cel@xxxxxxxxxx writes: > From: Chuck Lever <chuck.lever@xxxxxxxxxx> > > Gabriel says: >> 9709bd548f11 just enabled a new feature - >> which seems against stable rules. Considering that "anything is >> a CVE", we really need to be cautious about this kind of stuff in >> stable kernels. >> >> Is it possible to drop 9709bd548f11 from stable instead? > > The revert wasn't clean, but adjusting it to fit was straightforward. > This passes NFSD CI, and adds no new failures to the fanotify ltp > tests. > > Reported-by: Gabriel Krisman Bertazi <gabriel@xxxxxxxxxx> > Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> > --- > fs/notify/fanotify/fanotify_user.c | 4 ---- > include/linux/fanotify.h | 6 +----- > 2 files changed, 1 insertion(+), 9 deletions(-) > > Gabriel, is this what you were thinking? Thanks Chuck. This looks good to me as a way to disable it in stable and prevent userspace from trying to use it. Up to fanotify maintainers to decide whether to brign the rest of the series or merge this, but either way: Reviewed-by: Gabriel Krisman Bertazi <gabriel@xxxxxxxxxx> > > diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c > index d93418f21386..0d91db1c7249 100644 > --- a/fs/notify/fanotify/fanotify_user.c > +++ b/fs/notify/fanotify/fanotify_user.c > @@ -1701,10 +1701,6 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask, > group->priority == FS_PRIO_0) > goto fput_and_out; > > - if (mask & FAN_FS_ERROR && > - mark_type != FAN_MARK_FILESYSTEM) > - goto fput_and_out; > - > /* > * Evictable is only relevant for inode marks, because only inode object > * can be evicted on memory pressure. > diff --git a/include/linux/fanotify.h b/include/linux/fanotify.h > index 558844c8d259..df60b46971c9 100644 > --- a/include/linux/fanotify.h > +++ b/include/linux/fanotify.h > @@ -97,13 +97,9 @@ extern struct ctl_table fanotify_table[]; /* for sysctl */ > #define FANOTIFY_INODE_EVENTS (FANOTIFY_DIRENT_EVENTS | \ > FAN_ATTRIB | FAN_MOVE_SELF | FAN_DELETE_SELF) > > -/* Events that can only be reported with data type FSNOTIFY_EVENT_ERROR */ > -#define FANOTIFY_ERROR_EVENTS (FAN_FS_ERROR) > - > /* Events that user can request to be notified on */ > #define FANOTIFY_EVENTS (FANOTIFY_PATH_EVENTS | \ > - FANOTIFY_INODE_EVENTS | \ > - FANOTIFY_ERROR_EVENTS) > + FANOTIFY_INODE_EVENTS) > > /* Events that require a permission response from user */ > #define FANOTIFY_PERM_EVENTS (FAN_OPEN_PERM | FAN_ACCESS_PERM | \ -- Gabriel Krisman Bertazi