1 files changed, 29 insertions, 0 deletions

diff --git a/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
new file mode 100644
index 000000000..88a2b15b3
--- /dev/null
+++ b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS
+Date: Wed, 13 Jul 2016 01:37:22 +0100
+Forwarded: not-needed
+
+Various free and proprietary AV products use this feature and users
+apparently want it.  But punting access checks to userland seems like
+an easy way to deadlock the system, and there will be nothing we can
+do about that.  So warn and taint the kernel if this feature is
+actually used.
+
+---
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -1661,6 +1661,14 @@ static int do_fanotify_mark(int fanotify
+ 		umask = FANOTIFY_EVENT_FLAGS;
+ 	}
+ 
++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
++	if (mask & FANOTIFY_PERM_EVENTS) {
++		pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n",
++			     current->comm, current->pid);
++		add_taint(TAINT_AUX, LOCKDEP_STILL_OK);
++	}
++#endif
++
+ 	f = fdget(fanotify_fd);
+ 	if (unlikely(!f.file))
+ 		return -EBADF;