add(&info->list, &umh_list); ++ mutex_unlock(&umh_list_lock); ++ } + out: + fput(file); + return err; +@@ -693,6 +702,26 @@ static int proc_cap_handler(struct ctl_table *table, int write, + return 0; + } + ++void __exit_umh(struct task_struct *tsk) ++{ ++ struct umh_info *info; ++ pid_t pid = tsk->pid; ++ ++ mutex_lock(&umh_list_lock); ++ list_for_each_entry(info, &umh_list, list) { ++ if (info->pid == pid) { ++ list_del(&info->list); ++ mutex_unlock(&umh_list_lock); ++ goto out; ++ } ++ } ++ mutex_unlock(&umh_list_lock); ++ return; ++out: ++ if (info->cleanup) ++ info->cleanup(info); ++} ++ + struct ctl_table usermodehelper_table[] = { + { + .procname = "bset", +-- +2.41.0 diff --git a/SPECS/linux/0003-net-bpfilter-disallow-to-remove-bpfilter-module-whil.patch b/SPECS/linux/0003-net-bpfilter-disallow-to-remove-bpfilter-module-whil.patch new file mode 100644 index 0000000000..6a902fd257 --- /dev/null +++ b/SPECS/linux/0003-net-bpfilter-disallow-to-remove-bpfilter-module-whil.patch @@ -0,0 +1,239 @@ +From 71a8508402b570127d6500c1ad456bbd33ccf187 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 9 Jan 2019 02:25:10 +0900 +Subject: [PATCH] net: bpfilter: disallow to remove bpfilter module while being + used + +The bpfilter.ko module can be removed while functions of the bpfilter.ko +are executing. so panic can occurred. in order to protect that, locks can +be used. a bpfilter_lock protects routines in the +__bpfilter_process_sockopt() but it's not enough because __exit routine +can be executed concurrently. + +Now, the bpfilter_umh can not run in parallel. +So, the module do not removed while it's being used and it do not +double-create UMH process. +The members of the umh_info and the bpfilter_umh_ops are protected by +the bpfilter_umh_ops.lock. + +test commands: + while : + do + iptables -I FORWARD -m string --string ap --algo kmp & + modprobe -rv bpfilter & + done + +splat looks like: +[ 298.623435] BUG: unable to handle kernel paging request at fffffbfff807440b +[ 298.628512] #PF error: [normal kernel read fault] +[ 298.633018] PGD 124327067 P4D 124327067 PUD 11c1a3067 PMD 119eb2067 PTE 0 +[ 298.638859] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 298.638859] CPU: 0 PID: 2997 Comm: iptables Not tainted 4.20.0+ #154 +[ 298.638859] RIP: 0010:__mutex_lock+0x6b9/0x16a0 +[ 298.638859] Code: c0 00 00 e8 89 82 ff ff 80 bd 8f fc ff ff 00 0f 85 d9 05 00 00 48 8b 85 80 fc ff ff 48 bf 00 00 00 00 00 fc ff df 48 c1 e8 03 <80> 3c 38 00 0f 85 1d 0e 00 00 48 8b 85 c8 fc ff ff 49 39 47 58 c6 +[ 298.638859] RSP: 0018:ffff88810e7777a0 EFLAGS: 00010202 +[ 298.638859] RAX: 1ffffffff807440b RBX: ffff888111bd4d80 RCX: 0000000000000000 +[ 298.638859] RDX: 1ffff110235ff806 RSI: ffff888111bd5538 RDI: dffffc0000000000 +[ 298.638859] RBP: ffff88810e777b30 R08: 0000000080000002 R09: 0000000000000000 +[ 298.638859] R10: 0000000000000000 R11: 0000000000000000 R12: fffffbfff168a42c +[ 298.638859] R13: ffff888111bd4d80 R14: ffff8881040e9a05 R15: ffffffffc03a2000 +[ 298.638859] FS: 00007f39e3758700(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000 +[ 298.638859] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 298.638859] CR2: fffffbfff807440b CR3: 000000011243e000 CR4: 00000000001006f0 +[ 298.638859] Call Trace: +[ 298.638859] ? mutex_lock_io_nested+0x1560/0x1560 +[ 298.638859] ? kasan_kmalloc+0xa0/0xd0 +[ 298.638859] ? kmem_cache_alloc+0x1c2/0x260 +[ 298.638859] ? __alloc_file+0x92/0x3c0 +[ 298.638859] ? alloc_empty_file+0x43/0x120 +[ 298.638859] ? alloc_file_pseudo+0x220/0x330 +[ 298.638859] ? sock_alloc_file+0x39/0x160 +[ 298.638859] ? __sys_socket+0x113/0x1d0 +[ 298.638859] ? __x64_sys_socket+0x6f/0xb0 +[ 298.638859] ? do_syscall_64+0x138/0x560 +[ 298.638859] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 298.638859] ? __alloc_file+0x92/0x3c0 +[ 298.638859] ? init_object+0x6b/0x80 +[ 298.638859] ? cyc2ns_read_end+0x10/0x10 +[ 298.638859] ? cyc2ns_read_end+0x10/0x10 +[ 298.638859] ? hlock_class+0x140/0x140 +[ 298.638859] ? sched_clock_local+0xd4/0x140 +[ 298.638859] ? sched_clock_local+0xd4/0x140 +[ 298.638859] ? check_flags.part.37+0x440/0x440 +[ 298.638859] ? __lock_acquire+0x4f90/0x4f90 +[ 298.638859] ? set_rq_offline.part.89+0x140/0x140 +[ ... ] + +Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +--- + include/linux/bpfilter.h | 2 ++ + net/bpfilter/bpfilter_kern.c | 28 +++++++++++----------------- + net/ipv4/bpfilter/sockopt.c | 22 ++++++++++++++++------ + 3 files changed, 29 insertions(+), 23 deletions(-) + +diff --git a/include/linux/bpfilter.h b/include/linux/bpfilter.h +index 8ebcbdd70bdc..d815622cd31e 100644 +--- a/include/linux/bpfilter.h ++++ b/include/linux/bpfilter.h +@@ -12,6 +12,8 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char __user *optval, + int __user *optlen); + struct bpfilter_umh_ops { + struct umh_info info; ++ /* since ip_getsockopt() can run in parallel, serialize access to umh */ ++ struct mutex lock; + int (*sockopt)(struct sock *sk, int optname, + char __user *optval, + unsigned int optlen, bool is_set); +diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c +index c0fcde910a7a..7ee4fea93637 100644 +--- a/net/bpfilter/bpfilter_kern.c ++++ b/net/bpfilter/bpfilter_kern.c +@@ -13,9 +13,6 @@ + extern char bpfilter_umh_start; + extern char bpfilter_umh_end; + +-/* since ip_getsockopt() can run in parallel, serialize access to umh */ +-static DEFINE_MUTEX(bpfilter_lock); +- + static void shutdown_umh(void) + { + struct task_struct *tsk; +@@ -36,13 +33,6 @@ static void __stop_umh(void) + shutdown_umh(); + } + +-static void stop_umh(void) +-{ +- mutex_lock(&bpfilter_lock); +- __stop_umh(); +- mutex_unlock(&bpfilter_lock); +-} +- + static int __bpfilter_process_sockopt(struct sock *sk, int optname, + char __user *optval, + unsigned int optlen, bool is_set) +@@ -58,7 +48,6 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname, + req.cmd = optname; + req.addr = (long __force __user)optval; + req.len = optlen; +- mutex_lock(&bpfilter_lock); + if (!bpfilter_ops.info.pid) + goto out; + n = __kernel_write(bpfilter_ops.info.pipe_to_umh, &req, sizeof(req), +@@ -80,7 +69,6 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname, + } + ret = reply.status; + out: +- mutex_unlock(&bpfilter_lock); + return ret; + } + +@@ -99,7 +87,7 @@ static int start_umh(void) + + /* health check that usermode process started correctly */ + if (__bpfilter_process_sockopt(NULL, 0, NULL, 0, 0) != 0) { +- stop_umh(); ++ shutdown_umh(); + return -EFAULT; + } + +@@ -110,24 +98,30 @@ static int __init load_umh(void) + { + int err; + +- if (!bpfilter_ops.stop) +- return -EFAULT; ++ mutex_lock(&bpfilter_ops.lock); ++ if (!bpfilter_ops.stop) { ++ err = -EFAULT; ++ goto out; ++ } + err = start_umh(); + if (!err && IS_ENABLED(CONFIG_INET)) { + bpfilter_ops.sockopt = &__bpfilter_process_sockopt; + bpfilter_ops.start = &start_umh; + } +- ++out: ++ mutex_unlock(&bpfilter_ops.lock); + return err; + } + + static void __exit fini_umh(void) + { ++ mutex_lock(&bpfilter_ops.lock); + if (IS_ENABLED(CONFIG_INET)) { ++ shutdown_umh(); + bpfilter_ops.start = NULL; + bpfilter_ops.sockopt = NULL; + } +- stop_umh(); ++ mutex_unlock(&bpfilter_ops.lock); + } + module_init(load_umh); + module_exit(fini_umh); +diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c +index de84ede4e765..1e976bb93d99 100644 +--- a/net/ipv4/bpfilter/sockopt.c ++++ b/net/ipv4/bpfilter/sockopt.c +@@ -14,10 +14,12 @@ EXPORT_SYMBOL_GPL(bpfilter_ops); + + static void bpfilter_umh_cleanup(struct umh_info *info) + { ++ mutex_lock(&bpfilter_ops.lock); + bpfilter_ops.stop = true; + fput(info->pipe_to_umh); + fput(info->pipe_from_umh); + info->pid = 0; ++ mutex_unlock(&bpfilter_ops.lock); + } + + static int bpfilter_mbox_request(struct sock *sk, int optname, +@@ -25,21 +27,28 @@ static int bpfilter_mbox_request(struct sock *sk, int optname, + unsigned int optlen, bool is_set) + { + int err; +- ++ mutex_lock(&bpfilter_ops.lock); + if (!bpfilter_ops.sockopt) { ++ mutex_unlock(&bpfilter_ops.lock); + err = request_module("bpfilter"); ++ mutex_lock(&bpfilter_ops.lock); + + if (err) +- return err; +- if (!bpfilter_ops.sockopt) +- return -ECHILD; ++ goto out; ++ if (!bpfilter_ops.sockopt) { ++ err = -ECHILD; ++ goto out; ++ } + } + if (bpfilter_ops.stop) { + err = bpfilter_ops.start(); + if (err) +- return err; ++ goto out; + } +- return bpfilter_ops.sockopt(sk, optname, optval, optlen, is_set); ++ err = bpfilter_ops.sockopt(sk, optname, optval, optlen, is_set); ++out: ++ mutex_unlock(&bpfilter_ops.lock); ++ return err; + } + + int bpfilter_ip_set_sockopt(struct sock *sk, int optname, char __user *optval, +@@ -61,6 +70,7 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char __user *optval, + + static int __init bpfilter_sockopt_init(void) + { ++ mutex_init(&bpfilter_ops.lock); + bpfilter_ops.stop = true; + bpfilter_ops.info.cmdline = "bpfilter_umh"; + bpfilter_ops.info.cleanup = &bpfilter_umh_cleanup; +-- +2.41.0 + diff --git a/SPECS/linux/0004-net-bpfilter-dont-use-module_init-in-non-modular-cod.patch b/SPECS/linux/0004-net-bpfilter-dont-use-module_init-in-non-modular-cod.patch new file mode 100644 index 0000000000..8025272ebe --- /dev/null +++ b/SPECS/linux/0004-net-bpfilter-dont-use-module_init-in-non-modular-cod.patch @@ -0,0 +1,41 @@ +From 3557b3fdeefacdd111469f90db1a0602902c9698 Mon Sep 17 00:00:00 2001 +From: Paul Gortmaker +Date: Sat, 20 Apr 2019 23:29:47 -0400 +Subject: [PATCH] net: bpfilter: dont use module_init in non-modular code + +The Kconfig controlling this code is: + +bpfilter/Kconfig:menuconfig BPFILTER +bpfilter/Kconfig: bool "BPF based packet filtering framework (BPFILTER)" + +Since it isn't a module, we shouldn't use module_init(). Instead we +use device_initcall() - which is exactly what module_init() defaults +to for non-modular code/builds. + +We don't remove from the includes since this file does +a request_module() and hence is a valid user of that header file, even +though it is not modular itself. + +Cc: "David S. Miller" +Cc: Alexey Kuznetsov +Cc: Hideaki YOSHIFUJI +Signed-off-by: Paul Gortmaker +Signed-off-by: David S. Miller +--- + net/ipv4/bpfilter/sockopt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c +index 1e976bb93d99..15427163a041 100644 +--- a/net/ipv4/bpfilter/sockopt.c ++++ b/net/ipv4/bpfilter/sockopt.c +@@ -77,5 +77,4 @@ static int __init bpfilter_sockopt_init(void) + + return 0; + } +- +-module_init(bpfilter_sockopt_init); ++device_initcall(bpfilter_sockopt_init); +-- +2.41.0 + diff --git a/SPECS/linux/0005-net-bpfilter-fallback-to-netfilter-if-failed-to-load.patch b/SPECS/linux/0005-net-bpfilter-fallback-to-netfilter-if-failed-to-load.patch new file mode 100644 index 0000000000..d9337f0b0b --- /dev/null +++ b/SPECS/linux/0005-net-bpfilter-fallback-to-netfilter-if-failed-to-load.patch @@ -0,0 +1,41 @@ +From 752beb5ec4413d40434957e427c6c48d5043f805 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Wed, 15 May 2019 14:40:52 +0300 +Subject: [PATCH] net: bpfilter: fallback to netfilter if failed to load + bpfilter kernel module + +If bpfilter is not available return ENOPROTOOPT to fallback to netfilter. + +Function request_module() returns both errors and userspace exit codes. +Just ignore them. Rechecking bpfilter_ops is enough. + +Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module") +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: David S. Miller +--- + net/ipv4/bpfilter/sockopt.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c +index 15427163a041..0480918bfc7c 100644 +--- a/net/ipv4/bpfilter/sockopt.c ++++ b/net/ipv4/bpfilter/sockopt.c +@@ -30,13 +30,11 @@ static int bpfilter_mbox_request(struct sock *sk, int optname, + mutex_lock(&bpfilter_ops.lock); + if (!bpfilter_ops.sockopt) { + mutex_unlock(&bpfilter_ops.lock); +- err = request_module("bpfilter"); ++ request_module("bpfilter"); + mutex_lock(&bpfilter_ops.lock); + +- if (err) +- goto out; + if (!bpfilter_ops.sockopt) { +- err = -ECHILD; ++ err = -ENOPROTOOPT; + goto out; + } + } +-- +2.41.0 + diff --git a/SPECS/linux/linux-aws.spec b/SPECS/linux/linux-aws.spec index f8fcf75e2a..41c74a422b 100644 --- a/SPECS/linux/linux-aws.spec +++ b/SPECS/linux/linux-aws.spec @@ -3,7 +3,7 @@ Summary: Kernel Name: linux-aws Version: 4.19.285 -Release: 1%{?kat_build:.kat}%{?dist} +Release: 2%{?kat_build:.kat}%{?dist} License: GPLv2 URL: http://www.kernel.org Group: System Environment/Kernel @@ -239,6 +239,17 @@ Patch310: 0001-tun-tun_chr_open-correctly-initialize-socket-uid.patch #Fix for CVE-2023-1077 Patch311: 0001-sched-rt-pick_next_rt_entity-check-list_entry.patch +# Usermode helper fixes +Patch400: 0001-umh-Add-command-line-to-user-mode-helpers.patch +Patch401: 0002-umh-add-exit-routine-for-UMH-process.patch + +# BPFilter fixes +Patch405: 0001-net-bpfilter-use-cleanup-callback-to-release-umh_inf.patch +Patch406: 0002-net-bpfilter-restart-bpfilter_umh-when-error-occurre.patch +Patch407: 0003-net-bpfilter-disallow-to-remove-bpfilter-module-whil.patch +Patch408: 0004-net-bpfilter-dont-use-module_init-in-non-modular-cod.patch +Patch409: 0005-net-bpfilter-fallback-to-netfilter-if-failed-to-load.patch + %if 0%{?kat_build} Patch1000: fips-kat-tests.patch %endif @@ -341,6 +352,12 @@ Kernel driver for oprofile, a statistical profiler for Linux systems # CVE fixes %autopatch -p1 -m300 -M311 +# Usermode helper patches +%autopatch -p1 -m400 -M401 + +# bpfilter patches +%autopatch -p1 -m405 -M409 + %if 0%{?kat_build} %patch1000 -p1 %endif @@ -540,6 +557,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg %endif %changelog +* Tue Jul 18 2023 Naadir Jeewa 4.19.285-2 +- Fixes for bpfilter and usermode helpers +- Add additional build dependencies for container builds * Wed Jun 14 2023 Brennan Lamoreaux 4.19.285-1 - Update to version 4.19.285 * Wed Jun 14 2023 Srish Srinivasan 4.19.283-5 diff --git a/SPECS/linux/linux-esx.spec b/SPECS/linux/linux-esx.spec index 4db9c6803e..4b6f774c8a 100644 --- a/SPECS/linux/linux-esx.spec +++ b/SPECS/linux/linux-esx.spec @@ -3,7 +3,7 @@ Summary: Kernel Name: linux-esx Version: 4.19.285 -Release: 1%{?kat_build:.kat}%{?dist} +Release: 2%{?kat_build:.kat}%{?dist} License: GPLv2 URL: http://www.kernel.org Group: System Environment/Kernel @@ -504,6 +504,17 @@ Patch833: 0003-ptp-ptp_vmw-Add-module-param-to-probe-device-using-h.patch Patch1000: fips-kat-tests.patch %endif +# Usermode helper fixes +Patch1540: 0001-umh-Add-command-line-to-user-mode-helpers.patch +Patch1541: 0002-umh-add-exit-routine-for-UMH-process.patch + +# BPFilter fixes +Patch1545: 0001-net-bpfilter-use-cleanup-callback-to-release-umh_inf.patch +Patch1546: 0002-net-bpfilter-restart-bpfilter_umh-when-error-occurre.patch +Patch1547: 0003-net-bpfilter-disallow-to-remove-bpfilter-module-whil.patch +Patch1548: 0004-net-bpfilter-dont-use-module_init-in-non-modular-cod.patch +Patch1549: 0005-net-bpfilter-fallback-to-netfilter-if-failed-to-load.patch + BuildArch: x86_64 BuildRequires: bc @@ -617,6 +628,12 @@ popd %patch1000 -p1 %endif +# Usermode helper patches +%autopatch -p1 -m1540 -M1541 + +# bpfilter patches +%autopatch -p1 -m1545 -M1549 + %build make mrproper %{?_smp_mflags} cp %{SOURCE1} .config @@ -821,6 +838,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg %{_modulesdir}/extra/.hmac_generator.ko.xz.hmac %changelog +* Tue Jul 18 2023 Naadir Jeewa 4.19.285-2 +- Fixes for bpfilter and usermode helpers +- Add additional build dependencies for container builds * Wed Jun 14 2023 Brennan Lamoreaux 4.19.285-1 - Update to version 4.19.285 * Wed Jun 14 2023 Srish Srinivasan 4.19.283-4 diff --git a/SPECS/linux/linux-rt.spec b/SPECS/linux/linux-rt.spec index 54313685f4..ef7baa448b 100644 --- a/SPECS/linux/linux-rt.spec +++ b/SPECS/linux/linux-rt.spec @@ -3,7 +3,7 @@ Summary: Kernel Name: linux-rt Version: 4.19.285 -Release: 1%{?kat_build:.%kat}%{?dist} +Release: 2%{?kat_build:.%kat}%{?dist} License: GPLv2 URL: http://www.kernel.org Group: System Environment/Kernel @@ -736,6 +736,17 @@ Patch1537: ice-v1.6.4-ice-kcompat.h-Add-support-for-Photon-OS-3.0.patch Patch1538: ice-v1.6.4-ice-Make-ice-driver-honor-default-and-user-defined-I.patch Patch1539: ice-v1.6.4-add-alias-to-modules_install_no_aux.patch +# Usermode helper patches +Patch1540: 0001-umh-Add-command-line-to-user-mode-helpers.patch +Patch1541: 0002-umh-add-exit-routine-for-UMH-process-rt.patch + +# bpfilter patches +Patch1545: 0001-net-bpfilter-use-cleanup-callback-to-release-umh_inf.patch +Patch1546: 0002-net-bpfilter-restart-bpfilter_umh-when-error-occurre.patch +Patch1547: 0003-net-bpfilter-disallow-to-remove-bpfilter-module-whil.patch +Patch1548: 0004-net-bpfilter-dont-use-module_init-in-non-modular-cod.patch +Patch1549: 0005-net-bpfilter-fallback-to-netfilter-if-failed-to-load.patch + BuildArch: x86_64 BuildRequires: bc @@ -990,6 +1001,12 @@ pushd ../ice-%{ice_version_1_6_4} %autopatch -p1 -m1536 -M1539 popd +# Usermode helper patches +%autopatch -p1 -m1540 -M1541 + +# bpfilter patches +%autopatch -p1 -m1545 -M1549 + %build make mrproper %{?_smp_mflags} @@ -1350,6 +1367,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg %{_mandir}/* %changelog +* Tue Jul 18 2023 Naadir Jeewa 4.19.285-2 +- Fixes for bpfilter and usermode helpers +- Add additional build dependencies for container builds * Wed Jun 14 2023 Brennan Lamoreaux 4.19.285-1 - Update to version 4.19.285 * Wed Jun 14 2023 Srish Srinivasan 4.19.283-5 diff --git a/SPECS/linux/linux-secure.spec b/SPECS/linux/linux-secure.spec index ed1d4097df..578e0c6706 100644 --- a/SPECS/linux/linux-secure.spec +++ b/SPECS/linux/linux-secure.spec @@ -3,7 +3,7 @@ Summary: Kernel Name: linux-secure Version: 4.19.285 -Release: 1%{?kat_build:.kat}%{?dist} +Release: 2%{?kat_build:.kat}%{?dist} License: GPLv2 URL: http://www.kernel.org Group: System Environment/Kernel @@ -274,6 +274,17 @@ Patch206: 0001-sched-rt-pick_next_rt_entity-check-list_entry.patch Patch1000: fips-kat-tests.patch %endif +# Usermode helper fixes +Patch1540: 0001-umh-Add-command-line-to-user-mode-helpers.patch +Patch1541: 0002-umh-add-exit-routine-for-UMH-process.patch + +# BPFilter fixes +Patch1545: 0001-net-bpfilter-use-cleanup-callback-to-release-umh_inf.patch +Patch1546: 0002-net-bpfilter-restart-bpfilter_umh-when-error-occurre.patch +Patch1547: 0003-net-bpfilter-disallow-to-remove-bpfilter-module-whil.patch +Patch1548: 0004-net-bpfilter-dont-use-module_init-in-non-modular-cod.patch +Patch1549: 0005-net-bpfilter-fallback-to-netfilter-if-failed-to-load.patch + BuildArch: x86_64 BuildRequires: bc @@ -358,6 +369,12 @@ popd %patch1000 -p1 %endif +# Usermode helper patches +%autopatch -p1 -m1540 -M1541 + +# bpfilter patches +%autopatch -p1 -m1545 -M1549 + %build make mrproper %{?_smp_mflags} cp %{SOURCE1} .config @@ -520,6 +537,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg %{_usrsrc}/linux-headers-%{uname_r} %changelog +* Tue Jul 18 2023 Naadir Jeewa 4.19.285-2 +- Fixes for bpfilter and usermode helpers +- Add additional build dependencies for container builds * Wed Jun 14 2023 Brennan Lamoreaux 4.19.285-1 - Update to version 4.19.285 * Wed Jun 14 2023 Srish Srinivasan 4.19.283-5 diff --git a/SPECS/linux/linux.spec b/SPECS/linux/linux.spec index 95a386348d..0f48806cbb 100644 --- a/SPECS/linux/linux.spec +++ b/SPECS/linux/linux.spec @@ -3,7 +3,7 @@ Summary: Kernel Name: linux Version: 4.19.285 -Release: 1%{?kat_build:.kat}%{?dist} +Release: 2%{?kat_build:.kat}%{?dist} License: GPLv2 URL: http://www.kernel.org Group: System Environment/Kernel @@ -517,6 +517,17 @@ Patch1521: ice-v1.11.14-ice-kcompat.h-Add-support-for-Photon-OS-3.0.patch Patch1522: ice-v1.11.14-don-t-install-auxiliary-module-on-modul.patch %endif +# Usermode helper fixes +Patch1540: 0001-umh-Add-command-line-to-user-mode-helpers.patch +Patch1541: 0002-umh-add-exit-routine-for-UMH-process.patch + +# BPFilter fixes +Patch1545: 0001-net-bpfilter-use-cleanup-callback-to-release-umh_inf.patch +Patch1546: 0002-net-bpfilter-restart-bpfilter_umh-when-error-occurre.patch +Patch1547: 0003-net-bpfilter-disallow-to-remove-bpfilter-module-whil.patch +Patch1548: 0004-net-bpfilter-dont-use-module_init-in-non-modular-cod.patch +Patch1549: 0005-net-bpfilter-fallback-to-netfilter-if-failed-to-load.patch + # Fix for CVE-2021-4204 Patch1550: 0002-bpf-Disallow-unprivileged-bpf-by-default.patch @@ -745,6 +756,12 @@ popd %endif +# Usermode helper patches +%autopatch -p1 -m1540 -M1541 + +# bpfilter patches +%autopatch -p1 -m1545 -M1549 + # CVE Patches %autopatch -p1 -m1550 -M1564 @@ -1135,6 +1152,9 @@ getent group sgx_prv >/dev/null || groupadd -r sgx_prv %endif %changelog +* Tue Jul 18 2023 Naadir Jeewa 4.19.285-2 +- Fixes for bpfilter and usermode helpers +- Add additional build dependencies for container builds * Wed Jun 14 2023 Brennan Lamoreaux 4.19.285-1 - Update to version 4.19.285 * Wed Jun 14 2023 Srish Srinivasan 4.19.283-4