Unnamed repository; edit this file 'description' to name the repository. https://git.kobert.dev/pm24.git/atom?h=v5.1 2019-04-28T20:14:50Z 2019-04-28T20:14:50Z Jan Kara jack@suse.cz 2019-04-24T16:39:57Z urn:sha1:b1da6a51871c6929dced1a7fad81990988b36ed6 fanotify_get_fsid() is reading mark->connector->fsid under srcu. It can happen that it sees mark not fully initialized or mark that is already detached from the object list. In these cases mark->connector can be NULL leading to NULL ptr dereference. Fix the problem by being careful when reading mark->connector and check it for being NULL. Also use WRITE_ONCE when writing the mark just to prevent compiler from doing something stupid. Reported-by: syzbot+15927486a4f1bfcbaf91@syzkaller.appspotmail.com Fixes: 77115225acc6 ("fanotify: cache fsid in fsnotify_mark_connector") Signed-off-by: Jan Kara <jack@suse.cz> 2019-03-19T08:29:07Z Jan Kara jack@suse.cz 2019-03-12T11:42:37Z urn:sha1:b2d22b6bb33aac10c415e4ba13c8eade201c6f09 When file handle is embedded inside fanotify_event and usercopy checks are enabled, we get a warning like: Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLAB object 'fanotify_event' (offset 40, size 8)! WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110 mm/usercopy.c:78 Annotate handling in fanotify_event properly to mark copying it to userspace is fine. Reported-by: syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com Fixes: a8b13aa20afb ("fanotify: enable FAN_REPORT_FID init flag") Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> 2019-03-11T09:13:17Z ZhangXiaoxu zhangxiaoxu5@huawei.com 2019-03-02T01:17:32Z urn:sha1:62c9d2674b31d4c8a674bee86b7edc6da2803aea Commit 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for inotify_add_watch()") forgot to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark() Fixes: 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for inotify_add_watch()") Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com> Signed-off-by: Jan Kara <jack@suse.cz> 2019-02-21T10:47:23Z Jan Kara jack@suse.cz 2019-02-21T10:47:23Z urn:sha1:b51905798195eeb427c873643b3ada0d7bd991a7 Making waits for response to fanotify permission events interruptible can result in EINTR returns from open(2) or other syscalls when there's e.g. AV software that's monitoring the file. Orion reports that e.g. bash is complaining like: bash: /etc/bash_completion.d/itweb-settings.bash: Interrupted system call So for now convert the wait from interruptible to only killable one. That is mostly invisible to userspace. Sadly this breaks hibernation with fanotify permission events pending again but we have to put more thought into how to fix this without regressing userspace visible behavior. Reported-by: Orion Poplawski <orion@nwra.com> Signed-off-by: Jan Kara <jack@suse.cz> 2019-02-18T11:41:16Z Jan Kara jack@suse.cz 2019-01-08T14:18:02Z urn:sha1:fabf7f29b3e2ce5ed9741bf06f3583cd7e82ed1c When waiting for response to fanotify permission events, we currently use uninterruptible waits. That makes code simple however it can cause lots of processes to end up in uninterruptible sleep with hard reboot being the only alternative in case fanotify listener process stops responding (e.g. due to a bug in its implementation). Uninterruptible sleep also makes system hibernation fail if the listener gets frozen before the process generating fanotify permission event. Fix these problems by using interruptible sleep for waiting for response to fanotify event. This is slightly tricky though - we have to detect when the event got already reported to userspace as in that case we must not free the event. Instead we push the responsibility for freeing the event to the process that will write response to the event. Reported-by: Orion Poplawski <orion@nwra.com> Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> 2019-02-18T11:41:16Z Jan Kara jack@suse.cz 2019-01-08T13:02:44Z urn:sha1:40873284d7106fc0f0f4d2deae74b38fb18342cc Track whether permission event got already reported to userspace and whether userspace already answered to the permission event. Protect stores to this field together with updates to ->response field by group->notification_lock. This will allow aborting wait for reply to permission event from userspace. Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> 2019-02-18T11:41:16Z Jan Kara jack@suse.cz 2019-01-09T12:21:01Z urn:sha1:ca6f86998d810d4a9fe172bf4cb6d3353636881f Simplify iteration cleaning access_list in fanotify_release(). That will make following changes more obvious. Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> 2019-02-18T11:41:16Z Jan Kara jack@suse.cz 2019-01-09T12:15:23Z urn:sha1:f7db89accc9c51d8f765d79b8e9557cc623ec20e Create function to remove event from the notification list. Later it will be used from more places. Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> 2019-02-18T11:40:46Z Jan Kara jack@suse.cz 2019-01-08T12:52:31Z urn:sha1:8c5544666c9d88046bfd60aa7d5fea5c6d3d59bd get_one_event() has a single caller and that just locks notification_lock around the call. Move locking inside get_one_event() as that will make using ->response field for permission event state easier. Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> 2019-02-18T10:49:36Z Jan Kara jack@suse.cz 2019-01-08T12:28:18Z urn:sha1:af6a51130626bfd3e60041d80335b2c31590d56d Fold dequeue_event() into process_access_response(). This will make changes to use of ->response field easier. Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>