<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/security, branch master</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=master</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-04-24T16:22:21+00:00</updated>
<entry>
<title>Merge tag 'apparmor-pr-2026-04-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor</title>
<updated>2026-04-24T16:22:21+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-24T16:22:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=eefe0b9dee5db64ec87707c8e44f31851f257389'/>
<id>urn:sha1:eefe0b9dee5db64ec87707c8e44f31851f257389</id>
<content type='text'>
Pull apparmor updates from John Johansen:
 "Cleanups
   - Use sysfs_emit in param_get_{audit,mode}
   - Remove redundant if check in sk_peer_get_label
   - Replace memcpy + NUL termination with kmemdup_nul in do_setattr

  Bug Fixes:
   - Fix aa_dfa_unpack's error handling in aa_setup_dfa_engine
   - Fix string overrun due to missing termination
   - Fix wrong dentry in RENAME_EXCHANGE uid check
   - fix unpack_tags to properly return error in failure cases
   - fix dfa size check
   - return error on namespace mismatch in verify_header
   - use target task's context in apparmor_getprocattr()"

* tag 'apparmor-pr-2026-04-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor/lsm: Fix aa_dfa_unpack's error handling in aa_setup_dfa_engine
  apparmor: Fix string overrun due to missing termination
  apparmor: Fix wrong dentry in RENAME_EXCHANGE uid check
  apparmor: fix unpack_tags to properly return error in failure cases
  apparmor: fix dfa size check
  apparmor: Use sysfs_emit in param_get_{audit,mode}
  apparmor: Remove redundant if check in sk_peer_get_label
  apparmor: Replace memcpy + NUL termination with kmemdup_nul in do_setattr
  apparmor: return error on namespace mismatch in verify_header
  apparmor: use target task's context in apparmor_getprocattr()
</content>
</entry>
<entry>
<title>apparmor/lsm: Fix aa_dfa_unpack's error handling in aa_setup_dfa_engine</title>
<updated>2026-04-23T03:11:08+00:00</updated>
<author>
<name>GONG Ruiqi</name>
<email>gongruiqi1@huawei.com</email>
</author>
<published>2026-04-23T03:10:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=11b7df0952663f20ce72c9a22a3cf9278cf84db7'/>
<id>urn:sha1:11b7df0952663f20ce72c9a22a3cf9278cf84db7</id>
<content type='text'>
aa_dfa_unpack returns ERR_PTR not NULL when it fails, but aa_put_dfa
only checks NULL for its input, which would cause invalid memory access
in aa_put_dfa. Set nulldfa to NULL explicitly to fix that.

Fixes: 98b824ff8984 ("apparmor: refcount the pdb")
Signed-off-by: GONG Ruiqi &lt;gongruiqi1@huawei.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: Fix string overrun due to missing termination</title>
<updated>2026-04-23T03:09:05+00:00</updated>
<author>
<name>Daniel J Blueman</name>
<email>daniel@quora.org</email>
</author>
<published>2026-03-27T11:58:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=828bf7929bedcb79b560b5b4e44f22abee07d31b'/>
<id>urn:sha1:828bf7929bedcb79b560b5b4e44f22abee07d31b</id>
<content type='text'>
When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm
Snapdragon X1 we see a string buffer overrun:

BUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)
Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120

CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY
Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025
Call trace:
show_stack (arch/arm64/kernel/stacktrace.c:501) (C)
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:597)
__asan_report_load1_noabort (mm/kasan/report_generic.c:378)
aa_dfa_match (security/apparmor/match.c:535)
match_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)
match_mnt (security/apparmor/mount.c:371)
aa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))
security_sb_mount (security/security.c:1062 (discriminator 31))
path_mount (fs/namespace.c:4101)
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))
do_el0_svc (arch/arm64/kernel/syscall.c:152)
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)
el0t_64_sync (arch/arm64/kernel/entry.S:596)

Allocated by task 2120:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)
kasan_save_alloc_info (mm/kasan/generic.c:571)
__kasan_kmalloc (mm/kasan/common.c:419)
__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)
aa_get_buffer (security/apparmor/lsm.c:2201)
aa_bind_mount (security/apparmor/mount.c:442)
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))
security_sb_mount (security/security.c:1062 (discriminator 31))
path_mount (fs/namespace.c:4101)
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))
do_el0_svc (arch/arm64/kernel/syscall.c:152)
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)
el0t_64_sync (arch/arm64/kernel/entry.S:596)

The buggy address belongs to the object at ffff0008901ca000
which belongs to the cache kmalloc-rnd-06-8k of size 8192
The buggy address is located 0 bytes to the right of
allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)

This was introduced by a previous incorrect conversion from strcpy(). Fix it
by adding the missing terminator.

Cc: stable@vger.kernel.org
Reviewed-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: Daniel J Blueman &lt;daniel@quora.org&gt;
Fixes: 93d4dbdc8da0 ("apparmor: Replace deprecated strcpy in d_namespace_path")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: Fix wrong dentry in RENAME_EXCHANGE uid check</title>
<updated>2026-04-23T03:08:09+00:00</updated>
<author>
<name>Dudu Lu</name>
<email>phx0fer@gmail.com</email>
</author>
<published>2026-04-13T09:03:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ef78fdc4724190fbd4e66d80bcdf4d08045f5e98'/>
<id>urn:sha1:ef78fdc4724190fbd4e66d80bcdf4d08045f5e98</id>
<content type='text'>
In apparmor_path_rename(), when handling RENAME_EXCHANGE, the
cond_exchange structure is supposed to carry the attributes of the
*new* dentry (since it is used to authorize moving new_dentry to the
old location). However, line 412 reads:

    vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry));

This fetches the uid of old_dentry instead of new_dentry. As a result,
the RENAME_EXCHANGE permission check uses the wrong file owner, which
can allow a rename that should be denied (if old_dentry's owner has
more privileges) or deny one that should be allowed.

Note that cond_exchange.mode on the line above correctly uses
new_dentry. Only the uid lookup is wrong.

Fix by changing old_dentry to new_dentry in the i_uid_into_vfsuid call.

Fixes: 5e26a01e56fd ("apparmor: use type safe idmapping helpers")
Reviewed-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: Dudu Lu &lt;phx0fer@gmail.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix unpack_tags to properly return error in failure cases</title>
<updated>2026-04-23T03:02:46+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2026-04-14T02:56:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=72971e6f745ad5c366629b0affbe3a6b619dcd8b'/>
<id>urn:sha1:72971e6f745ad5c366629b0affbe3a6b619dcd8b</id>
<content type='text'>
error is initialized to -EPROTO but set by some of the internal
functions. Unfortunately, the last two checks assume error is set to
-EPROTO already for the failure case. Ensure it is by setting it
before these checks.

Fixes: 3d28e2397af7a ("apparmor: add support loading per permission tagging")
Reported-by: Dan Carpenter &lt;error27@gmail.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix dfa size check</title>
<updated>2026-04-23T02:28:14+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2026-03-05T02:24:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f17b68f0c33ff184713c356cd024035d437bac8c'/>
<id>urn:sha1:f17b68f0c33ff184713c356cd024035d437bac8c</id>
<content type='text'>
AppArmor dfas need a minimum of two states to be valid. State 0 is the
default trap state, and State 1 the default start state. When verifying
the dfa ensure that this is the case.

Fixes: c27c6bd2c4d6b ("apparmor: ensure that dfa state tables have entries")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'tomoyo-pr-20260422' of git://git.code.sf.net/p/tomoyo/tomoyo</title>
<updated>2026-04-22T21:22:26+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-22T21:22:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=87d03777eb5dff5ea03802933e9045e64ebf004d'/>
<id>urn:sha1:87d03777eb5dff5ea03802933e9045e64ebf004d</id>
<content type='text'>
Pull tomoyo update from Tetsuo Handa:
 "Handle 64-bit inode numbers"

* tag 'tomoyo-pr-20260422' of git://git.code.sf.net/p/tomoyo/tomoyo:
  tomoyo: use u64 for holding inode-&gt;i_ino value
</content>
</entry>
<entry>
<title>apparmor: Use sysfs_emit in param_get_{audit,mode}</title>
<updated>2026-04-22T17:57:52+00:00</updated>
<author>
<name>Thorsten Blum</name>
<email>thorsten.blum@linux.dev</email>
</author>
<published>2026-02-22T21:40:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=497ad4be355b70a6786dd9344710d98b14b92848'/>
<id>urn:sha1:497ad4be355b70a6786dd9344710d98b14b92848</id>
<content type='text'>
Replace sprintf() with sysfs_emit() in param_get_audit() and
param_get_mode(). sysfs_emit() is preferred for formatting sysfs output
because it provides safer bounds checking.  Add terminating newlines as
suggested by checkpatch.

Signed-off-by: Thorsten Blum &lt;thorsten.blum@linux.dev&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: Remove redundant if check in sk_peer_get_label</title>
<updated>2026-04-22T17:57:52+00:00</updated>
<author>
<name>Thorsten Blum</name>
<email>thorsten.blum@linux.dev</email>
</author>
<published>2026-02-04T22:07:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e6a522c5b4803b8f5632d5ce8f27431a1ae73222'/>
<id>urn:sha1:e6a522c5b4803b8f5632d5ce8f27431a1ae73222</id>
<content type='text'>
Remove the redundant if check in sk_peer_get_label() and return
ERR_PTR(-ENOPROTOOPT) directly.

Signed-off-by: Thorsten Blum &lt;thorsten.blum@linux.dev&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: Replace memcpy + NUL termination with kmemdup_nul in do_setattr</title>
<updated>2026-04-22T17:57:52+00:00</updated>
<author>
<name>Thorsten Blum</name>
<email>thorsten.blum@linux.dev</email>
</author>
<published>2026-01-25T21:00:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=46401cc99c6237ba825cfd65ef023955ce2a6316'/>
<id>urn:sha1:46401cc99c6237ba825cfd65ef023955ce2a6316</id>
<content type='text'>
Use kmemdup_nul() to copy 'value' instead of using memcpy() followed by
a manual NUL termination.  No functional changes.

Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Thorsten Blum &lt;thorsten.blum@linux.dev&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
</feed>
