{"id":2220115,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2220115/?format=json","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.0/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260406113010.38193-3-massimiliano.pellizzer@canonical.com>","date":"2026-04-06T11:30:10","name":"[SRU,J,v2,2/2] UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non initial user namespace","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"884f0687a141f9913103c9f2028a9e6809b2abfb","submitter":{"id":89057,"url":"http://patchwork.ozlabs.org/api/1.0/people/89057/?format=json","name":"Massimiliano Pellizzer","email":"massimiliano.pellizzer@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260406113010.38193-3-massimiliano.pellizzer@canonical.com/mbox/","series":[{"id":498844,"url":"http://patchwork.ozlabs.org/api/1.0/series/498844/?format=json","date":"2026-04-06T11:30:08","name":"CVE-2023-2640 and CVE-2023-32629","version":2,"mbox":"http://patchwork.ozlabs.org/series/498844/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220115/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=jMg62RsP;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fq6bb4ZQyz1xy1\n\tfor ; Mon, 06 Apr 2026 21:31:23 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1w9iAn-0005ql-8d; Mon, 06 Apr 2026 11:31:17 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from )\n id 1w9iAm-0005pS-AV\n for kernel-team@lists.ubuntu.com; Mon, 06 Apr 2026 11:31:16 +0000","from mail-wr1-f69.google.com (mail-wr1-f69.google.com\n [209.85.221.69])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 29EDA3F213\n for ; Mon, 6 Apr 2026 11:31:16 +0000 (UTC)","by mail-wr1-f69.google.com with SMTP id\n ffacd0b85a97d-43b8c472f3eso3077791f8f.0\n for ; Mon, 06 Apr 2026 04:31:16 -0700 (PDT)","from framework.ts.net (net-93-71-66-38.cust.vodafonedsl.it.\n [93.71.66.38]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488b739e00bsm36899605e9.10.2026.04.06.04.31.14\n for \n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 06 Apr 2026 04:31:14 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775475076;\n bh=KCPGjFFfM57kHJCR7wC5LU+k3GSxi10Zt3Z16zcutCM=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=jMg62RsPjhhrAv8U2WukEuMEGzEFYUcVKpBIxO3LUxIbnoOYtmlVlp6uTAEhG4cLG\n EpKD3OOc8hP1tocVjl6IuBBaJ15R74QBIOuVlH143OtHYjcwm14wAQUssOaVwC8YBP\n 6BQvPXtEYEGDo7SgjvLe5daZ5WBLsa1Dpn2JBwWbfdPRHoydcWvgkA5hRNpVpwqvoP\n CVd7BeTTRmHcQyh6fN2wkQ3neiBp8tNql1vSmN7qdyCw2kJmcigMarqdtZFfxSOror\n AZ4egcBM/vqMQF3vvSo6yAzJiXWWihDQmzDIPJDlPdHhQJRY7tfaay1i3aC68ukeXM\n F6zJcrhyDQMzD33Hieyh/cyUIKbkPUEKnY8HmlBvJ3cMT5r0FCd4LHAHa4ife2MUaA\n UbvpTy95d5qcp6qPiBu6vipKBtIRisgUQjkRe8WDdJcGqkKAx28yro+UzvmsTAWfmH\n H1sLnSqaOLPO9EbgIIk2QfA/pljUBqFy9kKgt4ijr22XQmwitFfS3ukzeWyBUJoc8U\n rM2GRPQ5b/uR6o8dnCF2ojuPAA3Gdtd7P7nn7UhPH65k2he9NGQkTaSRWKpa/OTaT9\n xyR0wLKm3mdr4yb6OM4kY63q6GGUpukPf0cLny9DgeVu2v4hV/YUZA6ebZJmq6G7hS\n KrCwqku9E7jG+9+IjSxolPTQ=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775475075; x=1776079875;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=KCPGjFFfM57kHJCR7wC5LU+k3GSxi10Zt3Z16zcutCM=;\n b=OmXdMIwba+mDT1u0XWg6G8ubGSo3aoJ5CLsI76P7oM4DgneBnAcuBF3/zZ5a22c5oW\n iBewmxUcSBvPprx00sFwKagQIOuJMFGCAZ/J7BiB1LiY4EcJo0Yw9f6ZX/1JZMMLIj7E\n 9J93dJX9b9ONVR7uBaq/l/p2f+S/Gt+OchIb9fK2HImzaQEB7/QgARlUtJ0h90Ih0fLR\n YtmqVyhpg6RlZlMlF0KHTYOilbB/WydrOmOd0GMk7g2nv+Nua5NCH75sEB1XTkGOqi6v\n KUlt+uU9EpvCEsS/Icau4oQ/NuXQGD5PZNymwjxOc/8+qFs8QmFZnDh8W1Zy8BqKLNY1\n /HYA==","X-Gm-Message-State":"AOJu0Yy9KGoJZPFsS0gOAoCG3O69/DosrqjyI52xjMg/6Z+S5cz7SUIN\n E4t8TQc/BH8q/bvCt1ltKyqyfDul9BZ0LCgA7Z9P0AwFu8FPBwD21a1tbmL1kHybGWQ2xLSfPPu\n i1UdPyqp06AZLhDySGTppsrO1hMtzGGlSGQJmHo4cc0UtBPpvrGQB3qpXZyIEEOaDHN1loP1Er0\n EgR0el/ehfSvwj4g==","X-Gm-Gg":"AeBDies7HZEVIl0h7IbuW1jXf55fgccBk+W0JdQDnGPnIsMVVoet0lec5XF1UcpTLNo\n +yQuSxvvrfhOBQ/xdwvcReLGbmXDRJLfvL+8bCJ0+yaGyQo+AaBebFFZXuUDxv71gx/+N5IM0Ll\n bmkn2sECcYVF/l3486aswQ9wSlSeXv65kd8CL9LqSqiu062IouMve6PHmnR644AqF48ts8gNdoH\n +OqBiU/ux8P8WbkfgRm6dDFkjuBVXs8Qc8TY+STLLXsvvbO39x2QyPSqi281sM3o5SW1MDtdRRv\n PVrbQxSdlVggKNTFpOyfD/bi1NFOmvHHMfRx81LZIE7WR0r6f2BEZ/ft36esv8xGOr5HAo9KjhQ\n KofFEIm/vNXOmhBs7kdAl3qm9BoY03myowvsoJLgBZNvZB57HnPIemqt0ST9gEy6O+Dd05oH4j6\n HCAJoKEY9wu6C6eV10edLChIykkk21rSzhrkQmaDqbGV+qUpTkN9SGNXZF2KkbOLqDiyxkK0w=","X-Received":["by 2002:a05:600c:c8d:b0:485:4eaf:eb54 with SMTP id\n 5b1f17b1804b1-48899793093mr171037755e9.20.1775475075447;\n Mon, 06 Apr 2026 04:31:15 -0700 (PDT)","by 2002:a05:600c:c8d:b0:485:4eaf:eb54 with SMTP id\n 5b1f17b1804b1-48899793093mr171037315e9.20.1775475074967;\n Mon, 06 Apr 2026 04:31:14 -0700 (PDT)"],"From":"Massimiliano Pellizzer ","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J][PATCH v2 2/2] UBUNTU: SAUCE: overlayfs: default to userxattr\n when mounted from non initial user namespace","Date":"Mon, 6 Apr 2026 13:30:10 +0200","Message-ID":"<20260406113010.38193-3-massimiliano.pellizzer@canonical.com>","X-Mailer":"git-send-email 2.51.0","In-Reply-To":"<20260406113010.38193-1-massimiliano.pellizzer@canonical.com>","References":"<20260406113010.38193-1-massimiliano.pellizzer@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "},"content":"Also add a nouserxattr for the cases where it is desirable to mount without\nuserxattr under such namespaces.\n\nThis allows cases where such xattrs are necessary for certain operations to\nwork out, instead of failing due to not being able to use the\ntrusted.overlay.* xattrs.\n\nCVE-2023-2640\nCVE-2023-32629\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Massimiliano Pellizzer \n---\n fs/overlayfs/super.c | 10 ++++++++++\n 1 file changed, 10 insertions(+)","diff":"diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c\nindex e1c4449e30993..e21574191d8b4 100644\n--- a/fs/overlayfs/super.c\n+++ b/fs/overlayfs/super.c\n@@ -388,6 +388,8 @@ static int ovl_show_options(struct seq_file *m, struct dentry *dentry)\n \t\tseq_puts(m, \",volatile\");\n \tif (ofs->config.userxattr)\n \t\tseq_puts(m, \",userxattr\");\n+\telse\n+\t\tseq_puts(m, \",nouserxattr\");\n \treturn 0;\n }\n \n@@ -436,6 +438,7 @@ enum {\n \tOPT_UUID_OFF,\n \tOPT_NFS_EXPORT_ON,\n \tOPT_USERXATTR,\n+\tOPT_NOUSERXATTR,\n \tOPT_NFS_EXPORT_OFF,\n \tOPT_XINO_ON,\n \tOPT_XINO_OFF,\n@@ -455,6 +458,7 @@ static const match_table_t ovl_tokens = {\n \t{OPT_INDEX_ON,\t\t\t\"index=on\"},\n \t{OPT_INDEX_OFF,\t\t\t\"index=off\"},\n \t{OPT_USERXATTR,\t\t\t\"userxattr\"},\n+\t{OPT_NOUSERXATTR,\t\t\"nouserxattr\"},\n \t{OPT_UUID_ON,\t\t\t\"uuid=on\"},\n \t{OPT_UUID_OFF,\t\t\t\"uuid=off\"},\n \t{OPT_NFS_EXPORT_ON,\t\t\"nfs_export=on\"},\n@@ -625,6 +629,10 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config)\n \t\t\tconfig->userxattr = true;\n \t\t\tbreak;\n \n+\t\tcase OPT_NOUSERXATTR:\n+\t\t\tconfig->userxattr = false;\n+\t\t\tbreak;\n+\n \t\tdefault:\n \t\t\tpr_err(\"unrecognized mount option \\\"%s\\\" or missing value\\n\",\n \t\t\t\t\tp);\n@@ -2009,6 +2017,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)\n \tofs->config.nfs_export = ovl_nfs_export_def;\n \tofs->config.xino = ovl_xino_def();\n \tofs->config.metacopy = ovl_metacopy_def;\n+\tif (sb->s_user_ns != &init_user_ns)\n+\t\tofs->config.userxattr = true;\n \terr = ovl_parse_opt((char *) data, &ofs->config);\n \tif (err)\n \t\tgoto out_err;\n","prefixes":["SRU","J","v2","2/2"]}