--- /dev/null
+From 69562eb0bd3e6bb8e522a7b254334e0fb30dff0c Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 29 Jun 2023 07:20:44 +0300
+Subject: fanotify: disallow mount/sb marks on kernel internal pseudo fs
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 69562eb0bd3e6bb8e522a7b254334e0fb30dff0c upstream.
+
+Hopefully, nobody is trying to abuse mount/sb marks for watching all
+anonymous pipes/inodes.
+
+I cannot think of a good reason to allow this - it looks like an
+oversight that dated back to the original fanotify API.
+
+Link: https://lore.kernel.org/linux-fsdevel/20230628101132.kvchg544mczxv2pm@quack3/
+Fixes: 0ff21db9fcc3 ("fanotify: hooks the fanotify_mark syscall to the vfsmount code")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-Id: <20230629042044.25723-1-amir73il@gmail.com>
+[backport to 5.x.y]
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/fanotify/fanotify_user.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -1337,8 +1337,11 @@ static int fanotify_test_fid(struct path
+ return 0;
+ }
+
+-static int fanotify_events_supported(struct path *path, __u64 mask)
++static int fanotify_events_supported(struct path *path, __u64 mask,
++ unsigned int flags)
+ {
++ unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS;
++
+ /*
+ * Some filesystems such as 'proc' acquire unusual locks when opening
+ * files. For them fanotify permission events have high chances of
+@@ -1350,6 +1353,21 @@ static int fanotify_events_supported(str
+ if (mask & FANOTIFY_PERM_EVENTS &&
+ path->mnt->mnt_sb->s_type->fs_flags & FS_DISALLOW_NOTIFY_PERM)
+ return -EINVAL;
++
++ /*
++ * mount and sb marks are not allowed on kernel internal pseudo fs,
++ * like pipe_mnt, because that would subscribe to events on all the
++ * anonynous pipes in the system.
++ *
++ * SB_NOUSER covers all of the internal pseudo fs whose objects are not
++ * exposed to user's mount namespace, but there are other SB_KERNMOUNT
++ * fs, like nsfs, debugfs, for which the value of allowing sb and mount
++ * mark is questionable. For now we leave them alone.
++ */
++ if (mark_type != FAN_MARK_INODE &&
++ path->mnt->mnt_sb->s_flags & SB_NOUSER)
++ return -EINVAL;
++
+ return 0;
+ }
+
+@@ -1476,7 +1494,7 @@ static int do_fanotify_mark(int fanotify
+ goto fput_and_out;
+
+ if (flags & FAN_MARK_ADD) {
+- ret = fanotify_events_supported(&path, mask);
++ ret = fanotify_events_supported(&path, mask, flags);
+ if (ret)
+ goto path_put_and_out;
+ }
--- /dev/null
+From 3e70489721b6c870252c9082c496703677240f53 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 26 Jun 2023 00:42:18 +0200
+Subject: netfilter: nf_tables: unbind non-anonymous set if rule construction fails
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 3e70489721b6c870252c9082c496703677240f53 upstream.
+
+Otherwise a dangling reference to a rule object that is gone remains
+in the set binding list.
+
+Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5042,6 +5042,8 @@ void nf_tables_deactivate_set(const stru
+ nft_set_trans_unbind(ctx, set);
+ if (nft_set_is_anonymous(set))
+ nft_deactivate_next(ctx->net, set);
++ else
++ list_del_rcu(&binding->list);
+
+ set->use--;
+ break;
--- /dev/null
+From f4e19e595cc2e76a8a58413eb19d3d9c51328b53 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Tue, 16 May 2023 22:16:19 +0800
+Subject: ovl: fix null pointer dereference in ovl_get_acl_rcu()
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+commit f4e19e595cc2e76a8a58413eb19d3d9c51328b53 upstream.
+
+Following process:
+ P1 P2
+ path_openat
+ link_path_walk
+ may_lookup
+ inode_permission(rcu)
+ ovl_permission
+ acl_permission_check
+ check_acl
+ get_cached_acl_rcu
+ ovl_get_inode_acl
+ realinode = ovl_inode_real(ovl_inode)
+ drop_cache
+ __dentry_kill(ovl_dentry)
+ iput(ovl_inode)
+ ovl_destroy_inode(ovl_inode)
+ dput(oi->__upperdentry)
+ dentry_kill(upperdentry)
+ dentry_unlink_inode
+ upperdentry->d_inode = NULL
+ ovl_inode_upper
+ upperdentry = ovl_i_dentry_upper(ovl_inode)
+ d_inode(upperdentry) // returns NULL
+ IS_POSIXACL(realinode) // NULL pointer dereference
+, will trigger an null pointer dereference at realinode:
+ [ 205.472797] BUG: kernel NULL pointer dereference, address:
+ 0000000000000028
+ [ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted
+ 6.3.0-12064-g2edfa098e750-dirty #1216
+ [ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300
+ [ 205.489584] Call Trace:
+ [ 205.489812] <TASK>
+ [ 205.490014] ovl_get_inode_acl+0x26/0x30
+ [ 205.490466] get_cached_acl_rcu+0x61/0xa0
+ [ 205.490908] generic_permission+0x1bf/0x4e0
+ [ 205.491447] ovl_permission+0x79/0x1b0
+ [ 205.491917] inode_permission+0x15e/0x2c0
+ [ 205.492425] link_path_walk+0x115/0x550
+ [ 205.493311] path_lookupat.isra.0+0xb2/0x200
+ [ 205.493803] filename_lookup+0xda/0x240
+ [ 205.495747] vfs_fstatat+0x7b/0xb0
+
+Fetch a reproducer in [Link].
+
+Use the helper ovl_i_path_realinode() to get realinode and then do
+non-nullptr checking.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217404
+Fixes: 332f606b32b6 ("ovl: enable RCU'd ->get_acl()")
+Cc: <stable@vger.kernel.org> # v5.15
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Suggested-by: Christian Brauner <brauner@kernel.org>
+Suggested-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/inode.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -453,7 +453,15 @@ struct posix_acl *ovl_get_acl(struct ino
+ const struct cred *old_cred;
+ struct posix_acl *acl;
+
+- if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !IS_POSIXACL(realinode))
++ if (!IS_ENABLED(CONFIG_FS_POSIX_ACL))
++ return NULL;
++
++ if (!realinode) {
++ WARN_ON(!rcu);
++ return ERR_PTR(-ECHILD);
++ }
++
++ if (!IS_POSIXACL(realinode))
+ return NULL;
+
+ if (rcu)
arm-orion5x-fix-d2net-gpio-initialization.patch
leds-trigger-netdev-recheck-netdev_led_mode_linkup-on-dev-rename.patch
fs-no-need-to-check-source.patch
+ovl-fix-null-pointer-dereference-in-ovl_get_acl_rcu.patch
+fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch
+netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
