<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-toradex.git/security, branch master</title>
<subtitle>Linux kernel for Apalis and Colibri modules</subtitle>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/'/>
<entry>
<title>Merge tag 'selinux-pr-20260717' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux</title>
<updated>2026-07-17T18:04:46+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-17T18:04:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=8fc574321e59a2484063b2e75016772815038608'/>
<id>8fc574321e59a2484063b2e75016772815038608</id>
<content type='text'>
Pull selinux fix from Paul Moore:
 "A single SELinux patch to correct a problem with the overlayfs mmap()
  and mprotect() fixes from earlier this year where we inadvertenly
  included an additional SELinux execmem permission check on some
  operations"

* tag 'selinux-pr-20260717' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: fix incorrect execmem checks on overlayfs
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull selinux fix from Paul Moore:
 "A single SELinux patch to correct a problem with the overlayfs mmap()
  and mprotect() fixes from earlier this year where we inadvertenly
  included an additional SELinux execmem permission check on some
  operations"

* tag 'selinux-pr-20260717' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: fix incorrect execmem checks on overlayfs
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux</title>
<updated>2026-07-16T20:22:17+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-16T20:22:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=481ed5dd3ed7136f627b8ec372ba39f5b2e7d27f'/>
<id>481ed5dd3ed7136f627b8ec372ba39f5b2e7d27f</id>
<content type='text'>
Pull landlock fix from Mickaël Salaün:
 "This fixes TCP Fast Open support, specific test environments, and doc
  warnings"

* tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  selftests/landlock: Skip scoped_signal subtest with MSG_OOB if not available
  selftests/landlock: Fix screwed up pointers in the scoped_signal_test
  landlock: Update formatting
  landlock: Fix kernel-doc for the nested quiet layer flag
  selftests/landlock: Add test for TCP fast open
  landlock: Fix TCP Fast Open connection bypass
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull landlock fix from Mickaël Salaün:
 "This fixes TCP Fast Open support, specific test environments, and doc
  warnings"

* tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  selftests/landlock: Skip scoped_signal subtest with MSG_OOB if not available
  selftests/landlock: Fix screwed up pointers in the scoped_signal_test
  landlock: Update formatting
  landlock: Fix kernel-doc for the nested quiet layer flag
  selftests/landlock: Add test for TCP fast open
  landlock: Fix TCP Fast Open connection bypass
</pre>
</div>
</content>
</entry>
<entry>
<title>selinux: fix incorrect execmem checks on overlayfs</title>
<updated>2026-07-14T22:10:20+00:00</updated>
<author>
<name>Ondrej Mosnacek</name>
<email>omosnace@redhat.com</email>
</author>
<published>2026-07-14T12:57:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=9fe595fad54d4ac6a402edb3f60bec859d52cea6'/>
<id>9fe595fad54d4ac6a402edb3f60bec859d52cea6</id>
<content type='text'>
The commit fixing the overlayfs mmap() and mprotect() access checks
failed to skip the execmem check in __file_map_prot_check() for the case
where the "mounter check" is being performed. This check should be
performed only against the credentials of the task that is calling
mmap()/mprotect(), since it doesn't pertain to the file itself, but
rather just gates the ability of the calling task to get an executable
memory mapping in general.

The purpose of the "mounter check" is to guard against using an
overlayfs mount to gain file access that would otherwise be denied to
the mounter. For execmem this is not relevant, as there is no further
file access granted based on it (notice that the file's context is not
used as the target in the check), so checking it also against the
mounter credentials would be incorrect.

Fix this by passing a boolean to [__]file_map_prot_check() and
selinux_mmap_file_common() that indicates if we are doing the "mounter
check" and skiping the execmem check in that case. Since this boolean
also indicates if we use current_cred() or the mounter cred as the
subject, also remove the "cred" argument from these functions and
determine it based on the boolean and the file struct.

Cc: stable@vger.kernel.org
Fixes: 82544d36b172 ("selinux: fix overlayfs mmap() and mprotect() access checks")
Signed-off-by: Ondrej Mosnacek &lt;omosnace@redhat.com&gt;
Reviewed-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The commit fixing the overlayfs mmap() and mprotect() access checks
failed to skip the execmem check in __file_map_prot_check() for the case
where the "mounter check" is being performed. This check should be
performed only against the credentials of the task that is calling
mmap()/mprotect(), since it doesn't pertain to the file itself, but
rather just gates the ability of the calling task to get an executable
memory mapping in general.

The purpose of the "mounter check" is to guard against using an
overlayfs mount to gain file access that would otherwise be denied to
the mounter. For execmem this is not relevant, as there is no further
file access granted based on it (notice that the file's context is not
used as the target in the check), so checking it also against the
mounter credentials would be incorrect.

Fix this by passing a boolean to [__]file_map_prot_check() and
selinux_mmap_file_common() that indicates if we are doing the "mounter
check" and skiping the execmem check in that case. Since this boolean
also indicates if we use current_cred() or the mounter cred as the
subject, also remove the "cred" argument from these functions and
determine it based on the boolean and the file struct.

Cc: stable@vger.kernel.org
Fixes: 82544d36b172 ("selinux: fix overlayfs mmap() and mprotect() access checks")
Signed-off-by: Ondrej Mosnacek &lt;omosnace@redhat.com&gt;
Reviewed-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux</title>
<updated>2026-07-11T01:59:29+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-11T01:59:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=ccce5f6e7c86f103d76534e2d06d1c903dce551c'/>
<id>ccce5f6e7c86f103d76534e2d06d1c903dce551c</id>
<content type='text'>
Pull selinux fixes from Paul Moore:
 "Two small SELinux patches to fix a missing permission check for TCP
  Fast Open operations and fix a socket lookup issue with SCTP ASCONF
  operations"

* tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()
  selinux: check connect-related permissions on TCP Fast Open
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull selinux fixes from Paul Moore:
 "Two small SELinux patches to fix a missing permission check for TCP
  Fast Open operations and fix a socket lookup issue with SCTP ASCONF
  operations"

* tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()
  selinux: check connect-related permissions on TCP Fast Open
</pre>
</div>
</content>
</entry>
<entry>
<title>landlock: Update formatting</title>
<updated>2026-07-10T10:59:10+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2026-07-08T11:06:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=97c0e344e03818dbf3116e77d3d7fe81f1fbe795'/>
<id>97c0e344e03818dbf3116e77d3d7fe81f1fbe795</id>
<content type='text'>
Following commit 99df2a8eba34 ("clang-format: fix formatting of guard()
and scoped_guard() statements"), update scoped_guard() formatting.
Also, see the related fix [1].

Cc: Günther Noack &lt;gnoack@google.com&gt;
Cc: Miguel Ojeda &lt;ojeda@kernel.org&gt;
Link: https://lore.kernel.org/r/20260708105713.2073335-1-mic@digikod.net [1]
Link: https://patch.msgid.link/20260708110635.2083515-1-mic@digikod.net
Reviewed-by: Günther Noack &lt;gnoack@google.com&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Following commit 99df2a8eba34 ("clang-format: fix formatting of guard()
and scoped_guard() statements"), update scoped_guard() formatting.
Also, see the related fix [1].

Cc: Günther Noack &lt;gnoack@google.com&gt;
Cc: Miguel Ojeda &lt;ojeda@kernel.org&gt;
Link: https://lore.kernel.org/r/20260708105713.2073335-1-mic@digikod.net [1]
Link: https://patch.msgid.link/20260708110635.2083515-1-mic@digikod.net
Reviewed-by: Günther Noack &lt;gnoack@google.com&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>landlock: Fix kernel-doc for the nested quiet layer flag</title>
<updated>2026-07-10T10:59:09+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2026-07-03T14:17:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=592a37889f97d60debf6a442684ba4d13435c817'/>
<id>592a37889f97d60debf6a442684ba4d13435c817</id>
<content type='text'>
kernel-doc emits "Excess struct member 'quiet' description in
'landlock_layer'" because "quiet" is a bitfield inside the named nested
struct "flags", but its inline comment used the bare member name
"@quiet:", which kernel-doc attributes to the enclosing landlock_layer.

Use the canonical dotted notation "@flags.quiet:" so kernel-doc resolves
the nested member, and include it in the generated documentation.

Cc: Justin Suess &lt;utilityemal77@gmail.com&gt;
Cc: Tingmao Wang &lt;m@maowtm.org&gt;
Fixes: a260c0055665 ("landlock: Add a place for flags to layer rules")
Link: https://patch.msgid.link/20260703141711.2016964-1-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
kernel-doc emits "Excess struct member 'quiet' description in
'landlock_layer'" because "quiet" is a bitfield inside the named nested
struct "flags", but its inline comment used the bare member name
"@quiet:", which kernel-doc attributes to the enclosing landlock_layer.

Use the canonical dotted notation "@flags.quiet:" so kernel-doc resolves
the nested member, and include it in the generated documentation.

Cc: Justin Suess &lt;utilityemal77@gmail.com&gt;
Cc: Tingmao Wang &lt;m@maowtm.org&gt;
Fixes: a260c0055665 ("landlock: Add a place for flags to layer rules")
Link: https://patch.msgid.link/20260703141711.2016964-1-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>landlock: Fix TCP Fast Open connection bypass</title>
<updated>2026-07-10T10:59:07+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2026-07-01T21:46:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=33cb713db0161b54f04fe830e062c9e102c29a04'/>
<id>33cb713db0161b54f04fe830e062c9e102c29a04</id>
<content type='text'>
The documentation of the socket_connect() LSM hook states that it
controls connecting a socket to a remote address. It has not been the
case since the addition of TCP Fast Open (RFC 7413) support, which
allows opening a TCP connection (thus, setting a socket's destination
address) via the MSG_FASTOPEN flag passed to
sendto()/sendmsg()/sendmmsg(). The problem then got duplicated into
MPTCP.

Landlock did not take it into account when its TCP support was added,
leaving a bypass of TCP connect policy.

Ideally a call to the LSM hook would be added in the fastopen code path,
in order to fix this generically. But connect() hooks are designed to
run with the socket locked, unlike sendmsg() hooks.

Closes: https://github.com/landlock-lsm/linux/issues/41
Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://patch.msgid.link/20260701214628.33319-1-matthieu@buffet.re
Cc: stable@vger.kernel.org
[mic: Wrap commit message]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The documentation of the socket_connect() LSM hook states that it
controls connecting a socket to a remote address. It has not been the
case since the addition of TCP Fast Open (RFC 7413) support, which
allows opening a TCP connection (thus, setting a socket's destination
address) via the MSG_FASTOPEN flag passed to
sendto()/sendmsg()/sendmmsg(). The problem then got duplicated into
MPTCP.

Landlock did not take it into account when its TCP support was added,
leaving a bypass of TCP connect policy.

Ideally a call to the LSM hook would be added in the fastopen code path,
in order to fix this generically. But connect() hooks are designed to
run with the socket locked, unlike sendmsg() hooks.

Closes: https://github.com/landlock-lsm/linux/issues/41
Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://patch.msgid.link/20260701214628.33319-1-matthieu@buffet.re
Cc: stable@vger.kernel.org
[mic: Wrap commit message]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()</title>
<updated>2026-07-01T22:22:22+00:00</updated>
<author>
<name>Tristan Madani</name>
<email>tristan@talencesecurity.com</email>
</author>
<published>2026-06-25T23:53:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=56acfeb10019e200ab6787d01f8d7cbe0f01526f'/>
<id>56acfeb10019e200ab6787d01f8d7cbe0f01526f</id>
<content type='text'>
selinux_sctp_bind_connect() dereferences sk-&gt;sk_socket to pass a
struct socket * to selinux_socket_bind() and
selinux_socket_connect_helper().  However, when the hook is invoked
from the ASCONF softirq path (sctp_process_asconf), there is no file
reference guaranteeing that sk-&gt;sk_socket is non-NULL.  The setsockopt
callers (bindx, connectx, set_primary, sendmsg connect) hold a file
reference and are not affected.

Both selinux_socket_bind() and selinux_socket_connect_helper()
immediately resolve sock-&gt;sk, never using the struct socket * for
anything else.  Refactor the inner logic into helpers that take a
struct sock * directly so that selinux_sctp_bind_connect() never needs
to touch sk-&gt;sk_socket at all.

Cc: stable@vger.kernel.org
Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Suggested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Tristan Madani &lt;tristan@talencesecurity.com&gt;
Reviewed-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
selinux_sctp_bind_connect() dereferences sk-&gt;sk_socket to pass a
struct socket * to selinux_socket_bind() and
selinux_socket_connect_helper().  However, when the hook is invoked
from the ASCONF softirq path (sctp_process_asconf), there is no file
reference guaranteeing that sk-&gt;sk_socket is non-NULL.  The setsockopt
callers (bindx, connectx, set_primary, sendmsg connect) hold a file
reference and are not affected.

Both selinux_socket_bind() and selinux_socket_connect_helper()
immediately resolve sock-&gt;sk, never using the struct socket * for
anything else.  Refactor the inner logic into helpers that take a
struct sock * directly so that selinux_sctp_bind_connect() never needs
to touch sk-&gt;sk_socket at all.

Cc: stable@vger.kernel.org
Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Suggested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Tristan Madani &lt;tristan@talencesecurity.com&gt;
Reviewed-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selinux: check connect-related permissions on TCP Fast Open</title>
<updated>2026-07-01T21:09:53+00:00</updated>
<author>
<name>Stephen Smalley</name>
<email>stephen.smalley.work@gmail.com</email>
</author>
<published>2026-06-18T17:55:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=44c74d27d1b9aaa99fa8a83640c1223575262b80'/>
<id>44c74d27d1b9aaa99fa8a83640c1223575262b80</id>
<content type='text'>
Similar to Landlock, SELinux was not updated when TCP Fast Open
support was introduced to ensure connect-related permissions are
checked when using TCP Fast Open. Update its socket_sendmsg() hook to
call selinux_socket_connect() when MSG_FASTOPEN is passed.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-security-module/20260616201615.275032-1-hexlabsecurity@proton.me/
Link: https://lore.kernel.org/linux-security-module/20260617180526.15627-2-matthieu@buffet.re/
Reported-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Reported-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Reported-by: Mikhail Ivanov &lt;ivanov.mikhail1@huawei-partners.com&gt;
Signed-off-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Similar to Landlock, SELinux was not updated when TCP Fast Open
support was introduced to ensure connect-related permissions are
checked when using TCP Fast Open. Update its socket_sendmsg() hook to
call selinux_socket_connect() when MSG_FASTOPEN is passed.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-security-module/20260616201615.275032-1-hexlabsecurity@proton.me/
Link: https://lore.kernel.org/linux-security-module/20260617180526.15627-2-matthieu@buffet.re/
Reported-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Reported-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Reported-by: Mikhail Ivanov &lt;ivanov.mikhail1@huawei-partners.com&gt;
Signed-off-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized</title>
<updated>2026-06-30T14:31:56+00:00</updated>
<author>
<name>Matt Bobrowski</name>
<email>mattbobrowski@google.com</email>
</author>
<published>2026-06-28T20:11:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=a6f0643e4f63cfaa0d5d4a69de4f132eac4b8fe4'/>
<id>a6f0643e4f63cfaa0d5d4a69de4f132eac4b8fe4</id>
<content type='text'>
When CONFIG_BPF_LSM=y is set, BPF inode storage maps
(BPF_MAP_TYPE_INODE_STORAGE) are compiled into the kernel. However,
if the BPF LSM is not explicitly enabled at boot time (e.g. omitted
from the "lsm=" boot parameter), lsm_prepare() is never executed for
the BPF LSM.

Consequently, the BPF inode security blob offset
(bpf_lsm_blob_sizes.lbs_inode) is never initialized and remains at
its default compiled size of 8 bytes instead of being updated to a
valid offset past the reserved struct rcu_head (typically 16 bytes
or more).

When a privileged user creates and updates a BPF_MAP_TYPE_INODE_STORAGE
map, bpf_inode() evaluates inode-&gt;i_security + 8. This erroneously
aliases the struct rcu_head.func callback pointer at the beginning
of the inode-&gt;i_security blob. During subsequent map element cleanup
or inode destruction, writing NULL to owner_storage clears the queued
RCU callback pointer. When rcu_do_batch() later executes the queued
callback, it attempts an instruction fetch at address 0x0, triggering
an immediate kernel panic.

Fix this by introducing a global bpf_lsm_initialized boolean flag
marked with __ro_after_init. Set this flag to true inside bpf_lsm_init()
when the LSM framework successfully registers the BPF LSM. Gate map
allocation in inode_storage_map_alloc() on this flag, returning
-EOPNOTSUPP if the BPF LSM is in turn uninitialized.

This fail-fast approach prevents userspace from allocating inode
storage maps when the supporting BPF LSM infrastructure is absent,
avoiding zombie map states.

Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
Reported-by: oxsignal &lt;awo@kakao.com&gt;
Signed-off-by: Matt Bobrowski &lt;mattbobrowski@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Reviewed-by: Emil Tsalapatis &lt;emil@etsalapatis.com&gt;
Reviewed-by: Amery Hung &lt;ameryhung@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20260628201103.3624525-1-mattbobrowski@google.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When CONFIG_BPF_LSM=y is set, BPF inode storage maps
(BPF_MAP_TYPE_INODE_STORAGE) are compiled into the kernel. However,
if the BPF LSM is not explicitly enabled at boot time (e.g. omitted
from the "lsm=" boot parameter), lsm_prepare() is never executed for
the BPF LSM.

Consequently, the BPF inode security blob offset
(bpf_lsm_blob_sizes.lbs_inode) is never initialized and remains at
its default compiled size of 8 bytes instead of being updated to a
valid offset past the reserved struct rcu_head (typically 16 bytes
or more).

When a privileged user creates and updates a BPF_MAP_TYPE_INODE_STORAGE
map, bpf_inode() evaluates inode-&gt;i_security + 8. This erroneously
aliases the struct rcu_head.func callback pointer at the beginning
of the inode-&gt;i_security blob. During subsequent map element cleanup
or inode destruction, writing NULL to owner_storage clears the queued
RCU callback pointer. When rcu_do_batch() later executes the queued
callback, it attempts an instruction fetch at address 0x0, triggering
an immediate kernel panic.

Fix this by introducing a global bpf_lsm_initialized boolean flag
marked with __ro_after_init. Set this flag to true inside bpf_lsm_init()
when the LSM framework successfully registers the BPF LSM. Gate map
allocation in inode_storage_map_alloc() on this flag, returning
-EOPNOTSUPP if the BPF LSM is in turn uninitialized.

This fail-fast approach prevents userspace from allocating inode
storage maps when the supporting BPF LSM infrastructure is absent,
avoiding zombie map states.

Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
Reported-by: oxsignal &lt;awo@kakao.com&gt;
Signed-off-by: Matt Bobrowski &lt;mattbobrowski@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Reviewed-by: Emil Tsalapatis &lt;emil@etsalapatis.com&gt;
Reviewed-by: Amery Hung &lt;ameryhung@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20260628201103.3624525-1-mattbobrowski@google.com
</pre>
</div>
</content>
</entry>
</feed>
