bump version to 5.13.19-11

backport linux-5.15.y stable tree commit 114e9f141822e697
"lib/iov_iter: initialize "flags" in new pipe_buffer"

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/Makefile b/Makefile
index 6f85e9740b092805509db0d216fcf82031a86c64..ac8c784ddaaf983d89040f23f675f722d5b2cea9 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@ KERNEL_PATCHLEVEL=19
 # rebuild packages with new KREL and run 'make abiupdate'
 KREL=5
 
-PKGREL=10
+PKGREL=11
 
 KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
 KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)

diff --git a/debian/changelog b/debian/changelog
index ab066f29c728262c5bd393794482eefdfe94ef4c..151645055605ddea9e19df41735c9b58004cde8f 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+pve-kernel (5.13.19-11) bullseye; urgency=medium
+
+  * backport "lib/iov_iter: initialize "flags" in new pipe_buffer" fixing
+    CVE-2022-0847 "dirty pipe"
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 07 Mar 2022 13:28:22 +0100
+
 pve-kernel (5.13.19-10) bullseye; urgency=medium
 
   * update to Ubuntu-5.13.0-31.34

diff --git a/patches/kernel/0010-lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch b/patches/kernel/0010-lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch
new file mode 100644 (file)
index 0000000..4c1755a
--- /dev/null
+++ b/patches/kernel/0010-lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch
@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@ionos.com>
+Date: Mon, 21 Feb 2022 11:03:13 +0100
+Subject: [PATCH] lib/iov_iter: initialize "flags" in new pipe_buffer
+
+commit 9d2231c5d74e13b2a0546fee6737ee4446017903 upstream.
+
+The functions copy_page_to_iter_pipe() and push_pipe() can both
+allocate a new pipe_buffer, but the "flags" member initializer is
+missing.
+
+Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed")
+To: Alexander Viro <viro@zeniv.linux.org.uk>
+To: linux-fsdevel@vger.kernel.org
+To: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ lib/iov_iter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index 9ffa7dc197be..fa5827e2e9a3 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -449,6 +449,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by
+               return 0;
+ 
+       buf->ops = &page_cache_pipe_buf_ops;
++      buf->flags = 0;
+       get_page(page);
+       buf->page = page;
+       buf->offset = offset;
+@@ -564,6 +565,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size,
+                       break;
+ 
+               buf->ops = &default_pipe_buf_ops;
++              buf->flags = 0;
+               buf->page = page;
+               buf->offset = 0;
+               buf->len = min_t(ssize_t, left, PAGE_SIZE);