6.1-stable patches

added patches:
	fanotify-fix-false-positive-on-permission-events.patch
	net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch

diff --git a/queue-6.1/fanotify-fix-false-positive-on-permission-events.patch b/queue-6.1/fanotify-fix-false-positive-on-permission-events.patch
new file mode 100644 (file)
index 0000000..b4d39b1
--- /dev/null
+++ b/queue-6.1/fanotify-fix-false-positive-on-permission-events.patch
@@ -0,0 +1,86 @@
+From 7746e3bd4cc19b5092e00d32d676e329bfcb6900 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 10 Apr 2026 16:49:47 +0200
+Subject: fanotify: fix false positive on permission events
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 7746e3bd4cc19b5092e00d32d676e329bfcb6900 upstream.
+
+fsnotify_get_mark_safe() may return false for a mark on an unrelated group,
+which results in bypassing the permission check.
+
+Fix by skipping over detached marks that are not in the current group.
+
+CC: stable@vger.kernel.org
+Fixes: abc77577a669 ("fsnotify: Provide framework for dropping SRCU lock in ->handle_event")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Link: https://patch.msgid.link/20260410144950.156160-1-mszeredi@redhat.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/fsnotify.c             |    2 +-
+ fs/notify/mark.c                 |   18 +++++++++++-------
+ include/linux/fsnotify_backend.h |    1 +
+ 3 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/fs/notify/fsnotify.c
++++ b/fs/notify/fsnotify.c
+@@ -398,7 +398,7 @@ static struct fsnotify_mark *fsnotify_fi
+       return hlist_entry_safe(node, struct fsnotify_mark, obj_list);
+ }
+ 
+-static struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark)
++struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark)
+ {
+       struct hlist_node *node = NULL;
+ 
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -380,9 +380,6 @@ EXPORT_SYMBOL_GPL(fsnotify_put_mark);
+  */
+ static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark)
+ {
+-      if (!mark)
+-              return true;
+-
+       if (refcount_inc_not_zero(&mark->refcnt)) {
+               spin_lock(&mark->lock);
+               if (mark->flags & FSNOTIFY_MARK_FLAG_ATTACHED) {
+@@ -423,15 +420,22 @@ bool fsnotify_prepare_user_wait(struct f
+       int type;
+ 
+       fsnotify_foreach_iter_type(type) {
++              struct fsnotify_mark *mark = iter_info->marks[type];
++
+               /* This can fail if mark is being removed */
+-              if (!fsnotify_get_mark_safe(iter_info->marks[type])) {
+-                      __release(&fsnotify_mark_srcu);
+-                      goto fail;
++              while (mark && !fsnotify_get_mark_safe(mark)) {
++                      if (mark->group == iter_info->current_group) {
++                              __release(&fsnotify_mark_srcu);
++                              goto fail;
++                      }
++                      /* This is a mark in an unrelated group, skip */
++                      mark = fsnotify_next_mark(mark);
++                      iter_info->marks[type] = mark;
+               }
+       }
+ 
+       /*
+-       * Now that both marks are pinned by refcount in the inode / vfsmount
++       * Now that all marks are pinned by refcount in the inode / vfsmount / etc
+        * lists, we can drop SRCU lock, and safely resume the list iteration
+        * once userspace returns.
+        */
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -820,6 +820,7 @@ static inline void fsnotify_clear_sb_mar
+ }
+ extern void fsnotify_get_mark(struct fsnotify_mark *mark);
+ extern void fsnotify_put_mark(struct fsnotify_mark *mark);
++struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark);
+ extern void fsnotify_finish_user_wait(struct fsnotify_iter_info *iter_info);
+ extern bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info);
+ 

diff --git a/queue-6.1/net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch b/queue-6.1/net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch
new file mode 100644 (file)
index 0000000..b4aeb8c
--- /dev/null
+++ b/queue-6.1/net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch
@@ -0,0 +1,74 @@
+From 4b9e327991815e128ad3af75c3a04630a63ce3e0 Mon Sep 17 00:00:00 2001
+From: Kai Zen <kai.aizen.dev@gmail.com>
+Date: Thu, 30 Apr 2026 18:26:48 +0300
+Subject: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
+
+From: Kai Zen <kai.aizen.dev@gmail.com>
+
+commit 4b9e327991815e128ad3af75c3a04630a63ce3e0 upstream.
+
+rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack
+without initialisation:
+
+       struct ifla_vf_broadcast vf_broadcast;
+
+The struct contains a single fixed 32-byte field:
+
+       /* include/uapi/linux/if_link.h */
+       struct ifla_vf_broadcast {
+               __u8 broadcast[32];
+       };
+
+The function then copies dev->broadcast into it using dev->addr_len
+as the length:
+
+       memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);
+
+On Ethernet devices (the overwhelming majority of SR-IOV NICs)
+dev->addr_len is 6, so only the first 6 bytes of broadcast[] are
+written. The remaining 26 bytes retain whatever was previously on
+the kernel stack. The full struct is then handed to userspace via:
+
+       nla_put(skb, IFLA_VF_BROADCAST,
+               sizeof(vf_broadcast), &vf_broadcast)
+
+leaking up to 26 bytes of uninitialised kernel stack per VF per
+RTM_GETLINK request, repeatable.
+
+The other vf_* structs in the same function are explicitly zeroed
+for exactly this reason - see the memset() calls for ivi,
+vf_vlan_info, node_guid and port_guid a few lines above.
+vf_broadcast was simply missed when it was added.
+
+Reachability: any unprivileged local process can open AF_NETLINK /
+NETLINK_ROUTE without capabilities and send RTM_GETLINK with an
+IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks
+each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per
+VF per request. Stack residue at this call site can include return
+addresses and transient sensitive data; KASAN with stack
+instrumentation, or KMSAN, will flag the nla_put() when reproduced.
+
+Zero the on-stack struct before the partial memcpy, matching the
+existing pattern used for the other vf_* structs in the same
+function.
+
+Fixes: 75345f888f70 ("ipoib: show VF broadcast address")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai Zen <kai.aizen.dev@gmail.com>
+Link: https://patch.msgid.link/3c506e8f936e52b57620269b55c348af05d413a2.1777557228.git.kai.aizen.dev@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1346,6 +1346,7 @@ static noinline_for_stack int rtnl_fill_
+               port_guid.vf = ivi.vf;
+ 
+       memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac));
++      memset(&vf_broadcast, 0, sizeof(vf_broadcast));
+       memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);
+       vf_vlan.vlan = ivi.vlan;
+       vf_vlan.qos = ivi.qos;

diff --git a/queue-6.1/series b/queue-6.1/series
index 7f5206e191418ce844c9696d60c1abb975003cd6..615ed0dce21722144000cffbb9f10eb5583225d8 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -323,3 +323,5 @@ bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
 bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
 spi-zynqmp-gqspi-fix-controller-deregistration.patch
 staging-vme_user-fix-root-device-leak-on-init-failure.patch
+fanotify-fix-false-positive-on-permission-events.patch
+net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch