diff --git a/blacklist.conf b/blacklist.conf
index 99d81b4..6e0a91a 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -472,7 +472,6 @@ f7b16f51753a845b08e977184fb0b76b145ae0ba # clk:ti: reverting the above in 5.15.y
 3de360c3fdb34fbdbaf6da3af94367d3fded95d3 # kABI break for no reason
 2a735e4b5580a2a6bbd6572109b4c4f163c57462 # this requires 33fb697ec7e58c4f9b6a68d2786441189cd2df92, which is extremely risky
 c530a3c716b963625e43aa915e0de6b4d1ce8ad9 # PSI unused, see bsc#1204751
-4534dee941056a4ab9dca4a9e2edff28692800b2 # unimportant, scsi/appid must be set by privileged user anyway
 5ec9c514d4a0e1749781c4c61485f9a69c212716 # already applied
 d351c90ce248601ce34fbc5ac817e3362b441b55 # already applied
 fdabc3f10e774ddc86ba715b9bc0c861d7e0834c # ASoC:wm8997: reverted in below
diff --git a/patches.suse/cgroup-cgroup-Honor-caller-s-cgroup-NS-when-resolving-cgroup-id.patch b/patches.suse/cgroup-cgroup-Honor-caller-s-cgroup-NS-when-resolving-cgroup-id.patch
new file mode 100644
index 0000000..9d7e1a7
--- /dev/null
+++ b/patches.suse/cgroup-cgroup-Honor-caller-s-cgroup-NS-when-resolving-cgroup-id.patch
@@ -0,0 +1,69 @@
+From: =?utf-8?b?TWljaGFsIEtvdXRuw70gPG1rb3V0bnlAc3VzZS5jb20+?=
+Date: Fri, 26 Aug 2022 18:52:36 +0200
+Subject: cgroup: cgroup: Honor caller's cgroup NS when resolving cgroup id
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 4534dee941056a4ab9dca4a9e2edff28692800b2
+Patch-mainline: v6.1-rc1
+References: bsc#1205650
+
+Cgroup ids are resolved in the global scope. That may be needed sometime
+(in future) but currently it violates virtual view provided through
+cgroup namespaces.
+
+There are currently following users of the resolution:
+- fc_appid_store
+- bpf_iter_attach_cgroup
+- mem_cgroup_get_from_ino
+
+None of the is a called on behalf of kernel but the resolution is made
+with proper userspace context, hence the default to current->nsproxy
+makes sens. (This doesn't rule out cgroup_get_from_id with cgroup NS
+parameter in the future.)
+
+Since cgroup ids are defined on v2 hierarchy only, we simply check
+existence in the cgroup namespace by looking at ancestry on the default
+hierarchy.
+
+Fixes: 6b658c4863c1 ("scsi: cgroup: Add cgroup_get_from_id()")
+Signed-off-by: Michal Koutný
+Signed-off-by: Tejun Heo
+---
+ kernel/cgroup/cgroup.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -6003,11 +6003,12 @@ void cgroup_path_from_kernfs_id(u64 id,
+ * cgroup_get_from_id : get the cgroup associated with cgroup id
+ * @id: cgroup id
+ * On success return the cgrp, on failure return NULL
++ * Only cgroups within current task's cgroup NS are valid.
+ */
+ struct cgroup *cgroup_get_from_id(u64 id)
+ {
+ struct kernfs_node *kn;
+- struct cgroup *cgrp = NULL;
++ struct cgroup *cgrp = NULL, *root_cgrp;
+
+ kn = kernfs_find_and_get_node_by_id(cgrp_dfl_root.kf_root, id);
+ if (!kn)
+@@ -6025,6 +6026,17 @@ struct cgroup *cgroup_get_from_id(u64 id
+ rcu_read_unlock();
+ put:
+ kernfs_put(kn);
++
++ if (!cgrp)
++ goto out;
++
++ spin_lock_irq(&css_set_lock);
++ root_cgrp = current_cgns_cgroup_from_root(&cgrp_dfl_root);
++ spin_unlock_irq(&css_set_lock);
++ if (!cgroup_is_descendant(cgrp, root_cgrp)) {
++ cgroup_put(cgrp);
++ cgrp = NULL;
++ }
+ out:
+ return cgrp;
+ }
diff --git a/series.conf b/series.conf
index 6198100..6dc2ae9 100644
--- a/series.conf
+++ b/series.conf
@@ -16707,6 +16707,7 @@
 patches.suse/perf-x86-uncore-Add-new-Raptor-Lake-S-support.patch
 patches.suse/locking-rwsem-Disable-preemption-while-trying-for-rw.patch
 patches.suse/cgroup-Honor-caller-s-cgroup-NS-when-resolving-path.patch
+ patches.suse/cgroup-cgroup-Honor-caller-s-cgroup-NS-when-resolving-cgroup-id.patch
 patches.suse/cgroup-cpuset-Enable-update_tasks_cpumask-on-top_cpuset.patch
 patches.suse/livepatch-fix-race-between-fork-and-KLP-transition.patch
 patches.suse/livepatch-Add-a-missing-newline-character-in-klp_mod.patch
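Review bot: The namespace check added after `put:` in cgroup_get_from_id() (second inner hunk of the new cgroup patch) takes css_set_lock with `spin_lock_irq()`/`spin_unlock_irq()`, which re-enables interrupts unconditionally, and resolves the root through `current`, so the function now silently depends on being called from process context with interrupts enabled. The kernel-doc only gains the namespace sentence; it should also record that constraint, e.g. ` * Must be called from process context with IRQs enabled; the id is resolved relative to current's cgroup namespace.` The commit message names fc_appid_store, bpf_iter_attach_cgroup and mem_cgroup_get_from_ino as the upstream callers, so for this backport it is worth confirming that the target tree has no further caller in atomic context, and that `current_cgns_cgroup_from_root()` is provided by an earlier series entry (presumably the resolving-path patch listed just before this one). The part of the function body between the two inner hunks is not visible here, so the reference handling ahead of `put:` is taken as unchanged.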