<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/overlayfs, branch linux-6.10.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ovl: fail if trusted xattrs are needed but caller lacks permission</title>
<updated>2024-10-10T10:00:47+00:00</updated>
<author>
<name>Mike Baynton</name>
<email>mike@mbaynton.com</email>
</author>
<published>2024-07-11T03:52:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cea4f54ad41143ba65bb1878eb8f82d2e11f4818'/>
<id>cea4f54ad41143ba65bb1878eb8f82d2e11f4818</id>
<content type='text'>
commit 6c4a5f96450415735c31ed70ff354f0ee5cbf67b upstream.

Some overlayfs features require permission to read/write trusted.*
xattrs. These include redirect_dir, verity, metacopy, and data-only
layers. This patch adds additional validations at mount time to stop
overlays from mounting in certain cases where the resulting mount would
not function according to the user's expectations because they lack
permission to access trusted.* xattrs (for example, not global root.)

Similar checks in ovl_make_workdir() that disable features instead of
failing are still relevant and used in cases where the resulting mount
can still work "reasonably well." Generally, if the feature was enabled
through kernel config or module option, any mount that worked before
will still work the same; this applies to redirect_dir and metacopy. The
user must explicitly request these features in order to generate a mount
failure. Verity and data-only layers on the other hand must be explictly
requested and have no "reasonable" disabled or degraded alternative, so
mounts attempting either always fail.

"lower data-only dirs require metacopy support" moved down in case
userxattr is set, which disables metacopy.

Cc: stable@vger.kernel.org # v6.6+
Signed-off-by: Mike Baynton &lt;mike@mbaynton.com&gt;
Signed-off-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6c4a5f96450415735c31ed70ff354f0ee5cbf67b upstream.

Some overlayfs features require permission to read/write trusted.*
xattrs. These include redirect_dir, verity, metacopy, and data-only
layers. This patch adds additional validations at mount time to stop
overlays from mounting in certain cases where the resulting mount would
not function according to the user's expectations because they lack
permission to access trusted.* xattrs (for example, not global root.)

Similar checks in ovl_make_workdir() that disable features instead of
failing are still relevant and used in cases where the resulting mount
can still work "reasonably well." Generally, if the feature was enabled
through kernel config or module option, any mount that worked before
will still work the same; this applies to redirect_dir and metacopy. The
user must explicitly request these features in order to generate a mount
failure. Verity and data-only layers on the other hand must be explictly
requested and have no "reasonable" disabled or degraded alternative, so
mounts attempting either always fail.

"lower data-only dirs require metacopy support" moved down in case
userxattr is set, which disables metacopy.

Cc: stable@vger.kernel.org # v6.6+
Signed-off-by: Mike Baynton &lt;mike@mbaynton.com&gt;
Signed-off-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovl: fsync after metadata copy-up</title>
<updated>2024-10-10T10:00:38+00:00</updated>
<author>
<name>Amir Goldstein</name>
<email>amir73il@gmail.com</email>
</author>
<published>2024-08-29T15:51:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=df590bff84b9e101353e2989a3263629c6c00c95'/>
<id>df590bff84b9e101353e2989a3263629c6c00c95</id>
<content type='text'>
[ Upstream commit 7d6899fb69d25e1bc6f4700b7c1d92e6b608593d ]

For upper filesystems which do not use strict ordering of persisting
metadata changes (e.g. ubifs), when overlayfs file is modified for
the first time, copy up will create a copy of the lower file and
its parent directories in the upper layer. Permission lost of the
new upper parent directory was observed during power-cut stress test.

Fix by moving the fsync call to after metadata copy to make sure that the
metadata copied up directory and files persists to disk before renaming
from tmp to final destination.

With metacopy enabled, this change will hurt performance of workloads
such as chown -R, so we keep the legacy behavior of fsync only on copyup
of data.

Link: https://lore.kernel.org/linux-unionfs/CAOQ4uxj-pOvmw1-uXR3qVdqtLjSkwcR9nVKcNU_vC10Zyf2miQ@mail.gmail.com/
Reported-and-tested-by: Fei Lv &lt;feilv@asrmicro.com&gt;
Signed-off-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 7d6899fb69d25e1bc6f4700b7c1d92e6b608593d ]

For upper filesystems which do not use strict ordering of persisting
metadata changes (e.g. ubifs), when overlayfs file is modified for
the first time, copy up will create a copy of the lower file and
its parent directories in the upper layer. Permission lost of the
new upper parent directory was observed during power-cut stress test.

Fix by moving the fsync call to after metadata copy to make sure that the
metadata copied up directory and files persists to disk before renaming
from tmp to final destination.

With metacopy enabled, this change will hurt performance of workloads
such as chown -R, so we keep the legacy behavior of fsync only on copyup
of data.

Link: https://lore.kernel.org/linux-unionfs/CAOQ4uxj-pOvmw1-uXR3qVdqtLjSkwcR9nVKcNU_vC10Zyf2miQ@mail.gmail.com/
Reported-and-tested-by: Fei Lv &lt;feilv@asrmicro.com&gt;
Signed-off-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovl: fix encoding fid for lower only root</title>
<updated>2024-06-14T08:30:40+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2024-06-14T07:55:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=004b8d1491b4bcbb7da1a3206d1e7e66822d47c6'/>
<id>004b8d1491b4bcbb7da1a3206d1e7e66822d47c6</id>
<content type='text'>
ovl_check_encode_origin() should return a positive number if the lower
dentry is to be encoded, zero otherwise.  If there's no upper layer at all
(read-only overlay), then it obviously needs to return positive.

This was broken by commit 16aac5ad1fa9 ("ovl: support encoding
non-decodable file handles"), which didn't take the lower-only
configuration into account.

Fix by checking the no-upper-layer case up-front.

Reported-and-tested-by: Youzhong Yang &lt;youzhong@gmail.com&gt;
Closes: https://lore.kernel.org/all/CADpNCvaBimi+zCYfRJHvCOhMih8OU0rmZkwLuh24MKKroRuT8Q@mail.gmail.com/
Fixes: 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles")
Cc: &lt;stable@vger.kernel.org&gt; # v6.6
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ovl_check_encode_origin() should return a positive number if the lower
dentry is to be encoded, zero otherwise.  If there's no upper layer at all
(read-only overlay), then it obviously needs to return positive.

This was broken by commit 16aac5ad1fa9 ("ovl: support encoding
non-decodable file handles"), which didn't take the lower-only
configuration into account.

Fix by checking the no-upper-layer case up-front.

Reported-and-tested-by: Youzhong Yang &lt;youzhong@gmail.com&gt;
Closes: https://lore.kernel.org/all/CADpNCvaBimi+zCYfRJHvCOhMih8OU0rmZkwLuh24MKKroRuT8Q@mail.gmail.com/
Fixes: 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles")
Cc: &lt;stable@vger.kernel.org&gt; # v6.6
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovl: fix copy-up in tmpfile</title>
<updated>2024-05-28T08:06:55+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2024-05-27T13:44:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=db03d39053a97d2f2a6baec025ebdacbab5886d2'/>
<id>db03d39053a97d2f2a6baec025ebdacbab5886d2</id>
<content type='text'>
Move ovl_copy_up() call outside of ovl_want_write()/ovl_drop_write()
region, since copy up may also call ovl_want_write() resulting in recursive
locking on sb-&gt;s_writers.

Reported-and-tested-by: syzbot+85e58cdf5b3136471d4b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000f6865106191c3e58@google.com/
Fixes: 9a87907de359 ("ovl: implement tmpfile")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move ovl_copy_up() call outside of ovl_want_write()/ovl_drop_write()
region, since copy up may also call ovl_want_write() resulting in recursive
locking on sb-&gt;s_writers.

Reported-and-tested-by: syzbot+85e58cdf5b3136471d4b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000f6865106191c3e58@google.com/
Fixes: 9a87907de359 ("ovl: implement tmpfile")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'ovl-update-6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs</title>
<updated>2024-05-22T16:23:18+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2024-05-22T16:23:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0e22bedd758643bc2cc161d54aa181e329da0ab3'/>
<id>0e22bedd758643bc2cc161d54aa181e329da0ab3</id>
<content type='text'>
Pull overlayfs updates from Miklos Szeredi:

 - Add tmpfile support

 - Clean up include

* tag 'ovl-update-6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs:
  ovl: remove duplicate included header
  ovl: remove upper umask handling from ovl_create_upper()
  ovl: implement tmpfile
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull overlayfs updates from Miklos Szeredi:

 - Add tmpfile support

 - Clean up include

* tag 'ovl-update-6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs:
  ovl: remove duplicate included header
  ovl: remove upper umask handling from ovl_create_upper()
  ovl: implement tmpfile
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'pull-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs</title>
<updated>2024-05-21T20:11:44+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2024-05-21T20:11:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b6394d6f715919c053c1450ef0d7c5e517b53764'/>
<id>b6394d6f715919c053c1450ef0d7c5e517b53764</id>
<content type='text'>
Pull misc vfs updates from Al Viro:
 "Assorted commits that had missed the last merge window..."

* tag 'pull-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  remove call_{read,write}_iter() functions
  do_dentry_open(): kill inode argument
  kernel_file_open(): get rid of inode argument
  get_file_rcu(): no need to check for NULL separately
  fd_is_open(): move to fs/file.c
  close_on_exec(): pass files_struct instead of fdtable
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull misc vfs updates from Al Viro:
 "Assorted commits that had missed the last merge window..."

* tag 'pull-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  remove call_{read,write}_iter() functions
  do_dentry_open(): kill inode argument
  kernel_file_open(): get rid of inode argument
  get_file_rcu(): no need to check for NULL separately
  fd_is_open(): move to fs/file.c
  close_on_exec(): pass files_struct instead of fdtable
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'integrity-v6.10' of ssh://ra.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity</title>
<updated>2024-05-15T15:43:02+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2024-05-15T15:43:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=353ad6c0839431146fdee3ff16f9dd17a2809ee4'/>
<id>353ad6c0839431146fdee3ff16f9dd17a2809ee4</id>
<content type='text'>
Pull integrity updates from Mimi Zohar:
 "Two IMA changes, one EVM change, a use after free bug fix, and a code
  cleanup to address "-Wflex-array-member-not-at-end" warnings:

   - The existing IMA {ascii, binary}_runtime_measurements lists include
     a hard coded SHA1 hash. To address this limitation, define per TPM
     enabled hash algorithm {ascii, binary}_runtime_measurements lists

   - Close an IMA integrity init_module syscall measurement gap by
     defining a new critical-data record

   - Enable (partial) EVM support on stacked filesystems (overlayfs).
     Only EVM portable &amp; immutable file signatures are copied up, since
     they do not contain filesystem specific metadata"

* tag 'integrity-v6.10' of ssh://ra.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: add crypto agility support for template-hash algorithm
  evm: Rename is_unsupported_fs to is_unsupported_hmac_fs
  fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED
  evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
  ima: re-evaluate file integrity on file metadata change
  evm: Store and detect metadata inode attributes changes
  ima: Move file-change detection variables into new structure
  evm: Use the metadata inode to calculate metadata hash
  evm: Implement per signature type decision in security_inode_copy_up_xattr
  security: allow finer granularity in permitting copy-up of security xattrs
  ima: Rename backing_inode to real_inode
  integrity: Avoid -Wflex-array-member-not-at-end warnings
  ima: define an init_module critical data record
  ima: Fix use-after-free on a dentry's dname.name
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull integrity updates from Mimi Zohar:
 "Two IMA changes, one EVM change, a use after free bug fix, and a code
  cleanup to address "-Wflex-array-member-not-at-end" warnings:

   - The existing IMA {ascii, binary}_runtime_measurements lists include
     a hard coded SHA1 hash. To address this limitation, define per TPM
     enabled hash algorithm {ascii, binary}_runtime_measurements lists

   - Close an IMA integrity init_module syscall measurement gap by
     defining a new critical-data record

   - Enable (partial) EVM support on stacked filesystems (overlayfs).
     Only EVM portable &amp; immutable file signatures are copied up, since
     they do not contain filesystem specific metadata"

* tag 'integrity-v6.10' of ssh://ra.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: add crypto agility support for template-hash algorithm
  evm: Rename is_unsupported_fs to is_unsupported_hmac_fs
  fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED
  evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
  ima: re-evaluate file integrity on file metadata change
  evm: Store and detect metadata inode attributes changes
  ima: Move file-change detection variables into new structure
  evm: Use the metadata inode to calculate metadata hash
  evm: Implement per signature type decision in security_inode_copy_up_xattr
  security: allow finer granularity in permitting copy-up of security xattrs
  ima: Rename backing_inode to real_inode
  integrity: Avoid -Wflex-array-member-not-at-end warnings
  ima: define an init_module critical data record
  ima: Fix use-after-free on a dentry's dname.name
</pre>
</div>
</content>
</entry>
<entry>
<title>ovl: remove duplicate included header</title>
<updated>2024-05-10T11:22:46+00:00</updated>
<author>
<name>Thorsten Blum</name>
<email>thorsten.blum@toblux.com</email>
</author>
<published>2024-05-02T21:26:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e9229c18dae3b3c2556cea8413edd1f76c78d767'/>
<id>e9229c18dae3b3c2556cea8413edd1f76c78d767</id>
<content type='text'>
Remove duplicate included header file linux/posix_acl.h

Signed-off-by: Thorsten Blum &lt;thorsten.blum@toblux.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove duplicate included header file linux/posix_acl.h

Signed-off-by: Thorsten Blum &lt;thorsten.blum@toblux.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovl: remove upper umask handling from ovl_create_upper()</title>
<updated>2024-05-02T18:35:57+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2024-05-02T18:35:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=096802748ea1dea8b476938e0a8dc16f4bd2f1ad'/>
<id>096802748ea1dea8b476938e0a8dc16f4bd2f1ad</id>
<content type='text'>
This is already done by vfs_prepare_mode() when creating the upper object
by vfs_create(), vfs_mkdir() and vfs_mknod().

No regressions have been observed in xfstests run with posix acls turned
off for the upper filesystem.

Fixes: 1639a49ccdce ("fs: move S_ISGID stripping into the vfs_*() helpers")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is already done by vfs_prepare_mode() when creating the upper object
by vfs_create(), vfs_mkdir() and vfs_mknod().

No regressions have been observed in xfstests run with posix acls turned
off for the upper filesystem.

Fixes: 1639a49ccdce ("fs: move S_ISGID stripping into the vfs_*() helpers")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovl: implement tmpfile</title>
<updated>2024-05-02T18:35:57+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2024-05-02T18:35:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9a87907de3597a339cc129229d1a20bc7365ea5f'/>
<id>9a87907de3597a339cc129229d1a20bc7365ea5f</id>
<content type='text'>
Combine inode creation with opening a file.

There are six separate objects that are being set up: the backing inode,
dentry and file, and the overlay inode, dentry and file.  Cleanup in case
of an error is a bit of a challenge and is difficult to test, so careful
review is needed.

All tmpfile testcases except generic/509 now run/pass, and no regressions
are observed with full xfstests.

Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Reviewed-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Combine inode creation with opening a file.

There are six separate objects that are being set up: the backing inode,
dentry and file, and the overlay inode, dentry and file.  Cleanup in case
of an error is a bit of a challenge and is difficult to test, so careful
review is needed.

All tmpfile testcases except generic/509 now run/pass, and no regressions
are observed with full xfstests.

Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Reviewed-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
