Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.92 2026-06-01T15:46:33+00:00 2026-06-01T15:46:33+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-28T18:45:41+00:00 urn:sha1:5659e6923cb72f8e18e8b539109ab512455fe195 commit 43a1e3744548e6fd85873e6fb43e293eb4010694 upstream. Nicholas Carlini reports that the keyring code calls assoc_array_find() in find_key_to_update() without holding the RCU read lock, while the assoc_array_gc() code really is designed around removing the node from the tree and then freeing it after an RCU grace-period. The regular key handling doesn't see this because holding the keyring semaphore hides any lifetime issues, but the persistent key handling uses a different model. Instead of extending the keyring locking, just do the simple RCU locking that the assoc_array was designed for. Reported-by: Nicholas Carlini <npc@anthropic.com> Cc: David Howells <dhowells@redhat.com> Cc: Jarkko Sakkinen <jarkko@kernel.org> Cc: Paul Moore <paul@paul-moore.com> Cc: James Morris James Morris <jmorris@namei.org> Cc: Serge E. Hallyn <serge@hallyn.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-06-01T15:46:33+00:00 Matthieu Buffet matthieu@buffet.re 2026-05-28T12:14:26+00:00 urn:sha1:a366a9e54effbebb176e4fe701978e338e42edff [ Upstream commit e4d82cbce2258f454634307fdabf33aa46b61ab0 ] current_check_access_socket() treats AF_UNSPEC addresses as AF_INET ones, and only later adds special case handling to allow connect(AF_UNSPEC), and on IPv4 sockets bind(AF_UNSPEC+INADDR_ANY). This would be fine except AF_UNSPEC addresses can be as short as a bare AF_UNSPEC sa_family_t field, and nothing more. The AF_INET code path incorrectly enforces a length of sizeof(struct sockaddr_in) instead. Move AF_UNSPEC edge case handling up inside the switch-case, before the address is (potentially incorrectly) treated as AF_INET. Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect") Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Link: https://lore.kernel.org/r/20251027190726.626244-4-matthieu@buffet.re Signed-off-by: Mickaël Salaün <mic@digikod.net> [ There was a conflict due to missing commit 9f74411a40ce ("landlock: Log TCP bind and connect denials") ] Signed-off-by: Maximilian Heyne <mheyne@amazon.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:46:20+00:00 Stephen Smalley stephen.smalley.work@gmail.com 2026-05-13T18:05:06+00:00 urn:sha1:82d3acee88593e3d9e71cad4b7d6b3cf70de9d07 commit 4a9b16541ad3faf8bccb398532bf3f8b6bbf1188 upstream. Just as proc_pid_attr_write() already does before calling the LSM hook. This only matters for SELinux and AppArmor which check whether the process is being ptraced and if so, whether to allow the transition. Cc: stable@vger.kernel.org Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-23T11:04:40+00:00 Dmitry Safonov dima@arista.com 2026-03-10T17:40:39+00:00 urn:sha1:081b557cb56e1cfa8d1619b2601b01c53e3f418c [ Upstream commit d7bd8cf0b348d3edae7bee33e74a32b21668b181 ] ima_tpm_chip->allocated_banks[i].crypto_id is initialized to HASH_ALGO__LAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be valid because it is accessed by hash_algo_name[]. On 6.12.40 I observe the following read out-of-bounds in hash_algo_name: ================================================================== BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440 Read of size 8 at addr ffffffff83e18138 by task swapper/0/1 CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3 Call Trace: <TASK> dump_stack_lvl+0x61/0x90 print_report+0xc4/0x580 ? kasan_addr_to_slab+0x26/0x80 ? create_securityfs_measurement_lists+0x396/0x440 kasan_report+0xc2/0x100 ? create_securityfs_measurement_lists+0x396/0x440 create_securityfs_measurement_lists+0x396/0x440 ima_fs_init+0xa3/0x300 ima_init+0x7d/0xd0 init_ima+0x28/0x100 do_one_initcall+0xa6/0x3e0 kernel_init_freeable+0x455/0x740 kernel_init+0x24/0x1d0 ret_from_fork+0x38/0x80 ret_from_fork_asm+0x11/0x20 </TASK> The buggy address belongs to the variable: hash_algo_name+0xb8/0x420 Memory state around the buggy address: ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9 ^ ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9 ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 ================================================================== Seems like the TPM chip supports sha3_256, which isn't yet in tpm_algorithms: tpm tpm0: TPM with unsupported bank algorithm 0x0027 That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0 Library Part 2: Structures", page 51 [1]. See also the related U-Boot algorithms update [2]. Thus solve the problem by creating a file name with "_tpm_alg_<ID>" postfix if the crypto algorithm isn't initialized. This is how it looks on the test machine (patch ported to v6.12 release): # ls -1 /sys/kernel/security/ima/ ascii_runtime_measurements ascii_runtime_measurements_tpm_alg_27 ascii_runtime_measurements_sha1 ascii_runtime_measurements_sha256 binary_runtime_measurements binary_runtime_measurements_tpm_alg_27 binary_runtime_measurements_sha1 binary_runtime_measurements_sha256 policy runtime_measurements_count violations [1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf [2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html Fixes: 9fa8e7625008 ("ima: add crypto agility support for template-hash algorithm") Signed-off-by: Dmitry Safonov <dima@arista.com> Cc: Enrico Bravi <enrico.bravi@polito.it> Cc: Silvia Sisinni <silvia.sisinni@polito.it> Cc: Roberto Sassu <roberto.sassu@huawei.com> Cc: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Tested-by: Roberto Sassu <roberto.sassu@huawei.com> Link: https://github.com/linux-integrity/linux/issues/14 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-23T11:04:40+00:00 Al Viro viro@zeniv.linux.org.uk 2025-03-10T16:30:20+00:00 urn:sha1:3eb6e087e36a615f89cc5322d69915c08ed5257b [ Upstream commit d15ffbbf4d32a9007c4a339a9fecac90ce30432a ] lookup_template_data_hash_algo() machinery is used to locate the matching ima_algo_array[] element at read time; securityfs allows to stash that into inode->i_private at object creation time, so there's no need to bother Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Stable-dep-of: d7bd8cf0b348 ("ima_fs: Correctly create securityfs files for unsupported hash algos") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-23T11:04:40+00:00 Al Viro viro@zeniv.linux.org.uk 2024-05-14T05:41:51+00:00 urn:sha1:1ebac91b1e39867ca33521bf6cebacf46c00358f [ Upstream commit 22260a99d791163f7697a240dfc48e4e5a91ecfe ] removal of parent takes all children out Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Stable-dep-of: d7bd8cf0b348 ("ima_fs: Correctly create securityfs files for unsupported hash algos") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-23T11:04:40+00:00 Daniel Hodges hodgesd@meta.com 2026-02-01T02:40:15+00:00 urn:sha1:3fa64772ea4c121e3e20f6438195ca3094af1360 [ Upstream commit 870819434c8dfcc3158033b66e7851b81bb17e21 ] The return value of crypto_shash_final() is not checked in ima_calc_boot_aggregate_tfm(). If the hash finalization fails, the function returns success and a corrupted boot aggregate digest could be used for IMA measurements. Capture the return value and propagate any error to the caller. Fixes: 76bb28f6126f ("ima: use new crypto_shash API instead of old crypto_hash") Signed-off-by: Daniel Hodges <hodgesd@meta.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-23T11:04:35+00:00 Al Viro viro@zeniv.linux.org.uk 2024-07-20T00:17:58+00:00 urn:sha1:0879970e72fbaae11b89a2f7b6b191c2a0997370 [ Upstream commit 6348be02eead77bdd1562154ed6b3296ad3b3750 ] fdget() is the first thing done in scope, all matching fdput() are immediately followed by leaving the scope. Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Stable-dep-of: 66052a768d47 ("fanotify: call fanotify_events_supported() before path_permission() and security_path_notify()") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-14T13:29:20+00:00 Stephen Smalley stephen.smalley.work@gmail.com 2026-05-05T12:49:49+00:00 urn:sha1:7719fda876b6a9c8c4bcbdd5ae054eb4086363bb commit 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 upstream. Commit f22f9aaf6c3d ("selinux: remove the runtime disable functionality") removed the underlying SELinux runtime disable functionality but left everything else intact and started logging an error message to warn any residual users. Prune it to just log an error message once and to return count (i.e. all bytes written successfully) to avoid breaking userspace. This also fixes a local DoS from logspam. Cc: stable@vger.kernel.org Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-14T13:29:20+00:00 Stephen Smalley stephen.smalley.work@gmail.com 2026-04-30T18:36:52+00:00 urn:sha1:6509d775d86e9ac4d9f831c7fb05c011f6a4c11d commit 868f31e4061eca8c3cd607d79d954d5e54f204aa upstream. Currently sel_write_load() takes the policy mutex earlier than necessary. Move the taking of the mutex later. This avoids holding it unnecessarily across the vmalloc() and copy_from_user() of the policy data. Cc: stable@vger.kernel.org Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>