From: Cai Xinchen <caixinchen1@huawei.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: <viro@zeniv.linux.org.uk>, <brauner@kernel.org>, <jack@suse.cz>,
<miklos@szeredi.hu>, <paul@paul-moore.com>, <jmorris@namei.org>,
<serge@hallyn.com>, <stephen.smalley.work@gmail.com>,
<omosnace@redhat.com>, <gregkh@linuxfoundation.org>,
<sashal@kernel.org>, <bboscaccy@linux.microsoft.com>,
<linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<linux-unionfs@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<selinux@vger.kernel.org>, <bpf@vger.kernel.org>,
<stable@vger.kernel.org>, <lujialin4@huawei.com>
Subject: Re: [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls
Date: Tue, 30 Jun 2026 11:06:05 +0800
Message-ID: <f4c8f5fe-30c3-4e7f-8512-7a2befdd1ed3@huawei.com>
In-Reply-To: <CAOQ4uxjcD0-PHqqmrpEvkLRgtKJGe8-n+6DQyBngjN2TorwU+g@mail.gmail.com>

Thank you for your reply. Regarding the two points of feedback:

First, 6.1 is still in the process of being adapted.

Second, this patch set is primarily intended to fix CVE-2026-46054, but
it seems that for lower versions to implement SELinux checks for overlay
mmap/mprotect checks, some dependencies are unavoidable. In such cases,
should we add more tests to reduce the risk and integrate the changes,
or should we simply not fix this issue? If more tests are needed, are
there any recommended test suites?

On 6/30/2026 1:31 AM, Amir Goldstein wrote:
> On Mon, Jun 29, 2026 at 8:38 AM Cai Xinchen <caixinchen1@huawei.com> wrote:
>> Backport the patch series
>> "Fix incorrect overlayfs mmap() and mprotect() LSM access controls" [1]
>> to 5.10 lts
> Chai,
>
> First of all, I don't think that stable maintainers are picking backports
> to 5.10 that were not backported to 6.1 and 5.15.
>
> Second, backporting backing_file as a dependency to LTS kernels is a pretty
> intrusive change, so your description above is very much lacking.
>
> Please do not backport backing_file to any of the LTS kernels without providing
> detailed explanation to try and convince the vfs maintainers that you
> verified this backport is safe for the LTS kernel, because honestly, this
> looks a bit risky for me.
>
> Thanks,
> Amir.

Thread overview: 10+ messages
2026-06-29 7:06 [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Cai Xinchen
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 1/7] ovl: pass layer mnt to ovl_open_realfile() Cai Xinchen
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 2/7] fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers Cai Xinchen
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 3/7] fs: use backing_file container for internal files with "fake" f_path Cai Xinchen
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 4/7] lsm: constify the 'file' parameter in security_binder_transfer_file() Cai Xinchen
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 5/7] fs: prepare for adding LSM blob to backing_file Cai Xinchen
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 6/7] lsm: add backing_file LSM hooks Cai Xinchen
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 7/7] selinux: fix overlayfs mmap() and mprotect() access checks Cai Xinchen
2026-06-29 17:31 ` [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Amir Goldstein
2026-06-30 3:06 ` Cai Xinchen [this message]