From: Greg Kroah-Hartman Date: Tue, 12 May 2026 13:28:22 +0000 (+0200) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb10a453edf1b86a5ef340dccaddb60c9bb38dcd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: fanotify-fix-false-positive-on-permission-events.patch net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch --- diff --git a/queue-5.10/fanotify-fix-false-positive-on-permission-events.patch b/queue-5.10/fanotify-fix-false-positive-on-permission-events.patch new file mode 100644 index 0000000000..b4d39b16f9 --- /dev/null +++ b/queue-5.10/fanotify-fix-false-positive-on-permission-events.patch @@ -0,0 +1,86 @@ +From 7746e3bd4cc19b5092e00d32d676e329bfcb6900 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 10 Apr 2026 16:49:47 +0200 +Subject: fanotify: fix false positive on permission events + +From: Miklos Szeredi + +commit 7746e3bd4cc19b5092e00d32d676e329bfcb6900 upstream. + +fsnotify_get_mark_safe() may return false for a mark on an unrelated group, +which results in bypassing the permission check. + +Fix by skipping over detached marks that are not in the current group. + +CC: stable@vger.kernel.org +Fixes: abc77577a669 ("fsnotify: Provide framework for dropping SRCU lock in ->handle_event") +Signed-off-by: Miklos Szeredi +Link: https://patch.msgid.link/20260410144950.156160-1-mszeredi@redhat.com +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fsnotify.c | 2 +- + fs/notify/mark.c | 18 +++++++++++------- + include/linux/fsnotify_backend.h | 1 + + 3 files changed, 13 insertions(+), 8 deletions(-) + +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -398,7 +398,7 @@ static struct fsnotify_mark *fsnotify_fi + return hlist_entry_safe(node, struct fsnotify_mark, obj_list); + } + +-static struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark) ++struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark) + { + struct hlist_node *node = NULL; + +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -380,9 +380,6 @@ EXPORT_SYMBOL_GPL(fsnotify_put_mark); + */ + static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark) + { +- if (!mark) +- return true; +- + if (refcount_inc_not_zero(&mark->refcnt)) { + spin_lock(&mark->lock); + if (mark->flags & FSNOTIFY_MARK_FLAG_ATTACHED) { +@@ -423,15 +420,22 @@ bool fsnotify_prepare_user_wait(struct f + int type; + + fsnotify_foreach_iter_type(type) { ++ struct fsnotify_mark *mark = iter_info->marks[type]; ++ + /* This can fail if mark is being removed */ +- if (!fsnotify_get_mark_safe(iter_info->marks[type])) { +- __release(&fsnotify_mark_srcu); +- goto fail; ++ while (mark && !fsnotify_get_mark_safe(mark)) { ++ if (mark->group == iter_info->current_group) { ++ __release(&fsnotify_mark_srcu); ++ goto fail; ++ } ++ /* This is a mark in an unrelated group, skip */ ++ mark = fsnotify_next_mark(mark); ++ iter_info->marks[type] = mark; + } + } + + /* +- * Now that both marks are pinned by refcount in the inode / vfsmount ++ * Now that all marks are pinned by refcount in the inode / vfsmount / etc + * lists, we can drop SRCU lock, and safely resume the list iteration + * once userspace returns. + */ +--- a/include/linux/fsnotify_backend.h ++++ b/include/linux/fsnotify_backend.h +@@ -820,6 +820,7 @@ static inline void fsnotify_clear_sb_mar + } + extern void fsnotify_get_mark(struct fsnotify_mark *mark); + extern void fsnotify_put_mark(struct fsnotify_mark *mark); ++struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark); + extern void fsnotify_finish_user_wait(struct fsnotify_iter_info *iter_info); + extern bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info); + diff --git a/queue-5.10/net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch b/queue-5.10/net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch new file mode 100644 index 0000000000..559d575c76 --- /dev/null +++ b/queue-5.10/net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch @@ -0,0 +1,74 @@ +From 4b9e327991815e128ad3af75c3a04630a63ce3e0 Mon Sep 17 00:00:00 2001 +From: Kai Zen +Date: Thu, 30 Apr 2026 18:26:48 +0300 +Subject: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo + +From: Kai Zen + +commit 4b9e327991815e128ad3af75c3a04630a63ce3e0 upstream. + +rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack +without initialisation: + + struct ifla_vf_broadcast vf_broadcast; + +The struct contains a single fixed 32-byte field: + + /* include/uapi/linux/if_link.h */ + struct ifla_vf_broadcast { + __u8 broadcast[32]; + }; + +The function then copies dev->broadcast into it using dev->addr_len +as the length: + + memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); + +On Ethernet devices (the overwhelming majority of SR-IOV NICs) +dev->addr_len is 6, so only the first 6 bytes of broadcast[] are +written. The remaining 26 bytes retain whatever was previously on +the kernel stack. The full struct is then handed to userspace via: + + nla_put(skb, IFLA_VF_BROADCAST, + sizeof(vf_broadcast), &vf_broadcast) + +leaking up to 26 bytes of uninitialised kernel stack per VF per +RTM_GETLINK request, repeatable. + +The other vf_* structs in the same function are explicitly zeroed +for exactly this reason - see the memset() calls for ivi, +vf_vlan_info, node_guid and port_guid a few lines above. +vf_broadcast was simply missed when it was added. + +Reachability: any unprivileged local process can open AF_NETLINK / +NETLINK_ROUTE without capabilities and send RTM_GETLINK with an +IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks +each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per +VF per request. Stack residue at this call site can include return +addresses and transient sensitive data; KASAN with stack +instrumentation, or KMSAN, will flag the nla_put() when reproduced. + +Zero the on-stack struct before the partial memcpy, matching the +existing pattern used for the other vf_* structs in the same +function. + +Fixes: 75345f888f70 ("ipoib: show VF broadcast address") +Cc: stable@vger.kernel.org +Signed-off-by: Kai Zen +Link: https://patch.msgid.link/3c506e8f936e52b57620269b55c348af05d413a2.1777557228.git.kai.aizen.dev@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1287,6 +1287,7 @@ static noinline_for_stack int rtnl_fill_ + port_guid.vf = ivi.vf; + + memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac)); ++ memset(&vf_broadcast, 0, sizeof(vf_broadcast)); + memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); + vf_vlan.vlan = ivi.vlan; + vf_vlan.qos = ivi.qos; diff --git a/queue-5.10/series b/queue-5.10/series index d64d91a98c..daa02dc301 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -238,3 +238,5 @@ ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch spi-zynqmp-gqspi-fix-controller-deregistration.patch +fanotify-fix-false-positive-on-permission-events.patch +net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch