From: Matt Bobrowski <mattbobrowski@google.com>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Paul Moore <paul@paul-moore.com>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
Jiri Olsa <jolsa@kernel.org>, oxsignal <awo@kakao.com>
Subject: Re: [PATCH bpf-next] bpf: reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized
Date: Thu, 2 Jul 2026 20:55:32 +0000 [thread overview]
Message-ID: <akbQRG_Kp6ms7pTr@google.com> (raw)
In-Reply-To: <e3c95beb-8b74-4037-8520-9f3c18a35606@iogearbox.net>
On Tue, Jun 30, 2026 at 05:31:13PM +0200, Daniel Borkmann wrote:
> On 6/28/26 10:11 PM, Matt Bobrowski wrote:
> > When CONFIG_BPF_LSM=y is set, BPF inode storage maps
> > (BPF_MAP_TYPE_INODE_STORAGE) are compiled into the kernel. However,
> > if the BPF LSM is not explicitly enabled at boot time (e.g. omitted
> > from the "lsm=" boot parameter), lsm_prepare() is never executed for
> > the BPF LSM.
> >
> > Consequently, the BPF inode security blob offset
> > (bpf_lsm_blob_sizes.lbs_inode) is never initialized and remains at its
> > default compiled size of 8 bytes instead of being updated to a valid
> > offset past the reserved struct rcu_head (typically 16 bytes or more).
> >
> > When a privileged user creates and updates a
> > BPF_MAP_TYPE_INODE_STORAGE map, bpf_inode() evaluates
> > inode->i_security + 8. This erroneously aliases the struct
> > rcu_head.func callback pointer at the beginning of the
> > inode->i_security blob. During subsequent map element cleanup or inode
> > destruction, writing NULL to owner_storage clears the queued RCU
> > callback pointer. When rcu_do_batch() later executes the queued
> > callback, it attempts an instruction fetch at address 0x0, triggering
> > an immediate kernel panic.
> >
> > Fix this by introducing a global bpf_lsm_initialized boolean flag
> > marked with __ro_after_init. Set this flag to true inside
> > bpf_lsm_init() when the LSM framework successfully registers the BPF
> > LSM. Gate map allocation in inode_storage_map_alloc() on this flag,
> > returning -EOPNOTSUPP if the BPF LSM is in turn uninitialized.
> >
> > This fail-fast approach prevents userspace from allocating inode
> > storage maps when the supporting BPF LSM infrastructure is absent,
> > avoiding zombie map states.
> >
> > Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
> > Reported-by: oxsignal <awo@kakao.com>
> > Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
>
> (Looks like pwbot is asleep; applied to bpf.)
Thank you Daniel!
prev parent reply other threads:[~2026-07-02 20:55 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-28 20:11 [PATCH bpf-next] bpf: reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized Matt Bobrowski
2026-06-29 5:25 ` Emil Tsalapatis
2026-06-29 6:30 ` Amery Hung
2026-06-30 15:31 ` Daniel Borkmann
2026-07-02 20:55 ` Matt Bobrowski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=akbQRG_Kp6ms7pTr@google.com \
--to=mattbobrowski@google.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=awo@kakao.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=jolsa@kernel.org \
--cc=martin.lau@linux.dev \
--cc=paul@paul-moore.com \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox