* Re: [PATCH 17/61] module: Prefer IS_ERR_OR_NULL over manual NULL check
From: Aaron Tomlin @ 2026-03-10 14:45 UTC (permalink / raw)
To: Philipp Hahn
Cc: amd-gfx, apparmor, bpf, ceph-devel, cocci, dm-devel, dri-devel,
gfs2, intel-gfx, intel-wired-lan, iommu, kvm, linux-arm-kernel,
linux-block, linux-bluetooth, linux-btrfs, linux-cifs, linux-clk,
linux-erofs, linux-ext4, linux-fsdevel, linux-gpio, linux-hyperv,
linux-input, linux-kernel, linux-leds, linux-media, linux-mips,
linux-mm, linux-modules, linux-mtd, linux-nfs, linux-omap,
linux-phy, linux-pm, linux-rockchip, linux-s390, linux-scsi,
linux-sctp, linux-security-module, linux-sh, linux-sound,
linux-stm32, linux-trace-kernel, linux-usb, linux-wireless,
netdev, ntfs3, samba-technical, sched-ext, target-devel,
tipc-discussion, v9fs, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen
In-Reply-To: <20260310-b4-is_err_or_null-v1-17-bd63b656022d@avm.de>
[-- Attachment #1: Type: text/plain, Size: 1458 bytes --]
On Tue, Mar 10, 2026 at 12:48:43PM +0100, Philipp Hahn wrote:
> Prefer using IS_ERR_OR_NULL() over using IS_ERR() and a manual NULL
> check.
>
> Change generated with coccinelle.
>
> To: Luis Chamberlain <mcgrof@kernel.org>
> To: Petr Pavlu <petr.pavlu@suse.com>
> To: Daniel Gomez <da.gomez@kernel.org>
> To: Sami Tolvanen <samitolvanen@google.com>
> To: Aaron Tomlin <atomlin@atomlin.com>
> Cc: linux-modules@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Philipp Hahn <phahn-oss@avm.de>
> ---
> kernel/module/main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index c3ce106c70af165e2dc1a3c79f5a074a5c3e3d34..7f62f0620dcd75960e431f7af3d1cadf4cc41e4b 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -1551,7 +1551,7 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
> case SHN_UNDEF:
> ksym = resolve_symbol_wait(mod, info, name);
> /* Ok if resolved. */
> - if (ksym && !IS_ERR(ksym)) {
> + if (!IS_ERR_OR_NULL(ksym)) {
> sym[i].st_value = kernel_symbol_value(ksym);
> break;
> }
>
> --
> 2.43.0
>
Hi Philipp,
Thank you.
Have you considered other users of IS_ERR() in kernel/module/main.c too?
Perhaps it might be best to prepare a clean up for each applicable
subsystem in isolation.
Kind regards,
--
Aaron Tomlin
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply
* [PATCH v2 0/2] kthread, exit: clean up kernel thread exit paths
From: Christian Brauner @ 2026-03-10 14:56 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, linux-modules, linux-nfs, bpf, kunit-dev, linux-doc,
linux-trace-kernel, netfs, io-uring, audit, rcu, kvm,
virtualization, netdev, linux-mm, linux-security-module,
Christian Loehle, linux-fsdevel, Christian Brauner
In 28aaa9c39945 ("kthread: consolidate kthread exit paths to prevent
use-after-free") we folded kthread_exit() into do_exit() to fix a UAF
bug but left kthread_exit() around as an alias. Remove it.
While at it, rename do_exit() to task_exit() to communicate that is not
just a private api.
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
Christian Brauner (2):
kthread: remove kthread_exit()
tree-wide: rename do_exit() to task_exit()
Documentation/accounting/taskstats-struct.rst | 2 +-
Documentation/locking/robust-futexes.rst | 8 ++++----
Documentation/trace/kprobes.rst | 2 +-
fs/cachefiles/namei.c | 2 +-
include/linux/kernel.h | 2 +-
include/linux/kthread.h | 1 -
include/linux/module.h | 2 +-
include/linux/sunrpc/svc.h | 2 +-
io_uring/io-wq.c | 2 +-
io_uring/sqpoll.c | 2 +-
kernel/acct.c | 2 +-
kernel/auditsc.c | 4 ++--
kernel/bpf/verifier.c | 2 +-
kernel/exit.c | 10 +++++-----
kernel/futex/futex.h | 2 +-
kernel/futex/pi.c | 2 +-
kernel/futex/syscalls.c | 2 +-
kernel/kthread.c | 8 ++++----
kernel/locking/rwsem.c | 2 +-
kernel/module/main.c | 2 +-
kernel/pid_namespace.c | 2 +-
kernel/rcu/tasks.h | 12 ++++++------
kernel/reboot.c | 6 +++---
kernel/seccomp.c | 8 ++++----
kernel/signal.c | 4 ++--
kernel/time/posix-timers.c | 2 +-
kernel/umh.c | 2 +-
kernel/vhost_task.c | 2 +-
lib/kunit/try-catch.c | 2 +-
mm/hugetlb.c | 2 +-
security/tomoyo/gc.c | 2 +-
tools/objtool/noreturns.h | 3 +--
tools/testing/selftests/bpf/prog_tests/tracing_failure.c | 2 +-
tools/testing/selftests/bpf/progs/tracing_failure.c | 2 +-
.../selftests/ftrace/test.d/dynevent/fprobe_syntax_errors.tc | 2 +-
.../selftests/ftrace/test.d/kprobe/kprobe_multiprobe.tc | 2 +-
.../selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc | 2 +-
37 files changed, 58 insertions(+), 60 deletions(-)
---
base-commit: 1f318b96cc84d7c2ab792fcc0bfd42a7ca890681
change-id: 20260306-work-kernel-exit-2e8fd9e2c2a1
^ permalink raw reply
* [PATCH v2 1/2] kthread: remove kthread_exit()
From: Christian Brauner @ 2026-03-10 14:56 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, linux-modules, linux-nfs, bpf, kunit-dev, linux-doc,
linux-trace-kernel, netfs, io-uring, audit, rcu, kvm,
virtualization, netdev, linux-mm, linux-security-module,
Christian Loehle, linux-fsdevel, Christian Brauner
In-Reply-To: <20260310-work-kernel-exit-v2-0-30711759d87b@kernel.org>
In 28aaa9c39945 ("kthread: consolidate kthread exit paths to prevent use-after-free")
we folded kthread_exit() into do_exit() when we fixed a nasty UAF bug.
We left kthread_exit() around as an alias to do_exit(). Remove it
completely.
Reported-by: Christian Loehle <christian.loehle@arm.com>
Link: https://lore.kernel.org/1ff1bce2-8bb4-463c-a631-16e14f4ea7e2@arm.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
include/linux/kthread.h | 1 -
include/linux/module.h | 2 +-
include/linux/sunrpc/svc.h | 2 +-
kernel/kthread.c | 8 ++++----
kernel/module/main.c | 2 +-
lib/kunit/try-catch.c | 2 +-
tools/objtool/noreturns.h | 1 -
7 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/include/linux/kthread.h b/include/linux/kthread.h
index a01a474719a7..37982eca94f1 100644
--- a/include/linux/kthread.h
+++ b/include/linux/kthread.h
@@ -116,7 +116,6 @@ void *kthread_probe_data(struct task_struct *k);
int kthread_park(struct task_struct *k);
void kthread_unpark(struct task_struct *k);
void kthread_parkme(void);
-#define kthread_exit(result) do_exit(result)
void kthread_complete_and_exit(struct completion *, long) __noreturn;
int kthreads_update_housekeeping(void);
void kthread_do_exit(struct kthread *, long);
diff --git a/include/linux/module.h b/include/linux/module.h
index 14f391b186c6..79ac4a700b39 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -855,7 +855,7 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
return 0;
}
-#define module_put_and_kthread_exit(code) kthread_exit(code)
+#define module_put_and_kthread_exit(code) do_exit(code)
static inline void print_modules(void)
{
diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
index 4dc14c7a711b..c86fc8a87eae 100644
--- a/include/linux/sunrpc/svc.h
+++ b/include/linux/sunrpc/svc.h
@@ -338,7 +338,7 @@ static inline void svc_thread_init_status(struct svc_rqst *rqstp, int err)
{
store_release_wake_up(&rqstp->rq_err, err);
if (err)
- kthread_exit(1);
+ do_exit(1);
}
struct svc_deferred_req {
diff --git a/kernel/kthread.c b/kernel/kthread.c
index 791210daf8b4..1447c14c8540 100644
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -323,7 +323,7 @@ void __noreturn kthread_complete_and_exit(struct completion *comp, long code)
if (comp)
complete(comp);
- kthread_exit(code);
+ do_exit(code);
}
EXPORT_SYMBOL(kthread_complete_and_exit);
@@ -395,7 +395,7 @@ static int kthread(void *_create)
if (!done) {
kfree(create->full_name);
kfree(create);
- kthread_exit(-EINTR);
+ do_exit(-EINTR);
}
self->full_name = create->full_name;
@@ -435,7 +435,7 @@ static int kthread(void *_create)
__kthread_parkme(self);
ret = threadfn(data);
}
- kthread_exit(ret);
+ do_exit(ret);
}
/* called from kernel_clone() to get node information for about to be created task */
@@ -738,7 +738,7 @@ EXPORT_SYMBOL_GPL(kthread_park);
* instead of calling wake_up_process(): the thread will exit without
* calling threadfn().
*
- * If threadfn() may call kthread_exit() itself, the caller must ensure
+ * If threadfn() may call do_exit() itself, the caller must ensure
* task_struct can't go away.
*
* Returns the result of threadfn(), or %-EINTR if wake_up_process()
diff --git a/kernel/module/main.c b/kernel/module/main.c
index c3ce106c70af..340b4dc5c692 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -228,7 +228,7 @@ static int mod_strncmp(const char *str_a, const char *str_b, size_t n)
void __noreturn __module_put_and_kthread_exit(struct module *mod, long code)
{
module_put(mod);
- kthread_exit(code);
+ do_exit(code);
}
EXPORT_SYMBOL(__module_put_and_kthread_exit);
diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c
index d84a879f0a78..99d9603a2cfd 100644
--- a/lib/kunit/try-catch.c
+++ b/lib/kunit/try-catch.c
@@ -18,7 +18,7 @@
void __noreturn kunit_try_catch_throw(struct kunit_try_catch *try_catch)
{
try_catch->try_result = -EFAULT;
- kthread_exit(0);
+ do_exit(0);
}
EXPORT_SYMBOL_GPL(kunit_try_catch_throw);
diff --git a/tools/objtool/noreturns.h b/tools/objtool/noreturns.h
index 14f8ab653449..40c0b05c6726 100644
--- a/tools/objtool/noreturns.h
+++ b/tools/objtool/noreturns.h
@@ -30,7 +30,6 @@ NORETURN(ex_handler_msr_mce)
NORETURN(hlt_play_dead)
NORETURN(hv_ghcb_terminate)
NORETURN(kthread_complete_and_exit)
-NORETURN(kthread_exit)
NORETURN(kunit_try_catch_throw)
NORETURN(machine_real_restart)
NORETURN(make_task_dead)
--
2.47.3
^ permalink raw reply related
* [PATCH v2 2/2] tree-wide: rename do_exit() to task_exit()
From: Christian Brauner @ 2026-03-10 14:56 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, linux-modules, linux-nfs, bpf, kunit-dev, linux-doc,
linux-trace-kernel, netfs, io-uring, audit, rcu, kvm,
virtualization, netdev, linux-mm, linux-security-module,
Christian Loehle, linux-fsdevel, Christian Brauner
In-Reply-To: <20260310-work-kernel-exit-v2-0-30711759d87b@kernel.org>
Rename do_exit() to task_exit() so it's clear that this is an api and
not a hidden internal helper.
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
Documentation/accounting/taskstats-struct.rst | 2 +-
Documentation/locking/robust-futexes.rst | 8 ++++----
Documentation/trace/kprobes.rst | 2 +-
fs/cachefiles/namei.c | 2 +-
include/linux/kernel.h | 2 +-
include/linux/module.h | 2 +-
include/linux/sunrpc/svc.h | 2 +-
io_uring/io-wq.c | 2 +-
io_uring/sqpoll.c | 2 +-
kernel/acct.c | 2 +-
kernel/auditsc.c | 4 ++--
kernel/bpf/verifier.c | 2 +-
kernel/exit.c | 10 +++++-----
kernel/futex/futex.h | 2 +-
kernel/futex/pi.c | 2 +-
kernel/futex/syscalls.c | 2 +-
kernel/kthread.c | 8 ++++----
kernel/locking/rwsem.c | 2 +-
kernel/module/main.c | 2 +-
kernel/pid_namespace.c | 2 +-
kernel/rcu/tasks.h | 12 ++++++------
kernel/reboot.c | 6 +++---
kernel/seccomp.c | 8 ++++----
kernel/signal.c | 4 ++--
kernel/time/posix-timers.c | 2 +-
kernel/umh.c | 2 +-
kernel/vhost_task.c | 2 +-
lib/kunit/try-catch.c | 2 +-
mm/hugetlb.c | 2 +-
security/tomoyo/gc.c | 2 +-
tools/objtool/noreturns.h | 2 +-
tools/testing/selftests/bpf/prog_tests/tracing_failure.c | 2 +-
tools/testing/selftests/bpf/progs/tracing_failure.c | 2 +-
.../selftests/ftrace/test.d/dynevent/fprobe_syntax_errors.tc | 2 +-
.../selftests/ftrace/test.d/kprobe/kprobe_multiprobe.tc | 2 +-
.../selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc | 2 +-
36 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/Documentation/accounting/taskstats-struct.rst b/Documentation/accounting/taskstats-struct.rst
index acca51c34157..a09ec032da81 100644
--- a/Documentation/accounting/taskstats-struct.rst
+++ b/Documentation/accounting/taskstats-struct.rst
@@ -9,7 +9,7 @@ There are three different groups of fields in the struct taskstats:
1) Common and basic accounting fields
If CONFIG_TASKSTATS is set, the taskstats interface is enabled and
the common fields and basic accounting fields are collected for
- delivery at do_exit() of a task.
+ delivery at task_exit() of a task.
2) Delay accounting fields
These fields are placed between::
diff --git a/Documentation/locking/robust-futexes.rst b/Documentation/locking/robust-futexes.rst
index 6361fb01c9c1..c10a2fabf3f9 100644
--- a/Documentation/locking/robust-futexes.rst
+++ b/Documentation/locking/robust-futexes.rst
@@ -55,7 +55,7 @@ To solve this problem, the traditional approach was to extend the vma
(virtual memory area descriptor) concept to have a notion of 'pending
robust futexes attached to this area'. This approach requires 3 new
syscall variants to sys_futex(): FUTEX_REGISTER, FUTEX_DEREGISTER and
-FUTEX_RECOVER. At do_exit() time, all vmas are searched to see whether
+FUTEX_RECOVER. At task_exit() time, all vmas are searched to see whether
they have a robust_head set. This approach has two fundamental problems
left:
@@ -89,11 +89,11 @@ New approach to robust futexes
At the heart of this new approach there is a per-thread private list of
robust locks that userspace is holding (maintained by glibc) - which
userspace list is registered with the kernel via a new syscall [this
-registration happens at most once per thread lifetime]. At do_exit()
+registration happens at most once per thread lifetime]. At task_exit()
time, the kernel checks this user-space list: are there any robust futex
locks to be cleaned up?
-In the common case, at do_exit() time, there is no list registered, so
+In the common case, at task_exit() time, there is no list registered, so
the cost of robust futexes is just a simple current->robust_list != NULL
comparison. If the thread has registered a list, then normally the list
is empty. If the thread/process crashed or terminated in some incorrect
@@ -102,7 +102,7 @@ walks the list [not trusting it], and marks all locks that are owned by
this thread with the FUTEX_OWNER_DIED bit, and wakes up one waiter (if
any).
-The list is guaranteed to be private and per-thread at do_exit() time,
+The list is guaranteed to be private and per-thread at task_exit() time,
so it can be accessed by the kernel in a lockless way.
There is one race possible though: since adding to and removing from the
diff --git a/Documentation/trace/kprobes.rst b/Documentation/trace/kprobes.rst
index 5e606730cec6..ca9c22588dff 100644
--- a/Documentation/trace/kprobes.rst
+++ b/Documentation/trace/kprobes.rst
@@ -593,7 +593,7 @@ produce undesirable results. In such a case, a line:
kretprobe BUG!: Processing kretprobe d000000000041aa8 @ c00000000004f48c
gets printed. With this information, one will be able to correlate the
exact instance of the kretprobe that caused the problem. We have the
-do_exit() case covered. do_execve() and do_fork() are not an issue.
+task_exit() case covered. do_execve() and do_fork() are not an issue.
We're unaware of other specific cases where this could be a problem.
If, upon entry to or exit from a function, the CPU is running on
diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
index e5ec90dccc27..803657450f6b 100644
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -555,7 +555,7 @@ static bool cachefiles_open_file(struct cachefiles_object *object,
}
/* We need to open a file interface onto a data file now as we can't do
- * it on demand because writeback called from do_exit() sees
+ * it on demand because writeback called from task_exit() sees
* current->fs == NULL - which breaks d_path() called from ext4 open.
*/
path.mnt = cache->mnt;
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index e5570a16cbb1..91ce3abd65ad 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -148,7 +148,7 @@ void __might_fault(const char *file, int line);
static inline void might_fault(void) { }
#endif
-void do_exit(long error_code) __noreturn;
+void task_exit(long error_code) __noreturn;
extern int core_kernel_text(unsigned long addr);
extern int __kernel_text_address(unsigned long addr);
diff --git a/include/linux/module.h b/include/linux/module.h
index 79ac4a700b39..61254c7af4b8 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -855,7 +855,7 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
return 0;
}
-#define module_put_and_kthread_exit(code) do_exit(code)
+#define module_put_and_kthread_exit(code) task_exit(code)
static inline void print_modules(void)
{
diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
index c86fc8a87eae..41cc1a8bfc95 100644
--- a/include/linux/sunrpc/svc.h
+++ b/include/linux/sunrpc/svc.h
@@ -338,7 +338,7 @@ static inline void svc_thread_init_status(struct svc_rqst *rqstp, int err)
{
store_release_wake_up(&rqstp->rq_err, err);
if (err)
- do_exit(1);
+ task_exit(1);
}
struct svc_deferred_req {
diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
index 7a9f94a0ce6f..6befba7b9473 100644
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -261,7 +261,7 @@ static void io_worker_exit(struct io_worker *worker)
kfree_rcu(worker, rcu);
io_worker_ref_put(wq);
- do_exit(0);
+ task_exit(0);
}
static inline bool __io_acct_run_queue(struct io_wq_acct *acct)
diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
index c6bb938ec5ea..b7968a0aa748 100644
--- a/io_uring/sqpoll.c
+++ b/io_uring/sqpoll.c
@@ -423,7 +423,7 @@ static int io_sq_thread(void *data)
mutex_unlock(&sqd->lock);
err_out:
complete(&sqd->exited);
- do_exit(0);
+ task_exit(0);
}
void io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
diff --git a/kernel/acct.c b/kernel/acct.c
index 1e19722c64c3..0c9a2280b1ff 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -424,7 +424,7 @@ static u32 encode_float(u64 value)
* The acct_process() call is the workhorse of the process
* accounting system. The struct acct is built here and then written
* into the accounting file. This function should only be called from
- * do_exit() or when switching to a different output file.
+ * task_exit() or when switching to a different output file.
*/
static void fill_ac(struct bsd_acct_struct *acct)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f6af6a8f68c4..921acd5c8e77 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1797,7 +1797,7 @@ static void audit_log_exit(void)
* __audit_free - free a per-task audit context
* @tsk: task whose audit context block to free
*
- * Called from copy_process, do_exit, and the io_uring code
+ * Called from copy_process, task_exit, and the io_uring code
*/
void __audit_free(struct task_struct *tsk)
{
@@ -1810,7 +1810,7 @@ void __audit_free(struct task_struct *tsk)
if (!list_empty(&context->killed_trees))
audit_kill_trees(context);
- /* We are called either by do_exit() or the fork() error handling code;
+ /* We are called either by task_exit() or the fork() error handling code;
* in the former case tsk == current and in the latter tsk is a
* random task_struct that doesn't have any meaningful data we
* need to log via audit_log_exit().
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 159b25f8269d..4dff24eb86b0 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -25289,10 +25289,10 @@ BTF_ID(func, __module_put_and_kthread_exit)
BTF_ID(func, __x64_sys_exit)
BTF_ID(func, __x64_sys_exit_group)
#endif
-BTF_ID(func, do_exit)
BTF_ID(func, do_group_exit)
BTF_ID(func, kthread_complete_and_exit)
BTF_ID(func, make_task_dead)
+BTF_ID(func, task_exit)
BTF_SET_END(noreturn_deny)
static bool can_be_sleepable(struct bpf_prog *prog)
diff --git a/kernel/exit.c b/kernel/exit.c
index ede3117fa7d4..6c5c0968da14 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -893,7 +893,7 @@ static void synchronize_group_exit(struct task_struct *tsk, long code)
coredump_task_exit(tsk, core_state);
}
-void __noreturn do_exit(long code)
+void __noreturn task_exit(long code)
{
struct task_struct *tsk = current;
struct kthread *kthread;
@@ -1018,7 +1018,7 @@ void __noreturn do_exit(long code)
lockdep_free_task(tsk);
do_task_dead();
}
-EXPORT_SYMBOL(do_exit);
+EXPORT_SYMBOL(task_exit);
void __noreturn make_task_dead(int signr)
{
@@ -1077,12 +1077,12 @@ void __noreturn make_task_dead(int signr)
do_task_dead();
}
- do_exit(signr);
+ task_exit(signr);
}
SYSCALL_DEFINE1(exit, int, error_code)
{
- do_exit((error_code&0xff)<<8);
+ task_exit((error_code&0xff)<<8);
}
/*
@@ -1115,7 +1115,7 @@ do_group_exit(int exit_code)
spin_unlock_irq(&sighand->siglock);
}
- do_exit(exit_code);
+ task_exit(exit_code);
/* NOTREACHED */
}
diff --git a/kernel/futex/futex.h b/kernel/futex/futex.h
index 30c2afa03889..00fb2fc6579c 100644
--- a/kernel/futex/futex.h
+++ b/kernel/futex/futex.h
@@ -144,7 +144,7 @@ struct futex_hash_bucket {
struct futex_pi_state {
/*
* list of 'owned' pi_state instances - these have to be
- * cleaned up in do_exit() if the task exits prematurely:
+ * cleaned up in task_exit() if the task exits prematurely:
*/
struct list_head list;
diff --git a/kernel/futex/pi.c b/kernel/futex/pi.c
index bc1f7e83a37e..735b117574af 100644
--- a/kernel/futex/pi.c
+++ b/kernel/futex/pi.c
@@ -336,7 +336,7 @@ static int handle_exit_race(u32 __user *uaddr, u32 uval,
* CPU0 CPU1
*
* sys_exit() sys_futex()
- * do_exit() futex_lock_pi()
+ * task_exit() futex_lock_pi()
* futex_lock_pi_atomic()
* exit_signals(tsk) No waiters:
* tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
index 743c7a728237..0ab5af6b9caf 100644
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -10,7 +10,7 @@
* thread exit time.
*
* Implementation: user-space maintains a per-thread list of locks it
- * is holding. Upon do_exit(), the kernel carefully walks this list,
+ * is holding. Upon task_exit(), the kernel carefully walks this list,
* and marks all locks that are owned by this thread with the
* FUTEX_OWNER_DIED bit, and wakes up a waiter (if any). The list is
* always manipulated with the lock held, so the list is private and
diff --git a/kernel/kthread.c b/kernel/kthread.c
index 1447c14c8540..e3d456e8d1e4 100644
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -323,7 +323,7 @@ void __noreturn kthread_complete_and_exit(struct completion *comp, long code)
if (comp)
complete(comp);
- do_exit(code);
+ task_exit(code);
}
EXPORT_SYMBOL(kthread_complete_and_exit);
@@ -395,7 +395,7 @@ static int kthread(void *_create)
if (!done) {
kfree(create->full_name);
kfree(create);
- do_exit(-EINTR);
+ task_exit(-EINTR);
}
self->full_name = create->full_name;
@@ -435,7 +435,7 @@ static int kthread(void *_create)
__kthread_parkme(self);
ret = threadfn(data);
}
- do_exit(ret);
+ task_exit(ret);
}
/* called from kernel_clone() to get node information for about to be created task */
@@ -738,7 +738,7 @@ EXPORT_SYMBOL_GPL(kthread_park);
* instead of calling wake_up_process(): the thread will exit without
* calling threadfn().
*
- * If threadfn() may call do_exit() itself, the caller must ensure
+ * If threadfn() may call task_exit() itself, the caller must ensure
* task_struct can't go away.
*
* Returns the result of threadfn(), or %-EINTR if wake_up_process()
diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c
index 24df4d98f7d2..390170de66af 100644
--- a/kernel/locking/rwsem.c
+++ b/kernel/locking/rwsem.c
@@ -554,7 +554,7 @@ static void rwsem_mark_wake(struct rw_semaphore *sem,
/*
* Ensure calling get_task_struct() before setting the reader
* waiter to nil such that rwsem_down_read_slowpath() cannot
- * race with do_exit() by always holding a reference count
+ * race with task_exit() by always holding a reference count
* to the task to wakeup.
*/
smp_store_release(&waiter->task, NULL);
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 340b4dc5c692..a06b6cc7402f 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -228,7 +228,7 @@ static int mod_strncmp(const char *str_a, const char *str_b, size_t n)
void __noreturn __module_put_and_kthread_exit(struct module *mod, long code)
{
module_put(mod);
- do_exit(code);
+ task_exit(code);
}
EXPORT_SYMBOL(__module_put_and_kthread_exit);
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index e48f5de41361..ef84e15530f3 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -339,7 +339,7 @@ int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd)
send_sig(SIGKILL, pid_ns->child_reaper, 1);
read_unlock(&tasklist_lock);
- do_exit(0);
+ task_exit(0);
/* Not reached */
return 0;
diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
index 2b55e6acf3c1..657770e8b1cc 100644
--- a/kernel/rcu/tasks.h
+++ b/kernel/rcu/tasks.h
@@ -32,7 +32,7 @@ typedef void (*postgp_func_t)(struct rcu_tasks *rtp);
* @rtp_irq_work: IRQ work queue for deferred wakeups.
* @barrier_q_head: RCU callback for barrier operation.
* @rtp_blkd_tasks: List of tasks blocked as readers.
- * @rtp_exit_list: List of tasks in the latter portion of do_exit().
+ * @rtp_exit_list: List of tasks in the latter portion of task_exit().
* @cpu: CPU number corresponding to this entry.
* @index: Index of this CPU in rtpcp_array of the rcu_tasks structure.
* @rtpp: Pointer to the rcu_tasks structure.
@@ -922,12 +922,12 @@ static void rcu_tasks_wait_gp(struct rcu_tasks *rtp)
// number of voluntary context switches, and add that task to the
// holdout list.
// rcu_tasks_postscan():
-// Gather per-CPU lists of tasks in do_exit() to ensure that all
+// Gather per-CPU lists of tasks in task_exit() to ensure that all
// tasks that were in the process of exiting (and which thus might
// not know to synchronize with this RCU Tasks grace period) have
// completed exiting. The synchronize_rcu() in rcu_tasks_postgp()
// will take care of any tasks stuck in the non-preemptible region
-// of do_exit() following its call to exit_tasks_rcu_finish().
+// of task_exit() following its call to exit_tasks_rcu_finish().
// check_all_holdout_tasks(), repeatedly until holdout list is empty:
// Scans the holdout list, attempting to identify a quiescent state
// for each task on the list. If there is a quiescent state, the
@@ -1038,10 +1038,10 @@ static void rcu_tasks_postscan(struct list_head *hop)
*
* 1) A task_struct list addition before calling exit_notify(),
* which may remove the task from the tasklist, with the
- * removal after the final preempt_disable() call in do_exit().
+ * removal after the final preempt_disable() call in task_exit().
*
* 2) An _RCU_ read side starting with the final preempt_disable()
- * call in do_exit() and ending with the final call to schedule()
+ * call in task_exit() and ending with the final call to schedule()
* with TASK_DEAD state.
*
* This handles the part 1). And postgp will handle part 2) with a
@@ -1301,7 +1301,7 @@ void exit_tasks_rcu_start(void)
}
/*
- * Remove the task from the "yet another list" because do_exit() is now
+ * Remove the task from the "yet another list" because task_exit() is now
* non-preemptible, allowing synchronize_rcu() to wait beyond this point.
*/
void exit_tasks_rcu_finish(void)
diff --git a/kernel/reboot.c b/kernel/reboot.c
index 695c33e75efd..ceaf725bb423 100644
--- a/kernel/reboot.c
+++ b/kernel/reboot.c
@@ -747,7 +747,7 @@ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,
/*
* If pid namespaces are enabled and the current task is in a child
* pid_namespace, the command is handled by reboot_pid_ns() which will
- * call do_exit().
+ * call task_exit().
*/
ret = reboot_pid_ns(pid_ns, cmd);
if (ret)
@@ -777,11 +777,11 @@ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,
case LINUX_REBOOT_CMD_HALT:
kernel_halt();
- do_exit(0);
+ task_exit(0);
case LINUX_REBOOT_CMD_POWER_OFF:
kernel_power_off();
- do_exit(0);
+ task_exit(0);
break;
case LINUX_REBOOT_CMD_RESTART2:
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 066909393c38..f55d1c242e41 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1081,7 +1081,7 @@ static void __secure_computing_strict(int this_syscall)
#endif
current->seccomp.mode = SECCOMP_MODE_DEAD;
seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL_THREAD, true);
- do_exit(SIGKILL);
+ task_exit(SIGKILL);
}
#ifndef CONFIG_HAVE_ARCH_SECCOMP_FILTER
@@ -1365,7 +1365,7 @@ static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
/* Trigger a coredump with SIGSYS */
force_sig_seccomp(this_syscall, data, true);
} else {
- do_exit(SIGSYS);
+ task_exit(SIGSYS);
}
return -1; /* skip the syscall go directly to signal handling */
}
@@ -1398,14 +1398,14 @@ int __secure_computing(void)
switch (mode) {
case SECCOMP_MODE_STRICT:
- __secure_computing_strict(this_syscall); /* may call do_exit */
+ __secure_computing_strict(this_syscall); /* may call task_exit */
return 0;
case SECCOMP_MODE_FILTER:
return __seccomp_filter(this_syscall, false);
/* Surviving SECCOMP_RET_KILL_* must be proactively impossible. */
case SECCOMP_MODE_DEAD:
WARN_ON_ONCE(1);
- do_exit(SIGKILL);
+ task_exit(SIGKILL);
return -1;
default:
BUG();
diff --git a/kernel/signal.c b/kernel/signal.c
index d65d0fe24bfb..675f222074e1 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2238,7 +2238,7 @@ bool do_notify_parent(struct task_struct *tsk, int sig)
* or setting the SA_NOCLDWAIT flag: we should be reaped
* automatically and not left for our parent's wait4 call.
* Rather than having the parent do it as a magic kind of
- * signal handler, we just set this to tell do_exit that we
+ * signal handler, we just set this to tell task_exit that we
* can be cleaned up without becoming a zombie. Note that
* we still call __wake_up_parent in this case, because a
* blocked sys_wait4 might now return -ECHILD.
@@ -3022,7 +3022,7 @@ bool get_signal(struct ksignal *ksig)
/*
* PF_USER_WORKER threads will catch and exit on fatal signals
* themselves. They have cleanup that must be performed, so we
- * cannot call do_exit() on their behalf. Note that ksig won't
+ * cannot call task_exit() on their behalf. Note that ksig won't
* be properly initialized, PF_USER_WORKER's shouldn't use it.
*/
if (current->flags & PF_USER_WORKER)
diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index 413e2389f0a5..08657975d714 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -1063,7 +1063,7 @@ SYSCALL_DEFINE1(timer_delete, timer_t, timer_id)
}
/*
- * Invoked from do_exit() when the last thread of a thread group exits.
+ * Invoked from task_exit() when the last thread of a thread group exits.
* At that point no other task can access the timers of the dying
* task anymore.
*/
diff --git a/kernel/umh.c b/kernel/umh.c
index cffda97d961c..69ee75ca9340 100644
--- a/kernel/umh.c
+++ b/kernel/umh.c
@@ -119,7 +119,7 @@ static int call_usermodehelper_exec_async(void *data)
umh_complete(sub_info);
if (!retval)
return 0;
- do_exit(0);
+ task_exit(0);
}
/* Handles UMH_WAIT_PROC. */
diff --git a/kernel/vhost_task.c b/kernel/vhost_task.c
index 3f1ed7ef0582..554ec8fe7f5a 100644
--- a/kernel/vhost_task.c
+++ b/kernel/vhost_task.c
@@ -64,7 +64,7 @@ static int vhost_task_fn(void *data)
mutex_unlock(&vtsk->exit_mutex);
complete(&vtsk->exited);
- do_exit(0);
+ task_exit(0);
}
/**
diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c
index 99d9603a2cfd..e5de71d68ef4 100644
--- a/lib/kunit/try-catch.c
+++ b/lib/kunit/try-catch.c
@@ -18,7 +18,7 @@
void __noreturn kunit_try_catch_throw(struct kunit_try_catch *try_catch)
{
try_catch->try_result = -EFAULT;
- do_exit(0);
+ task_exit(0);
}
EXPORT_SYMBOL_GPL(kunit_try_catch_throw);
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 0beb6e22bc26..a7ca30d533e7 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5294,7 +5294,7 @@ void __unmap_hugepage_range(struct mmu_gather *tlb, struct vm_area_struct *vma,
* Adjust the reservation for the region that will have the
* reserve restored. Keep in mind that vma_needs_reservation() changes
* resv->adds_in_progress if it succeeds. If this is not done,
- * do_exit() will not see it, and will keep the reservation
+ * task_exit() will not see it, and will keep the reservation
* forever.
*/
if (adjust_reservation) {
diff --git a/security/tomoyo/gc.c b/security/tomoyo/gc.c
index 8e2008863af8..e0b72661d6bf 100644
--- a/security/tomoyo/gc.c
+++ b/security/tomoyo/gc.c
@@ -640,7 +640,7 @@ static int tomoyo_gc_thread(void *unused)
}
mutex_unlock(&tomoyo_gc_mutex);
out:
- /* This acts as do_exit(0). */
+ /* This acts as task_exit(0). */
return 0;
}
diff --git a/tools/objtool/noreturns.h b/tools/objtool/noreturns.h
index 40c0b05c6726..48fc90f30769 100644
--- a/tools/objtool/noreturns.h
+++ b/tools/objtool/noreturns.h
@@ -23,7 +23,6 @@ NORETURN(bch2_trans_restart_error)
NORETURN(bch2_trans_unlocked_or_in_restart_error)
NORETURN(cpu_bringup_and_idle)
NORETURN(cpu_startup_entry)
-NORETURN(do_exit)
NORETURN(do_group_exit)
NORETURN(do_task_dead)
NORETURN(ex_handler_msr_mce)
@@ -47,6 +46,7 @@ NORETURN(rust_helper_BUG)
NORETURN(sev_es_terminate)
NORETURN(start_kernel)
NORETURN(stop_this_cpu)
+NORETURN(task_exit)
NORETURN(usercopy_abort)
NORETURN(x86_64_start_kernel)
NORETURN(x86_64_start_reservations)
diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_failure.c b/tools/testing/selftests/bpf/prog_tests/tracing_failure.c
index f9f9e1cb87bf..1a97e71fd68d 100644
--- a/tools/testing/selftests/bpf/prog_tests/tracing_failure.c
+++ b/tools/testing/selftests/bpf/prog_tests/tracing_failure.c
@@ -73,7 +73,7 @@ static void test_tracing_deny(void)
static void test_fexit_noreturns(void)
{
test_tracing_fail_prog("fexit_noreturns",
- "Attaching fexit/fsession/fmod_ret to __noreturn function 'do_exit' is rejected.");
+ "Attaching fexit/fsession/fmod_ret to __noreturn function 'task_exit' is rejected.");
}
void test_tracing_failure(void)
diff --git a/tools/testing/selftests/bpf/progs/tracing_failure.c b/tools/testing/selftests/bpf/progs/tracing_failure.c
index 65e485c4468c..5144f4cc5787 100644
--- a/tools/testing/selftests/bpf/progs/tracing_failure.c
+++ b/tools/testing/selftests/bpf/progs/tracing_failure.c
@@ -25,7 +25,7 @@ int BPF_PROG(tracing_deny)
return 0;
}
-SEC("?fexit/do_exit")
+SEC("?fexit/task_exit")
int BPF_PROG(fexit_noreturns)
{
return 0;
diff --git a/tools/testing/selftests/ftrace/test.d/dynevent/fprobe_syntax_errors.tc b/tools/testing/selftests/ftrace/test.d/dynevent/fprobe_syntax_errors.tc
index fee479295e2f..7e00d8ecd110 100644
--- a/tools/testing/selftests/ftrace/test.d/dynevent/fprobe_syntax_errors.tc
+++ b/tools/testing/selftests/ftrace/test.d/dynevent/fprobe_syntax_errors.tc
@@ -82,7 +82,7 @@ check_error 'f vfs_read arg1=^' # NO_ARG_BODY
# multiprobe errors
if grep -q "Create/append/" README && grep -q "imm-value" README; then
echo "f:fprobes/testevent $FUNCTION_FORK" > dynamic_events
-check_error '^f:fprobes/testevent do_exit%return' # DIFF_PROBE_TYPE
+check_error '^f:fprobes/testevent task_exit%return' # DIFF_PROBE_TYPE
# Explicitly use printf "%s" to not interpret \1
printf "%s" "f:fprobes/testevent $FUNCTION_FORK abcd=\\1" > dynamic_events
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_multiprobe.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_multiprobe.tc
index f0d5b7777ed7..a95e3824690a 100644
--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_multiprobe.tc
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_multiprobe.tc
@@ -5,7 +5,7 @@
# Choose 2 symbols for target
SYM1=$FUNCTION_FORK
-SYM2=do_exit
+SYM2=task_exit
EVENT_NAME=kprobes/testevent
DEF1="p:$EVENT_NAME $SYM1"
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc
index 8f1c58f0c239..b55ea3c05cfa 100644
--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc
@@ -87,7 +87,7 @@ esac
# multiprobe errors
if grep -q "Create/append/" README && grep -q "imm-value" README; then
echo "p:kprobes/testevent $FUNCTION_FORK" > kprobe_events
-check_error '^r:kprobes/testevent do_exit' # DIFF_PROBE_TYPE
+check_error '^r:kprobes/testevent task_exit' # DIFF_PROBE_TYPE
# Explicitly use printf "%s" to not interpret \1
printf "%s" "p:kprobes/testevent $FUNCTION_FORK abcd=\\1" > kprobe_events
--
2.47.3
^ permalink raw reply related
* RE: [EXTERNAL] [PATCH 38/61] net: Prefer IS_ERR_OR_NULL over manual NULL check
From: Elad Nachman @ 2026-03-10 15:07 UTC (permalink / raw)
To: Philipp Hahn, amd-gfx@lists.freedesktop.org,
apparmor@lists.ubuntu.com, bpf@vger.kernel.org,
ceph-devel@vger.kernel.org, cocci@inria.fr,
dm-devel@lists.linux.dev, dri-devel@lists.freedesktop.org,
gfs2@lists.linux.dev, intel-gfx@lists.freedesktop.org,
intel-wired-lan@lists.osuosl.org, iommu@lists.linux.dev,
kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-block@vger.kernel.org, linux-bluetooth@vger.kernel.org,
linux-btrfs@vger.kernel.org, linux-cifs@vger.kernel.org,
linux-clk@vger.kernel.org, linux-erofs@lists.ozlabs.org,
linux-ext4@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-gpio@vger.kernel.org, linux-hyperv@vger.kernel.org,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-leds@vger.kernel.org, linux-media@vger.kernel.org,
linux-mips@vger.kernel.org, linux-mm@kvack.org,
linux-modules@vger.kernel.org, linux-mtd@lists.infradead.org,
linux-nfs@vger.kernel.org, linux-omap@vger.kernel.org,
linux-phy@lists.infradead.org, linux-pm@vger.kernel.org,
linux-rockchip@lists.infradead.org, linux-s390@vger.kernel.org,
linux-scsi@vger.kernel.org, linux-sctp@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-sh@vger.kernel.org,
linux-sound@vger.kernel.org,
linux-stm32@st-md-mailman.stormreply.com,
linux-trace-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
ntfs3@lists.linux.dev, samba-technical@lists.samba.org,
sched-ext@lists.linux.dev, target-devel@vger.kernel.org,
tipc-discussion@lists.sourceforge.net, v9fs@lists.linux.dev
Cc: Igor Russkikh, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Pavan Chebbi, Michael Chan,
Potnuri Bharat Teja, Tony Nguyen, Przemek Kitszel, Taras Chornyi,
Maxime Coquelin, Alexandre Torgue, Iyappan Subramanian,
Keyur Chudgar, Quan Nguyen, Heiner Kallweit, Russell King
In-Reply-To: <20260310-b4-is_err_or_null-v1-38-bd63b656022d@avm.de>
>
>
> From: Philipp Hahn <phahn-oss@avm.de>
> Sent: Tuesday, March 10, 2026 1:49 PM
> To: amd-gfx@lists.freedesktop.org; apparmor@lists.ubuntu.com; bpf@vger.kernel.org; ceph-devel@vger.kernel.org; cocci@inria.fr; dm-devel@lists.linux.dev; dri-devel@lists.freedesktop.org; gfs2@lists.linux.dev; intel-gfx@lists.freedesktop.org; intel-wired-lan@lists.osuosl.org; iommu@lists.linux.dev; kvm@vger.kernel.org; linux-arm-kernel@lists.infradead.org; linux-block@vger.kernel.org; linux-bluetooth@vger.kernel.org; linux-btrfs@vger.kernel.org; linux-cifs@vger.kernel.org; linux-clk@vger.kernel.org; linux-erofs@lists.ozlabs.org; linux-ext4@vger.kernel.org; linux-fsdevel@vger.kernel.org; linux-gpio@vger.kernel.org; linux-hyperv@vger.kernel.org; linux-input@vger.kernel.org; linux-kernel@vger.kernel.org; linux-leds@vger.kernel.org; linux-media@vger.kernel.org; linux-mips@vger.kernel.org; linux-mm@kvack.org; linux-modules@vger.kernel.org; linux-mtd@lists.infradead.org; linux-nfs@vger.kernel.org; linux-omap@vger.kernel.org; linux-phy@lists.infradead.org; linux-pm@vger.kernel.org; linux-rockchip@lists.infradead.org; linux-s390@vger.kernel.org; linux-scsi@vger.kernel.org; linux-sctp@vger.kernel.org; linux-security-module@vger.kernel.org; linux-sh@vger.kernel.org; linux-sound@vger.kernel.org; linux-stm32@st-md-mailman.stormreply.com; linux-trace-kernel@vger.kernel.org; linux-usb@vger.kernel.org; linux-wireless@vger.kernel.org; netdev@vger.kernel.org; ntfs3@lists.linux.dev; samba-technical@lists.samba.org; sched-ext@lists.linux.dev; target-devel@vger.kernel.org; tipc-discussion@lists.sourceforge.net; v9fs@lists.linux.dev; Philipp Hahn <phahn-oss@avm.de>
> Cc: Igor Russkikh <irusskikh@marvell.com>; Andrew Lunn <andrew+netdev@lunn.ch>; David S. Miller <davem@davemloft.net>; Eric Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo Abeni <pabeni@redhat.com>; Pavan Chebbi <pavan.chebbi@broadcom.com>; Michael Chan <mchan@broadcom.com>; Potnuri Bharat Teja <bharat@chelsio.com>; Tony Nguyen <anthony.l.nguyen@intel.com>; Przemek Kitszel <przemyslaw.kitszel@intel.com>; Taras Chornyi <taras.chornyi@plvision.eu>; Maxime Coquelin <mcoquelin.stm32@gmail.com>; Alexandre Torgue <alexandre.torgue@foss.st.com>; Iyappan Subramanian <iyappan@os.amperecomputing.com>; Keyur Chudgar <keyur@os.amperecomputing.com>; Quan Nguyen <quan@os.amperecomputing.com>; Heiner Kallweit <hkallweit1@gmail.com>; Russell King <linux@armlinux.org.uk>
> Subject: [EXTERNAL] [PATCH 38/61] net: Prefer IS_ERR_OR_NULL over manual NULL check
> ZjQcmQRYFpfptBannerEnd
> Prefer using IS_ERR_OR_NULL() over using IS_ERR() and a manual NULL
> check.
>
> Change generated with coccinelle.
>
> To: Igor Russkikh <mailto:irusskikh@marvell.com>
> To: Andrew Lunn <mailto:andrew+netdev@lunn.ch>
> To: "David S. Miller" <mailto:davem@davemloft.net>
> To: Eric Dumazet <mailto:edumazet@google.com>
> To: Jakub Kicinski <mailto:kuba@kernel.org>
> To: Paolo Abeni <mailto:pabeni@redhat.com>
> To: Pavan Chebbi <mailto:pavan.chebbi@broadcom.com>
> To: Michael Chan <mailto:mchan@broadcom.com>
> To: Potnuri Bharat Teja <mailto:bharat@chelsio.com>
> To: Tony Nguyen <mailto:anthony.l.nguyen@intel.com>
> To: Przemek Kitszel <mailto:przemyslaw.kitszel@intel.com>
> To: Taras Chornyi <mailto:taras.chornyi@plvision.eu>
> To: Maxime Coquelin <mailto:mcoquelin.stm32@gmail.com>
> To: Alexandre Torgue <mailto:alexandre.torgue@foss.st.com>
> To: Iyappan Subramanian <mailto:iyappan@os.amperecomputing.com>
> To: Keyur Chudgar <mailto:keyur@os.amperecomputing.com>
> To: Quan Nguyen <mailto:quan@os.amperecomputing.com>
> To: Heiner Kallweit <mailto:hkallweit1@gmail.com>
> To: Russell King <mailto:linux@armlinux.org.uk>
> Cc: mailto:netdev@vger.kernel.org
> Cc: mailto:linux-kernel@vger.kernel.org
> Cc: mailto:intel-wired-lan@lists.osuosl.org
> Cc: mailto:linux-stm32@st-md-mailman.stormreply.com
> Cc: mailto:linux-arm-kernel@lists.infradead.org
> Cc: mailto:linux-usb@vger.kernel.org
> Signed-off-by: Philipp Hahn <mailto:phahn-oss@avm.de>
> ---
> drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 2 +-
> drivers/net/ethernet/broadcom/tg3.c | 2 +-
> drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c | 3 +--
> drivers/net/ethernet/intel/ice/devlink/devlink.c | 2 +-
> drivers/net/ethernet/marvell/prestera/prestera_router.c | 2 +-
> drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
> drivers/net/mdio/mdio-xgene.c | 2 +-
> drivers/net/usb/r8152.c | 2 +-
> 8 files changed, 8 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
> index e270327e47fd804cc8ee5cfd53ed1b993c955c41..43edef35c4b1ff606b2f1519a07fad4c9a990ad4 100644
> --- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
> +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
> @@ -810,7 +810,7 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_ring,
> }
>
> skb = aq_xdp_run_prog(aq_nic, &xdp, rx_ring, buff);
> - if (IS_ERR(skb) || !skb)
> + if (IS_ERR_OR_NULL(skb))
> continue;
>
> if (ptp_hwtstamp_len > 0)
> diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
> index 2328fce336447eb4a796f9300ccc0ab536ff0a35..8ed79f34f03d81184dcc12e6eaff009cb8f7756e 100644
> --- a/drivers/net/ethernet/broadcom/tg3.c
> +++ b/drivers/net/ethernet/broadcom/tg3.c
> @@ -7943,7 +7943,7 @@ static int tg3_tso_bug(struct tg3 *tp, struct tg3_napi *tnapi,
>
> segs = skb_gso_segment(skb, tp->dev->features &
> ~(NETIF_F_TSO | NETIF_F_TSO6));
> - if (IS_ERR(segs) || !segs) {
> + if (IS_ERR_OR_NULL(segs)) {
> tnapi->tx_dropped++;
> goto tg3_tso_bug_end;
> }
> diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
> index 3307e50426819087ad985178c4a5383f16b8e7b4..1c8a6445d4b2e3535d8f1b7908dd02d8dd2f23fa 100644
> --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
> +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
> @@ -1032,8 +1032,7 @@ static void ch_flower_stats_handler(struct work_struct *work)
> do {
> rhashtable_walk_start(&iter);
>
> - while ((flower_entry = rhashtable_walk_next(&iter)) &&
> - !IS_ERR(flower_entry)) {
> + while (!IS_ERR_OR_NULL((flower_entry = rhashtable_walk_next(&iter)))) {
> ret = cxgb4_get_filter_counters(adap->port[0],
> flower_entry->filter_id,
> &packets, &bytes,
> diff --git a/drivers/net/ethernet/intel/ice/devlink/devlink.c b/drivers/net/ethernet/intel/ice/devlink/devlink.c
> index 6c72bd15db6d75a1d4fa04ef8fefbd26fb6e84bd..3d08b9187fd76ca3198af28111b6f1c1765ea01e 100644
> --- a/drivers/net/ethernet/intel/ice/devlink/devlink.c
> +++ b/drivers/net/ethernet/intel/ice/devlink/devlink.c
> @@ -791,7 +791,7 @@ static void ice_traverse_tx_tree(struct devlink *devlink, struct ice_sched_node
> node->parent->rate_node);
> }
>
> - if (rate_node && !IS_ERR(rate_node))
> + if (!IS_ERR_OR_NULL(rate_node))
> node->rate_node = rate_node;
>
> traverse_children:
> diff --git a/drivers/net/ethernet/marvell/prestera/prestera_router.c b/drivers/net/ethernet/marvell/prestera/prestera_router.c
> index b036b173a308b5f994ad8538eb010fa27196988c..4492938e8a3da91d32efe8d45ccbe2eb437c0e49 100644
> --- a/drivers/net/ethernet/marvell/prestera/prestera_router.c
> +++ b/drivers/net/ethernet/marvell/prestera/prestera_router.c
> @@ -1061,7 +1061,7 @@ static void __prestera_k_arb_hw_state_upd(struct prestera_switch *sw,
> n = NULL;
> }
>
> - if (!IS_ERR(n) && n) {
> + if (!IS_ERR_OR_NULL(n)) {
> neigh_event_send(n, NULL);
> neigh_release(n);
> } else {
> diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
> index 6827c99bde8c22db42b363d2d36ad6f26075ed50..356a4e9ce04b1fcf8786d7274d31ace404be2cf6 100644
> --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
> +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
> @@ -1275,7 +1275,7 @@ static int stmmac_init_phy(struct net_device *dev)
> /* Some DT bindings do not set-up the PHY handle. Let's try to
> * manually parse it
> */
> - if (!phy_fwnode || IS_ERR(phy_fwnode)) {
> + if (IS_ERR_OR_NULL(phy_fwnode)) {
> int addr = priv->plat->phy_addr;
> struct phy_device *phydev;
>
> diff --git a/drivers/net/mdio/mdio-xgene.c b/drivers/net/mdio/mdio-xgene.c
> index a8f91a4b7fed0927ee14e408000cd3a2bfb9b09a..09b30b563295c6085dc1358ac361301e5cf6b2a8 100644
> --- a/drivers/net/mdio/mdio-xgene.c
> +++ b/drivers/net/mdio/mdio-xgene.c
> @@ -265,7 +265,7 @@ struct phy_device *xgene_enet_phy_register(struct mii_bus *bus, int phy_addr)
> struct phy_device *phy_dev;
>
> phy_dev = get_phy_device(bus, phy_addr, false);
> - if (!phy_dev || IS_ERR(phy_dev))
> + if (IS_ERR_OR_NULL(phy_dev))
> return NULL;
>
> if (phy_device_register(phy_dev))
> diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
> index 0c83bbbea2e7c322ee6339893e281237663bd3ae..73f17ebd7d40007eec5004f887a46249defd28ab 100644
> --- a/drivers/net/usb/r8152.c
> +++ b/drivers/net/usb/r8152.c
> @@ -2218,7 +2218,7 @@ static void r8152_csum_workaround(struct r8152 *tp, struct sk_buff *skb,
>
> features &= ~(NETIF_F_SG | NETIF_F_IPV6_CSUM | NETIF_F_TSO6);
> segs = skb_gso_segment(skb, features);
> - if (IS_ERR(segs) || !segs)
> + if (IS_ERR_OR_NULL(segs))
> goto drop;
>
> __skb_queue_head_init(&seg_list);
>
> --
> 2.43.0
>
>
Acked-by: Elad Nachman <enachman@marvell.com>
^ permalink raw reply
* Re: [PATCH v5 2/9] landlock: Control pathname UNIX domain socket resolution by path
From: Sebastian Andrzej Siewior @ 2026-03-10 15:19 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Günther Noack, Eric Dumazet, Kuniyuki Iwashima, Paolo Abeni,
Willem de Bruijn, Jason Xing, John Johansen, Tingmao Wang,
Justin Suess, Jann Horn, linux-security-module,
Samasth Norway Ananda, Matthieu Buffet, Mikhail Ivanov,
konstantin.meskhidze, Demi Marie Obenour, Alyssa Ross,
Tahera Fahimi, netdev
In-Reply-To: <20260308.AiYoh5KooBei@digikod.net>
On 2026-03-08 10:18:04 [+0100], Mickaël Salaün wrote:
> > > dom_other, but please double check. This lockless call should be made
> > > clear in the LSM hook. It's OK to not lock the socket before
> > > security_unix_find() (1) because no LSM might implement and (2) they
> > > might not need to lock the socket (e.g. if the caller is not sandboxed).
> > >
> > > The updated code should look something like this:
> > >
> > > unix_state_unlock(other);
>
> unix_state_lock(other) of course...
>
> > > if (unlikely(sock_flag(other, SOCK_DEAD) || !other->sk_socket)) {
> > > unix_state_unlock(other);
> > > return 0;
> > > }
> > >
> > > dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain;
> > > unix_state_unlock(other);
> >
> > Thank you for spotting the locking concern!
> >
> > @anyone from netdev, could you please advise on the correct locking
> > approach here?
It is hard to tell where your "other" is from. So it is not clear to me
if the sock can be closed from the other side. If it can then sk_socket
becomes NULL and everything afterwards will be gone.
Therefore checking for SOCK_DEAD under unix_state_lock() looks sane.
> > * Do we need ot check SOCK_DEAD?
> >
> > You are saying that we need to do that, but it's not clear to me
> > why.
> >
> > If you look at the places where unix_find_other() is called in
> > af_unix.c, then you'll find that all of them check for SOCK_DEAD and
> > then restart from unix_find_other() if they do actually discover
> > that the socket is dead. I think that this is catching this race
> > condition scenario:
> >
> > * a server socket exists and is alive
> > * A client connects: af_unix.c's unix_stream_connect() calls
> > unix_find_other() and finds the server socket...
> > * (Concurrently): The server closes the socket and enters
> > unix_release_sock(). This function:
> > 1. disassociates the server sock from the named socket inode
> > number in the hash table (=> future unix_find_other() calls
> > will fail).
> > 2. calls sock_orphan(), which sets SOCK_DEAD.
> > * ...(client connection resuming): unix_stream_connect() continues,
> > grabs the unix_state_lock(), which apparently protects everything
> > here, checks that the socket is not dead - and discovers that it
> > IS suddenly dead. This was not supposed to happen. The code
> > recovers from that by retrying everything starting with the
> > unix_find_other() call. From unix_release_sock(), we know that
> > the inode is not associated with the sock any more -- so the
> > unix_find_socket_by_inode() call should be failing on the next
> > attempt.
> >
> > (This works with unix_dgram_connect() and unix_dgram_sendmsg() as
> > well.)
> >
> > The comments next to the SOCK_DEAD checks are also suggesting this.
Sure. You are not the owner I guess. So you hold a reference on it but
the owner can still close it.
> >
> > * What lock to use
> >
> > I am having trouble reasoning about what lock is used for what in
> > this code.
>
> It's not clear to me neither, and it looks like it's not consistent
> across protocols.
>
> >
> > Is it possible that the lock protecting ->sk_socket is the
> > ->sk_callback_lock, not the unix_state_lock()? The only callers to
> > sk_set_socket are either sock_orphan/sock_graft (both grabbing
> > sk_callback_lock), or they are creating new struct sock objects that
> > they own exclusively, and don't need locks yet.
> >
> > Admittedly, in af_unix.c, sock_orphan() and sock_graft() only get
> > called in contexts where the unix_state_lock() is held, so it would
> > probably work as well to lock that, but it is maybe a more
> > fine-grained approach to use sk_callback_lock?
This is correct. Since only sock_orphan() is used you could go for
sk_callback_lock. For simplicity you could stick to the former lock
which will be accessed later any way. Either of the two block setting of
DEAD.
> > So... how about a scheme where we only check for ->sk_socket not being
> > NULL:
> >
> > read_lock_bh(&other->sk_callback_lock);
> > struct sock *other_sk = other->sk_socket;
> > if (!other_sk) {
> > read_unlock_bh(&other->sk_callback_lock);
> > return 0;
> > }
> > /* XXX double check whether we need a lock here too */
> > struct file *file = other_sk->file;
> > if (!other_file) {
> > read_unlock_bh(&other->sk_callback_lock);
> > return 0;
> > }
> > read_unlock_bh(&other->sk_callback_lock);
> >
> > If this fails, that would in my understanding also be because the
> > socket has died after the path lookup. We'd then return 0 (success),
> > because we know that the surrounding SOCK_DEAD logic will repeat
> > everything starting from the path lookup operation (this time likely
> > failing with ECONNREFUSED, but maybe also with a success, if another
> > server process was quick enough).
> >
> > Does this sound reasonable?
So if SOCK_DEAD is not set while the lock is held you can reference the
chain without second thoughts.
> Actually, since commit 983512f3a87f ("net: Drop the lock in
> skb_may_tx_timestamp()"), we can just use RCU + READ_ONCE(sk_socket) +
> READ_ONCE(file). The socket and file should only be freed after the RCU
> grace periode. As a safeguard, this commit should be a Depends-on.
This is what I concluded. The commit in question did not change the
situation. But if this spreads more I would suggest a helper so that all
user of this short cut can be easily identified. And yes, RCU would be a
key requirement.
> However, it is safer to return -ECONNREFULED when sk_socket or file are
> NULL.
>
> I would be good to hear from netdev folks though.
>
> TIL, there is an LSM hook for sock_graft().
>
> > –Günther
Sebastian
^ permalink raw reply
* Re: [PATCH 01/61] Coccinelle: Prefer IS_ERR_OR_NULL over manual NULL check
From: Markus Elfring @ 2026-03-10 15:41 UTC (permalink / raw)
To: Philipp Hahn, cocci, Julia Lawall
Cc: amd-gfx, apparmor, bpf, ceph-devel, dm-devel, dri-devel, gfs2,
intel-gfx, intel-wired-lan, iommu, kvm, linux-arm-kernel,
linux-block, linux-bluetooth, linux-btrfs, linux-cifs, linux-clk,
linux-erofs, linux-ext4, linux-fsdevel, linux-gpio, linux-hyperv,
linux-input, linux-kernel, linux-leds, linux-media, linux-mips,
linux-mm, linux-modules, linux-mtd, linux-nfs, linux-omap,
linux-phy, linux-pm, linux-rockchip, linux-s390, linux-scsi,
linux-sctp, linux-security-module, linux-sh, linux-sound,
linux-stm32, linux-trace-kernel, linux-usb, linux-wireless,
netdev, nicolas.palix, ntfs3, samba-technical, sched-ext,
target-devel, tipc-discussion, v9fs
In-Reply-To: <20260310-b4-is_err_or_null-v1-1-bd63b656022d@avm.de>
> Find and convert uses of IS_ERR() plus NULL check to IS_ERR_OR_NULL().
…
Can this information trigger any more consequences on corresponding summary phrases?
…
> +++ b/scripts/coccinelle/api/is_err_or_null.cocci
> @@ -0,0 +1,125 @@
…
> +virtual patch
> +virtual report
> +virtual org
How will interests evolve further for the support of the operation mode “context”?
> +@p1 depends on patch@
> +expression E;
> +@@
> +(
> +- E != NULL && !IS_ERR(E)
> ++ !IS_ERR_OR_NULL(E)
> +|
> +- E == NULL || IS_ERR(E)
> ++ IS_ERR_OR_NULL(E)
> +|
> +- !IS_ERR(E) && E != NULL
> ++ !IS_ERR_OR_NULL(E)
> +|
> +- IS_ERR(E) || E == NULL
> ++ IS_ERR_OR_NULL(E)
> +)
Did you eventually check probabilities for the occurrence of mentioned case distinctions?
> +@p2 depends on patch@
…
I suggest to reconsider “side effects” according to the splitting of these SmPL rules
once more.
…
> +@r2 depends on report || org@
> +identifier I;
> +expression E;
> +position p;
> +@@
> +(
> +* (I = E) != NULL && ... && !IS_ERR@p(I)
> +|
> +* (I = E) == NULL || ... || IS_ERR@p(I)
> +)
I doubt that the usage of SmPL asterisks fits to these two operation modes.
…
> +@p5 depends on patch disable unlikely @
> +expression E;
> +@@
> +-\( likely \| unlikely \)(
> +(
> + IS_ERR_OR_NULL(E)
> +|
> + !IS_ERR_OR_NULL(E)
> +)
> +-)
* Would it be nicer to move such SmPL code to the end of the patch rule listing?
* Can this source code search pattern matter also for further operation modes?
Regards,
Markus
^ permalink raw reply
* Re: [PATCH 2/2] EVM: add comment describing why ino field is still unsigned long
From: Mimi Zohar @ 2026-03-10 16:05 UTC (permalink / raw)
To: Jeff Layton, Christian Brauner, Ryusuke Konishi,
Viacheslav Dubeyko, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn
Cc: linux-nilfs, linux-kernel, linux-integrity, linux-security-module
In-Reply-To: <20260310-iino-u64-v1-2-18422a053b04@kernel.org>
On Tue, 2026-03-10 at 07:43 -0400, Jeff Layton wrote:
> Mimi pointed out that we didn't widen the inode number field in struct
> h_misc alongside the inode->i_ino widening. While we could make an
> equivalent change there, that would force EVM remeasurement on all
> 32-bit hosts.
Instead of saying "force EVM remeasurement" say, "require EVM resigning".
>
> Instead, leave the field as an unsigned long. This should have no effect
> on 64-bit hosts, and allow things to continue working on 32-bit hosts in
> the cases where the i_ino fits in 32-bits.
>
> Add a comment explaining why it's being left as unsigned long.
>
> Cc: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
> security/integrity/evm/evm_crypto.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
> index c0ca4eedb0fe5d5c30f45f515a4bc90248ec64ea..3445f4c2097f7e8af61de6299b721fc4a1d8afb4 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -144,6 +144,12 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
> char type, char *digest)
> {
> struct h_misc {
> + /*
> + * Although inode->i_ino is now u64, this field remains
> + * unsigned long to allow existing hashes from 32-bit hosts
> + * to continue working when i_ino hasn't changed and fitsxi
> + * in a u32.
security.evm contains either an HMAC or signature. Change "hashes" -> HMAC and
signatures"
Mimi
> + */
> unsigned long ino;
> __u32 generation;
> uid_t uid;
^ permalink raw reply
* Re: [v2,net-next,07/15] udp: Remove partial csum code in RX.
From: Kuniyuki Iwashima @ 2026-03-10 16:17 UTC (permalink / raw)
To: Paolo Abeni
Cc: willemb, serge, linux-security-module, netdev, davem, edumazet,
kuba, dsahern, jmorris, casey, paul, kuni1840, fw, horms,
willemdebruijn.kernel
In-Reply-To: <20260310102555.147680-1-pabeni@redhat.com>
On Tue, Mar 10, 2026 at 3:26 AM Paolo Abeni <pabeni@redhat.com> wrote:
>
> This is an AI-generated review of your patch. The human sending this
> email has considered the AI review valid, or at least plausible.
>
> For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
> ---
> udp: Remove partial csum code in RX.
>
> This commit removes UDP-Lite specific partial checksum handling from UDP
> receive paths, including removal of UDP_SKB_CB fields, simplification of
> checksum initialization functions, and elimination of UDP-Lite guards.
>
> Link: https://lore.kernel.org/netdev/20260305215013.2984628-8-kuniyu@google.com/
>
> > diff --git a/include/net/udp.h b/include/net/udp.h
> > --- a/include/net/udp.h
> > +++ b/include/net/udp.h
>
> [ ... ]
>
> > diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> > --- a/net/ipv4/udp.c
> > +++ b/net/ipv4/udp.c
>
> [ ... ]
>
> > @@ -2703,14 +2647,15 @@ static int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
> > if (ulen > skb->len)
> > goto short_packet;
> >
> > - if (proto == IPPROTO_UDP) {
> > - /* UDP validates ulen. */
> > - if (ulen < sizeof(*uh) || pskb_trim_rcsum(skb, ulen))
> > + /* UDP validates ulen. */
> > + if (ulen < sizeof(*uh)) {
> > + if (pskb_trim_rcsum(skb, ulen))
> > goto short_packet;
> > +
> > uh = udp_hdr(skb);
> > }
> >
> > - if (udp4_csum_init(skb, uh, proto))
> > + if (udp4_csum_init(skb, uh))
> > goto csum_error;
> >
>
> Does this refactoring introduce two bugs?
>
> The old code checked both conditions with short-circuit OR:
> if (ulen < sizeof(*uh) || pskb_trim_rcsum(skb, ulen))
> goto short_packet;
>
> This correctly (1) rejected packets where ulen < 8, and (2) trimmed the
> SKB to the declared UDP length when ulen < skb->len.
>
> The new code changes the logic structure:
> if (ulen < sizeof(*uh)) {
> if (pskb_trim_rcsum(skb, ulen))
> goto short_packet;
> uh = udp_hdr(skb);
> }
>
> First potential bug: When sizeof(*uh) <= ulen < skb->len, the entire block
> is skipped. This means pskb_trim_rcsum() is never called, so the SKB
> retains trailing data beyond the declared UDP length. Won't this cause
> checksum calculations to include extraneous bytes, leading to valid packets
> being incorrectly rejected?
>
> This scenario occurs when UDP length < IP payload length, which can happen
> with malformed or crafted packets.
>
> Second potential bug: When ulen < sizeof(*uh), the old code would
> immediately goto short_packet via the || short-circuit. The new code enters
> the block and tries to trim the SKB to a sub-header-size length. If
> pskb_trim_rcsum() succeeds, processing continues with skb->len <
> sizeof(struct udphdr). Is this safe?
>
> Looking at the IPv6 counterpart __udp6_lib_rcv(), it handles this
> differently:
>
> if (ulen < sizeof(*uh))
> goto short_packet;
>
> if (ulen < skb->len) {
> if (pskb_trim_rcsum(skb, ulen))
> goto short_packet;
> saddr = &ipv6_hdr(skb)->saddr;
> daddr = &ipv6_hdr(skb)->daddr;
> uh = udp_hdr(skb);
> }
>
> Should the IPv4 code follow the same pattern, or should it preserve the
> original short-circuit logic:
Indeed, I'll follow the IPv6 pattern there.
Thanks !
^ permalink raw reply
* Re: [PATCH 0/3] Firmware LSM hook
From: Stephen Smalley @ 2026-03-10 16:29 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Paul Moore, James Morris, Serge E. Hallyn, Jason Gunthorpe,
Saeed Mahameed, Itay Avraham, Dave Jiang, Jonathan Cameron,
linux-security-module, linux-kernel, linux-rdma, Chiara Meiohas,
Maher Sanalla, Edward Srouji
In-Reply-To: <20260310090733.GA12611@unreal>
On Tue, Mar 10, 2026 at 5:14 AM Leon Romanovsky <leon@kernel.org> wrote:
> 1140 MLX5_SET(general_obj_in_cmd_hdr, cmd_in, uid, uid);
> 1141 err = security_fw_validate_cmd(cmd_in, cmd_in_len, &dev->ib_dev.dev,
> 1142 FW_CMD_CLASS_UVERBS, RDMA_DRIVER_MLX5);
> 1143 if (err)
> 1144 return err;
> 1145
> 1146 err = mlx5_cmd_do(dev->mdev, cmd_in, cmd_in_len, cmd_out, cmd_out_len);
>
> Could you point me to the LSM that would be best suited for performing
> checks of this kind?
If you just want to filter on opcodes, then the SELinux extended
permissions (xperms) support may suffice, see:
https://blog.siphos.be/2017/11/selinux-and-extended-permissions/
https://kernsec.org/files/lss2015/vanderstoep.pdf
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/xperm_rules.md
This was originally added to SELinux to support filtering ioctl
commands and later extended to netlink as well.
If you truly need/want filtering of arbitrary variable-length command
buffers, then I'm not sure any LSM does that today.
Might be best suited to Landlock but not sure even of that one.
^ permalink raw reply
* Re: [PATCH 1/2] nilfs2: fix 64-bit division operations in nilfs_bmap_find_target_in_group()
From: Viacheslav Dubeyko @ 2026-03-10 16:54 UTC (permalink / raw)
To: Jeff Layton, Christian Brauner, Ryusuke Konishi, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Paul Moore,
James Morris, Serge E. Hallyn
Cc: linux-nilfs, linux-kernel, linux-integrity, linux-security-module,
kernel test robot
In-Reply-To: <20260310-iino-u64-v1-1-18422a053b04@kernel.org>
On Tue, 2026-03-10 at 07:43 -0400, Jeff Layton wrote:
> With the change to make inode->i_ino a u64, the build started failing
> on
> 32-bit ARM with:
>
> ERROR: modpost: "__aeabi_uldivmod" [fs/nilfs2/nilfs2.ko]
> undefined!
>
> Fix this by using the 64-bit division interfaces in
> nilfs_bmap_find_target_in_group().
>
> Fixes: 998a59d371c2 ("treewide: fix missed i_ino format specifier
> conversions")
> Reported-by: kernel test robot <lkp@intel.com>
> Closes:
> https://lore.kernel.org/oe-kbuild-all/202603100602.KPxiClIO-lkp@intel.com/
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
> fs/nilfs2/bmap.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/fs/nilfs2/bmap.c b/fs/nilfs2/bmap.c
> index
> 824f2bd91c167965ec3a660202b6e6c5f1fe007e..4ce9a93149a5af13bc215cc1877
> a757e2c6cf49b 100644
> --- a/fs/nilfs2/bmap.c
> +++ b/fs/nilfs2/bmap.c
> @@ -455,11 +455,14 @@ __u64 nilfs_bmap_find_target_in_group(const
> struct nilfs_bmap *bmap)
> {
> struct inode *dat = nilfs_bmap_get_dat(bmap);
> unsigned long entries_per_group =
> nilfs_palloc_entries_per_group(dat);
> - unsigned long group = bmap->b_inode->i_ino /
> entries_per_group;
> + unsigned long group;
> + u32 rem;
> +
> + group = div_u64(bmap->b_inode->i_ino, entries_per_group);
> + div_u64_rem(bmap->b_inode->i_ino, NILFS_BMAP_GROUP_DIV,
> &rem);
>
> return group * entries_per_group +
> - (bmap->b_inode->i_ino % NILFS_BMAP_GROUP_DIV) *
> - (entries_per_group / NILFS_BMAP_GROUP_DIV);
> + rem * (entries_per_group / NILFS_BMAP_GROUP_DIV);
> }
>
> static struct lock_class_key nilfs_bmap_dat_lock_key;
Makes sense. :) Maybe, rem is not very good variable name, but the
whole logic looks good.
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Thanks,
Slava.
^ permalink raw reply
* Re: [PATCH v1 1/4] landlock: Fix kernel-doc warning for pointer-to-array parameters
From: Mickaël Salaün @ 2026-03-10 17:13 UTC (permalink / raw)
To: Günther Noack; +Cc: linux-security-module
In-Reply-To: <abAaPmuYskAkubF9@google.com>
On Tue, Mar 10, 2026 at 02:18:54PM +0100, Günther Noack wrote:
> On Wed, Mar 04, 2026 at 08:31:24PM +0100, Mickaël Salaün wrote:
> > The insert_rule() and create_rule() functions take a
> > pointer-to-flexible-array parameter declared as:
> >
> > const struct landlock_layer (*const layers)[]
> >
> > The kernel-doc parser cannot handle a qualifier between * and the
> > parameter name in this syntax, producing spurious "Invalid param" and
> > "not described" warnings.
> >
> > Introduce landlock_layer_array_t as a typedef for the flexible array
> > type so the parameter can be written as:
> >
> > const landlock_layer_array_t *const layers
> >
> > This is the same type but kernel-doc parses it correctly, while
> > preserving the pointer-to-array type safety that prevents callers from
> > accidentally passing a pointer to a single element.
> >
> > Cc: Günther Noack <gnoack@google.com>
> > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > ---
> > security/landlock/ruleset.c | 4 ++--
> > security/landlock/ruleset.h | 8 ++++++++
> > 2 files changed, 10 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
> > index 419b237de635..a61ced492f41 100644
> > --- a/security/landlock/ruleset.c
> > +++ b/security/landlock/ruleset.c
> > @@ -108,7 +108,7 @@ static bool is_object_pointer(const enum landlock_key_type key_type)
> >
> > static struct landlock_rule *
> > create_rule(const struct landlock_id id,
> > - const struct landlock_layer (*const layers)[], const u32 num_layers,
> > + const landlock_layer_array_t *const layers, const u32 num_layers,
> > const struct landlock_layer *const new_layer)
> > {
> > struct landlock_rule *new_rule;
> > @@ -205,7 +205,7 @@ static void build_check_ruleset(void)
> > */
> > static int insert_rule(struct landlock_ruleset *const ruleset,
> > const struct landlock_id id,
> > - const struct landlock_layer (*const layers)[],
> > + const landlock_layer_array_t *const layers,
> > const size_t num_layers)
> > {
> > struct rb_node **walker_node;
> > diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
> > index 9d6dc632684c..87d52031fb5a 100644
> > --- a/security/landlock/ruleset.h
> > +++ b/security/landlock/ruleset.h
> > @@ -37,6 +37,14 @@ struct landlock_layer {
> > access_mask_t access;
> > };
> >
> > +/*
> > + * Flexible array of Landlock layers, used for pointer-to-array function
> > + * parameters that reference either a stack-allocated layer array or a rule's
> > + * flexible array member (struct landlock_rule.layers). This typedef avoids
> > + * the complex (*const name)[] syntax that the kernel-doc parser cannot handle.
> > + */
> > +typedef struct landlock_layer landlock_layer_array_t[];
> > +
> > /**
> > * union landlock_key - Key of a ruleset's red-black tree
> > */
> > --
> > 2.53.0
> >
>
> Thanks for the reminder on the other thread; I skipped over this one
> indeed. I am hesitant about this patch because it seems to be at odds
> with the Linux kernel coding style on the use of typedef:
>
> https://www.kernel.org/doc/html/v4.17/process/coding-style.html#typedefs
>
> It says:
>
> the rule should basically be to NEVER EVER use a typedef unless
> you can clearly match one of those rules.
>
> The rules being:
>
> (a) totally opaque object whose contents we want to hide
> (I don't think that is the purpose here; the example in
> the style guide is to keep generic code from playing with
> hardware-specific page table entry structures)
> (b) integer types (not applicable)
> (c) when using sparse (not applicable)
> (d) some types identical to C99 types (not applicable)
> (e) types safe for use in userspace (not applicable)
>
> It seems that the easier option might be to drop the "const" between
> the pointer and the type, if apparently we are the only ones doing
> this?
Yeah, this is simpler.
>
> FWIW, I have put these consts as well to be consistent with Landlock
> style, but I am also not convinced that they buy us much;
>
> * In a type like "const u8 *buf", when the type is part of a function
> signature, that is a guarantee to the caller that the function won't
> modify the buffer contents through the pointer.
>
> * However, in a type like "u8 *const buf", the const is not a
> guarantee to the caller, but only a constraint on the function
> implementation that the pointer is not rewired to point elsewhere.
> It is not clear to me that this adds much in implementation safety.
I prefer to have const variables where possible to look for changes in
patches that could then have indirect impact on initial invariants.
But for this case, I prefer to have the doc linter covering C files.
I'll send a v2 for this change only, I'll merge the other patches.
>
> WDYT?
>
> —Günther
>
^ permalink raw reply
* [PATCH v2] landlock: Fix kernel-doc warning for pointer-to-array parameters
From: Mickaël Salaün @ 2026-03-10 17:20 UTC (permalink / raw)
To: Günther Noack
Cc: Mickaël Salaün, linux-security-module, Jonathan Corbet
The insert_rule() and create_rule() functions take a
pointer-to-flexible-array parameter declared as:
const struct landlock_layer (*const layers)[]
The kernel-doc parser cannot handle a qualifier between * and the
parameter name in this syntax, producing spurious "Invalid param" and
"not described" warnings.
Remove the const qualifier of the "layers" argument to avoid this
parsing issue.
Cc: Günther Noack <gnoack@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
Changes since v1:
https://lore.kernel.org/r/20260304193134.250495-1-mic@digikod.net
- Remove const instead of using a typedef (suggested by Günther).
---
security/landlock/ruleset.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 3234a5bc11ff..181df7736bb9 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -107,7 +107,7 @@ static bool is_object_pointer(const enum landlock_key_type key_type)
static struct landlock_rule *
create_rule(const struct landlock_id id,
- const struct landlock_layer (*const layers)[], const u32 num_layers,
+ const struct landlock_layer (*layers)[], const u32 num_layers,
const struct landlock_layer *const new_layer)
{
struct landlock_rule *new_rule;
@@ -206,7 +206,7 @@ static void build_check_ruleset(void)
*/
static int insert_rule(struct landlock_ruleset *const ruleset,
const struct landlock_id id,
- const struct landlock_layer (*const layers)[],
+ const struct landlock_layer (*layers)[],
const size_t num_layers)
{
struct rb_node **walker_node;
--
2.53.0
^ permalink raw reply related
* Re: [PATCH 1/2] nilfs2: fix 64-bit division operations in nilfs_bmap_find_target_in_group()
From: Jeff Layton @ 2026-03-10 17:28 UTC (permalink / raw)
To: Viacheslav Dubeyko, Christian Brauner, Ryusuke Konishi,
Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn
Cc: linux-nilfs, linux-kernel, linux-integrity, linux-security-module,
kernel test robot
In-Reply-To: <b0225cff966425a16213e2dae7cd30ba438e5af7.camel@dubeyko.com>
On Tue, 2026-03-10 at 09:54 -0700, Viacheslav Dubeyko wrote:
> On Tue, 2026-03-10 at 07:43 -0400, Jeff Layton wrote:
> > With the change to make inode->i_ino a u64, the build started failing
> > on
> > 32-bit ARM with:
> >
> > ERROR: modpost: "__aeabi_uldivmod" [fs/nilfs2/nilfs2.ko]
> > undefined!
> >
> > Fix this by using the 64-bit division interfaces in
> > nilfs_bmap_find_target_in_group().
> >
> > Fixes: 998a59d371c2 ("treewide: fix missed i_ino format specifier
> > conversions")
> > Reported-by: kernel test robot <lkp@intel.com>
> > Closes:
> > https://lore.kernel.org/oe-kbuild-all/202603100602.KPxiClIO-lkp@intel.com/
> > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > ---
> > fs/nilfs2/bmap.c | 9 ++++++---
> > 1 file changed, 6 insertions(+), 3 deletions(-)
> >
> > diff --git a/fs/nilfs2/bmap.c b/fs/nilfs2/bmap.c
> > index
> > 824f2bd91c167965ec3a660202b6e6c5f1fe007e..4ce9a93149a5af13bc215cc1877
> > a757e2c6cf49b 100644
> > --- a/fs/nilfs2/bmap.c
> > +++ b/fs/nilfs2/bmap.c
> > @@ -455,11 +455,14 @@ __u64 nilfs_bmap_find_target_in_group(const
> > struct nilfs_bmap *bmap)
> > {
> > struct inode *dat = nilfs_bmap_get_dat(bmap);
> > unsigned long entries_per_group =
> > nilfs_palloc_entries_per_group(dat);
> > - unsigned long group = bmap->b_inode->i_ino /
> > entries_per_group;
> > + unsigned long group;
> > + u32 rem;
> > +
> > + group = div_u64(bmap->b_inode->i_ino, entries_per_group);
> > + div_u64_rem(bmap->b_inode->i_ino, NILFS_BMAP_GROUP_DIV,
> > &rem);
> >
> > return group * entries_per_group +
> > - (bmap->b_inode->i_ino % NILFS_BMAP_GROUP_DIV) *
> > - (entries_per_group / NILFS_BMAP_GROUP_DIV);
> > + rem * (entries_per_group / NILFS_BMAP_GROUP_DIV);
> > }
> >
> > static struct lock_class_key nilfs_bmap_dat_lock_key;
>
> Makes sense. :) Maybe, rem is not very good variable name, but the
> whole logic looks good.
>
> Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
>
Thanks. My thinking was "remainder" but I don't have an objection if
you guys want to change it.
--
Jeff Layton <jlayton@kernel.org>
^ permalink raw reply
* [PATCH v6] ima_fs: Correctly create securityfs files for unsupported hash algos
From: Dmitry Safonov via B4 Relay @ 2026-03-10 17:40 UTC (permalink / raw)
To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn, Silvia Sisinni,
Enrico Bravi
Cc: Jonathan McDowell, linux-integrity, linux-security-module,
linux-kernel, stable, Dmitry Safonov, Dmitry Safonov
From: Dmitry Safonov <dima@arista.com>
ima_tpm_chip->allocated_banks[i].crypto_id is initialized to
HASH_ALGO__LAST if the TPM algorithm is not supported. However there
are places relying on the algorithm to be valid because it is accessed
by hash_algo_name[].
On 6.12.40 I observe the following read out-of-bounds in hash_algo_name:
==================================================================
BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440
Read of size 8 at addr ffffffff83e18138 by task swapper/0/1
CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3
Call Trace:
<TASK>
dump_stack_lvl+0x61/0x90
print_report+0xc4/0x580
? kasan_addr_to_slab+0x26/0x80
? create_securityfs_measurement_lists+0x396/0x440
kasan_report+0xc2/0x100
? create_securityfs_measurement_lists+0x396/0x440
create_securityfs_measurement_lists+0x396/0x440
ima_fs_init+0xa3/0x300
ima_init+0x7d/0xd0
init_ima+0x28/0x100
do_one_initcall+0xa6/0x3e0
kernel_init_freeable+0x455/0x740
kernel_init+0x24/0x1d0
ret_from_fork+0x38/0x80
ret_from_fork_asm+0x11/0x20
</TASK>
The buggy address belongs to the variable:
hash_algo_name+0xb8/0x420
Memory state around the buggy address:
ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9
^
ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
==================================================================
Seems like the TPM chip supports sha3_256, which isn't yet in
tpm_algorithms:
tpm tpm0: TPM with unsupported bank algorithm 0x0027
That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0
Library Part 2: Structures", page 51 [1].
See also the related U-Boot algorithms update [2].
Thus solve the problem by creating a file name with "_tpm_alg_<ID>"
postfix if the crypto algorithm isn't initialized.
This is how it looks on the test machine (patch ported to v6.12 release):
# ls -1 /sys/kernel/security/ima/
ascii_runtime_measurements
ascii_runtime_measurements_tpm_alg_27
ascii_runtime_measurements_sha1
ascii_runtime_measurements_sha256
binary_runtime_measurements
binary_runtime_measurements_tpm_alg_27
binary_runtime_measurements_sha1
binary_runtime_measurements_sha256
policy
runtime_measurements_count
violations
[1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf
[2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html
Fixes: 9fa8e7625008 ("ima: add crypto agility support for template-hash algorithm")
Signed-off-by: Dmitry Safonov <dima@arista.com>
Cc: Enrico Bravi <enrico.bravi@polito.it>
Cc: Silvia Sisinni <silvia.sisinni@polito.it>
Cc: Roberto Sassu <roberto.sassu@huawei.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>
---
Changes in v6:
- Change subject now that securityfs files are created (Mimi Zohar)
- Added a link to TCG document and the related U-Boot changes
- Link to v5: https://lore.kernel.org/r/20260223-ima-oob-v5-1-91cc1064e767@arista.com
Changes in v5:
- Use lower-case for sysfs file name (as suggested-by Jonathan and Roberto)
- Don't use email quotes for patch description (Roberto)
- Re-word the patch description (suggested-by Roberto)
- Link to v4: https://lore.kernel.org/r/20260127-ima-oob-v4-1-bf0cd7f9b4d4@arista.com
Changes in v4:
- Use ima_tpm_chip->allocated_banks[algo_idx].digest_size instead of hash_digest_size[algo]
(Roberto Sassu)
- Link to v3: https://lore.kernel.org/r/20260127-ima-oob-v3-1-1dd09f4c2a6a@arista.com
Testing note: I test it on v6.12.40 kernel backport, which slightly differs as
lookup_template_data_hash_algo() was yet present.
Changes in v3:
- Now fix the spelling *for real* (sorry, messed it up in v2)
- Link to v2: https://lore.kernel.org/r/20260127-ima-oob-v2-1-f38a18c850cf@arista.com
Changes in v2:
- Instead of skipping unknown algorithms, add files under their TPM_ALG_ID (Roberto Sassu)
- Fix spelling (Roberto Sassu)
- Copy @stable on the fix
- Link to v1: https://lore.kernel.org/r/20260127-ima-oob-v1-1-2d42f3418e57@arista.com
---
security/integrity/ima/ima_fs.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 23d3a14b8ce3..ca4931a95098 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -398,16 +398,24 @@ static int __init create_securityfs_measurement_lists(void)
char file_name[NAME_MAX + 1];
struct dentry *dentry;
- sprintf(file_name, "ascii_runtime_measurements_%s",
- hash_algo_name[algo]);
+ if (algo == HASH_ALGO__LAST)
+ sprintf(file_name, "ascii_runtime_measurements_tpm_alg_%x",
+ ima_tpm_chip->allocated_banks[i].alg_id);
+ else
+ sprintf(file_name, "ascii_runtime_measurements_%s",
+ hash_algo_name[algo]);
dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
ima_dir, (void *)(uintptr_t)i,
&ima_ascii_measurements_ops);
if (IS_ERR(dentry))
return PTR_ERR(dentry);
- sprintf(file_name, "binary_runtime_measurements_%s",
- hash_algo_name[algo]);
+ if (algo == HASH_ALGO__LAST)
+ sprintf(file_name, "binary_runtime_measurements_tpm_alg_%x",
+ ima_tpm_chip->allocated_banks[i].alg_id);
+ else
+ sprintf(file_name, "binary_runtime_measurements_%s",
+ hash_algo_name[algo]);
dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
ima_dir, (void *)(uintptr_t)i,
&ima_measurements_ops);
---
base-commit: 343f51842f4ed7143872f3aa116a214a5619a4b9
change-id: 20260127-ima-oob-9fa83a634d7b
Best regards,
--
Dmitry Safonov <dima@arista.com>
^ permalink raw reply related
* Re: [PATCH 0/3] Firmware LSM hook
From: Leon Romanovsky @ 2026-03-10 17:57 UTC (permalink / raw)
To: Stephen Smalley
Cc: Paul Moore, James Morris, Serge E. Hallyn, Jason Gunthorpe,
Saeed Mahameed, Itay Avraham, Dave Jiang, Jonathan Cameron,
linux-security-module, linux-kernel, linux-rdma, Chiara Meiohas,
Maher Sanalla, Edward Srouji
In-Reply-To: <CAEjxPJ4nTmovpgkzC+3=Oh7EAhpi1vHLwJfjezu-vzX_Q2OCug@mail.gmail.com>
On Tue, Mar 10, 2026 at 12:29:40PM -0400, Stephen Smalley wrote:
> On Tue, Mar 10, 2026 at 5:14 AM Leon Romanovsky <leon@kernel.org> wrote:
> > 1140 MLX5_SET(general_obj_in_cmd_hdr, cmd_in, uid, uid);
> > 1141 err = security_fw_validate_cmd(cmd_in, cmd_in_len, &dev->ib_dev.dev,
> > 1142 FW_CMD_CLASS_UVERBS, RDMA_DRIVER_MLX5);
> > 1143 if (err)
> > 1144 return err;
> > 1145
> > 1146 err = mlx5_cmd_do(dev->mdev, cmd_in, cmd_in_len, cmd_out, cmd_out_len);
> >
> > Could you point me to the LSM that would be best suited for performing
> > checks of this kind?
>
> If you just want to filter on opcodes, then the SELinux extended
> permissions (xperms) support may suffice, see:
> https://blog.siphos.be/2017/11/selinux-and-extended-permissions/
> https://kernsec.org/files/lss2015/vanderstoep.pdf
> https://github.com/SELinuxProject/selinux-notebook/blob/main/src/xperm_rules.md
>
> This was originally added to SELinux to support filtering ioctl
> commands and later extended to netlink as well.
>
> If you truly need/want filtering of arbitrary variable-length command
> buffers.
Yes. The opcode alone is not sufficient for any real‑world use.
It is not reliable because different firmware versions place different
parameters into the same mailbox entry under the same opcode.
Without inspecting the mailbox contents, you cannot properly filter them.
Thanks
^ permalink raw reply
* Re: [PATCH 03/61] ceph: Prefer IS_ERR_OR_NULL over manual NULL check
From: Viacheslav Dubeyko @ 2026-03-10 18:13 UTC (permalink / raw)
To: dm-devel@lists.linux.dev, phahn-oss@avm.de,
intel-wired-lan@lists.osuosl.org, linux-erofs@lists.ozlabs.org,
linux-security-module@vger.kernel.org, kvm@vger.kernel.org,
linux-sctp@vger.kernel.org, linux-pm@vger.kernel.org,
apparmor@lists.ubuntu.com, linux-ext4@vger.kernel.org,
amd-gfx@lists.freedesktop.org, linux-clk@vger.kernel.org,
linux-mips@vger.kernel.org, linux-media@vger.kernel.org,
netdev@vger.kernel.org, iommu@lists.linux.dev,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-usb@vger.kernel.org,
sched-ext@lists.linux.dev, linux-btrfs@vger.kernel.org,
linux-bluetooth@vger.kernel.org, linux-s390@vger.kernel.org,
samba-technical@lists.samba.org, intel-gfx@lists.freedesktop.org,
linux-trace-kernel@vger.kernel.org, ntfs3@lists.linux.dev,
linux-phy@lists.infradead.org, v9fs@lists.linux.dev,
ceph-devel@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
linux-mtd@lists.infradead.org, linux-scsi@vger.kernel.org,
target-devel@vger.kernel.org, linux-gpio@vger.kernel.org,
cocci@inria.fr, linux-sh@vger.kernel.org,
linux-rockchip@lists.infradead.org,
linux-stm32@st-md-mailman.stormreply.com,
linux-cifs@vger.kernel.org, linux-modules@vger.kernel.org,
linux-sound@vger.kernel.org, bpf@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-input@vger.kernel.org,
linux-leds@vger.kernel.org, dri-devel@lists.freedesktop.org,
linux-hyperv@vger.kernel.org, linux-mm@kvack.org,
linux-nfs@vger.kernel.org, gfs2@lists.linux.dev,
linux-wireless@vger.kernel.org, linux-omap@vger.kernel.org
Cc: idryomov@gmail.com, Alex Markuze, slava@dubeyko.com
In-Reply-To: <20260310-b4-is_err_or_null-v1-3-bd63b656022d@avm.de>
On Tue, 2026-03-10 at 12:48 +0100, Philipp Hahn wrote:
> Prefer using IS_ERR_OR_NULL() over using IS_ERR() and a manual NULL
> check.
>
> Change generated with coccinelle.
>
> To: Ilya Dryomov <idryomov@gmail.com>
> To: Alex Markuze <amarkuze@redhat.com>
> To: Viacheslav Dubeyko <slava@dubeyko.com>
> Cc: ceph-devel@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Philipp Hahn <phahn-oss@avm.de>
> ---
> fs/ceph/dir.c | 2 +-
> fs/ceph/snap.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
> index 86d7aa594ea99335af3e91a95c0a418fdc1b8a8a..934250748ae4fd4c148fd27bdf91175047c2877d 100644
> --- a/fs/ceph/dir.c
> +++ b/fs/ceph/dir.c
> @@ -889,7 +889,7 @@ int ceph_handle_notrace_create(struct inode *dir, struct dentry *dentry)
> {
> struct dentry *result = ceph_lookup(dir, dentry, 0);
>
> - if (result && !IS_ERR(result)) {
> + if (!IS_ERR_OR_NULL(result)) {
> /*
> * We created the item, then did a lookup, and found
> * it was already linked to another inode we already
> diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
> index 52b4c2684f922bfed39550311e793bfe3622cd26..528ad581be160713f91416115659e2dc6f259576 100644
> --- a/fs/ceph/snap.c
> +++ b/fs/ceph/snap.c
> @@ -902,7 +902,7 @@ int ceph_update_snap_trace(struct ceph_mds_client *mdsc,
> bad:
> err = -EIO;
> fail:
> - if (realm && !IS_ERR(realm))
> + if (!IS_ERR_OR_NULL(realm))
> ceph_put_snap_realm(mdsc, realm);
> if (first_realm)
> ceph_put_snap_realm(mdsc, first_realm);
Looks good.
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Thanks,
Slava.
^ permalink raw reply
* Re: [PATCH 0/3] Firmware LSM hook
From: Paul Moore @ 2026-03-10 18:24 UTC (permalink / raw)
To: Leon Romanovsky
Cc: James Morris, Serge E. Hallyn, Jason Gunthorpe, Saeed Mahameed,
Itay Avraham, Dave Jiang, Jonathan Cameron, linux-security-module,
linux-kernel, linux-rdma, Chiara Meiohas, Maher Sanalla,
Edward Srouji
In-Reply-To: <20260310090733.GA12611@unreal>
On Tue, Mar 10, 2026 at 5:07 AM Leon Romanovsky <leon@kernel.org> wrote:
> On Mon, Mar 09, 2026 at 07:10:25PM -0400, Paul Moore wrote:
> > On Mon, Mar 9, 2026 at 3:37 PM Leon Romanovsky <leon@kernel.org> wrote:
> > > On Mon, Mar 09, 2026 at 02:32:39PM -0400, Paul Moore wrote:
> > > > On Mon, Mar 9, 2026 at 7:15 AM Leon Romanovsky <leon@kernel.org> wrote:
...
> > > > Hi Leon,
> > > >
> > > > At the link below, you'll find guidance on submitting new LSM hooks.
> > > > Please take a look and let me know if you have any questions.
> > > >
> > > > https://github.com/LinuxSecurityModule/kernel/blob/main/README.md#new-lsm-hooks
> > >
> > > I assume that you are referring to this part:
> >
> > I'm referring to all of the guidance, but yes, at the very least that
> > is something that I think we need to see in a future revision of this
> > patchset.
> >
> > > * New LSM hooks must demonstrate their usefulness by providing a meaningful
> > > implementation for at least one in-kernel LSM. The goal is to demonstrate
> > > the purpose and expected semantics of the hooks. Out of tree kernel code,
> > > and pass through implementations, such as the BPF LSM, are not eligible
> > > for LSM hook reference implementations.
> > >
> > > The point is that we are not inspecting a kernel call, but the FW mailbox,
> > > which has very little meaning to the kernel. From the kernel's perspective,
> > > all relevant checks have already been performed, but the existing capability
> > > granularity does not allow us to distinguish between FW_CMD1 and FW_CMD2.
> >
> > It might help if you could phrase this differently, as I'm not
> > entirely clear on your argument. LSMs are not limited to enforcing
> > access controls on requests the kernel understands (see the SELinux
> > userspace object manager concept), and the idea of access controls
> > with greater granularity than capabilities is one of the main reasons
> > people look to LSMs for access control (SELinux, AppArmor, Smack,
> > etc.).
>
> I should note that my understanding of LSM is limited, so some parts of my
> answers may be inaccurate.
>
> What I am referring to is a different level of granularity — specifically,
> the internals of the firmware commands. In the proposed approach, BPF
> programs would make decisions based on data passed through the mailbox.
> That mailbox format varies across vendors, and may even differ between
> firmware versions from the same vendor.
That helps, thank you.
> > > Here we propose a generic interface that can be applied to all FWCTL
> > > devices without out-of-tree kernel code at all.
> >
> > I expected to see a patch implementing some meaningful support for
> > access controls using these hooks in one of the existing LSMs, I did
> > not see that in this patchset.
>
> In some cases, the mailbox is forwarded from user space unchanged, but
> in others the kernel modifies it before submitting it to the FW.
Without a standard format, opcode definitions, etc. I suspect
integrating this into an LSM will present a number of challenges.
Instead of performing an LSM access control check before submitting
the firmware command, it might be easier from an LSM perspective to
have the firmware call into the kernel/LSM for an access control
decision before performing a security-relevant action. This removes
the challenge of parsing/interpreting the arbitrary firmware commands,
but it does add some additional complexity of having to generically
represent the security relevant actions the firmware might request
(this is somewhat similar to how the LSM framework doesn't necessarily
hook the syscalls, but the actions the syscalls perform). Yes, one
does have to trust the firmware in this approach, but given the
relationship between the firmware and associated hardware, I think
users are implicitly required to trust their firmware in the vast
majority of cases.
--
paul-moore.com
^ permalink raw reply
* Re: [PATCH 00/61] treewide: Use IS_ERR_OR_NULL over manual NULL check - refactor
From: Kuan-Wei Chiu @ 2026-03-10 18:40 UTC (permalink / raw)
To: Philipp Hahn
Cc: amd-gfx, apparmor, bpf, ceph-devel, cocci, dm-devel, dri-devel,
gfs2, intel-gfx, intel-wired-lan, iommu, kvm, linux-arm-kernel,
linux-block, linux-bluetooth, linux-btrfs, linux-cifs, linux-clk,
linux-erofs, linux-ext4, linux-fsdevel, linux-gpio, linux-hyperv,
linux-input, linux-kernel, linux-leds, linux-media, linux-mips,
linux-mm, linux-modules, linux-mtd, linux-nfs, linux-omap,
linux-phy, linux-pm, linux-rockchip, linux-s390, linux-scsi,
linux-sctp, linux-security-module, linux-sh, linux-sound,
linux-stm32, linux-trace-kernel, linux-usb, linux-wireless,
netdev, ntfs3, samba-technical, sched-ext, target-devel,
tipc-discussion, v9fs
In-Reply-To: <20260310-b4-is_err_or_null-v1-0-bd63b656022d@avm.de>
Hi Philipp,
On Tue, Mar 10, 2026 at 12:48:26PM +0100, Philipp Hahn wrote:
> While doing some static code analysis I stumbled over a common pattern,
> where IS_ERR() is combined with a NULL check. For that there is
> IS_ERR_OR_NULL().
>
> I've written a Coccinelle patch to find and patch those instances.
> The patches follow grouped by subsystem.
>
> Patches 55-58 may be dropped as they have a (minor?) semantic change:
> They use WARN_ON() or WARN_ON_ONCE(), but only in the IS_ERR() path, not
> for the NULL check. Iff it is okay to print the warning also for NULL,
> then the patches can be applied.
>
> While generating the patch set `checkpatch` complained about mixing
> [un]likely() with IS_ERR_OR_NULL(), which already uses likely()
> internally. I found and fixed several locations, where that combination
> has been used.
Thanks for the patchset. However, I think we need a explanation for why
switching to IS_ERR_OR_NULL() is an improvement over the existing code.
IMHO, the necessity of IS_ERR_OR_NULL() often highlights a confusing or
flawed API design. It usually implies that the caller is unsure whether
a failure results in an error pointer or a NULL pointer. Rather than
doing a treewide conversion of this pattern, I believe it would be much
more meaningful to review these instances case-by-case and fix the
underlying APIs or caller logic instead.
Additionally, a treewide refactoring like this has the practical
drawback of creating unnecessary merge conflicts when backporting to
stable trees.
Regards,
Kuan-Wei
^ permalink raw reply
* [PATCH v1] selftests/landlock: Test tsync interruption and cancellation paths
From: Mickaël Salaün @ 2026-03-10 19:04 UTC (permalink / raw)
To: Günther Noack
Cc: Mickaël Salaün, linux-security-module, Justin Suess,
Tingmao Wang, Yihan Ding
Add tsync_interrupt test to exercise the signal interruption path in
landlock_restrict_sibling_threads(). When a signal interrupts
wait_for_completion_interruptible() while the calling thread waits for
sibling threads to finish credential preparation, the kernel:
1. Sets ERESTARTNOINTR to request a transparent syscall restart.
2. Calls cancel_tsync_works() to opportunistically dequeue task works
that have not started running yet.
3. Breaks out of the preparation loop, then unblocks remaining
task works via complete_all() and waits for them to finish.
4. Returns the error, causing abort_creds() in the syscall handler.
Specifically, cancel_tsync_works() in its entirety, the ERESTARTNOINTR
error branch in landlock_restrict_sibling_threads(), and the
abort_creds() error branch in the landlock_restrict_self() syscall
handler are timing-dependent and not exercised by the existing tsync
tests, making code coverage measurements non-deterministic.
The test spawns a signaler thread that rapidly sends SIGUSR1 to the
calling thread while it performs landlock_restrict_self() with
LANDLOCK_RESTRICT_SELF_TSYNC. Since ERESTARTNOINTR causes a
transparent restart, userspace always sees the syscall succeed.
This is a best-effort coverage test: the interruption path is exercised
when the signal lands during the preparation wait, which depends on
thread scheduling. The test creates enough idle sibling threads (200)
to ensure multiple serialized waves of credential preparation even on
machines with many cores (e.g., 64), widening the window for the
signaler. Deterministic coverage would require wrapping the wait call
with ALLOW_ERROR_INJECTION() and using CONFIG_FAIL_FUNCTION.
Cc: Günther Noack <gnoack@google.com>
Cc: Justin Suess <utilityemal77@gmail.com>
Cc: Tingmao Wang <m@maowtm.org>
Cc: Yihan Ding <dingyihan@uniontech.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
tools/testing/selftests/landlock/tsync_test.c | 91 ++++++++++++++++++-
1 file changed, 90 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/landlock/tsync_test.c b/tools/testing/selftests/landlock/tsync_test.c
index 37ef0d2270db..2b9ad4f154f4 100644
--- a/tools/testing/selftests/landlock/tsync_test.c
+++ b/tools/testing/selftests/landlock/tsync_test.c
@@ -6,9 +6,10 @@
*/
#define _GNU_SOURCE
+#include <linux/landlock.h>
#include <pthread.h>
+#include <signal.h>
#include <sys/prctl.h>
-#include <linux/landlock.h>
#include "common.h"
@@ -158,4 +159,92 @@ TEST(competing_enablement)
EXPECT_EQ(0, close(ruleset_fd));
}
+static void signal_nop_handler(int sig)
+{
+}
+
+struct signaler_data {
+ pthread_t target;
+ volatile bool stop;
+};
+
+static void *signaler_thread(void *data)
+{
+ struct signaler_data *sd = data;
+
+ while (!sd->stop)
+ pthread_kill(sd->target, SIGUSR1);
+
+ return NULL;
+}
+
+/*
+ * Number of idle sibling threads. This must be large enough that even on
+ * machines with many cores, the sibling threads cannot all complete their
+ * credential preparation in a single parallel wave, otherwise the signaler
+ * thread has no window to interrupt wait_for_completion_interruptible().
+ * 200 threads on a 64-core machine yields ~3 serialized waves, giving the
+ * tight signal loop enough time to land an interruption.
+ */
+#define NUM_IDLE_THREADS 200
+
+/*
+ * Exercises the tsync interruption and cancellation paths in tsync.c.
+ *
+ * When a signal interrupts the calling thread while it waits for sibling
+ * threads to finish their credential preparation
+ * (wait_for_completion_interruptible in landlock_restrict_sibling_threads),
+ * the kernel sets ERESTARTNOINTR, cancels queued task works that have not
+ * started yet (cancel_tsync_works), then waits for the remaining works to
+ * finish. On the error return, syscalls.c aborts the prepared credentials.
+ * The kernel automatically restarts the syscall, so userspace sees success.
+ */
+TEST(tsync_interrupt)
+{
+ size_t i;
+ pthread_t threads[NUM_IDLE_THREADS];
+ pthread_t signaler;
+ struct signaler_data sd;
+ struct sigaction sa = {};
+ const int ruleset_fd = create_ruleset(_metadata);
+
+ disable_caps(_metadata);
+
+ /* Install a no-op SIGUSR1 handler so the signal does not kill us. */
+ sa.sa_handler = signal_nop_handler;
+ sigemptyset(&sa.sa_mask);
+ ASSERT_EQ(0, sigaction(SIGUSR1, &sa, NULL));
+
+ ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
+
+ for (i = 0; i < NUM_IDLE_THREADS; i++)
+ ASSERT_EQ(0, pthread_create(&threads[i], NULL, idle, NULL));
+
+ /*
+ * Start a signaler thread that continuously sends SIGUSR1 to the
+ * calling thread. This maximizes the chance of interrupting
+ * wait_for_completion_interruptible() in the kernel's tsync path.
+ */
+ sd.target = pthread_self();
+ sd.stop = false;
+ ASSERT_EQ(0, pthread_create(&signaler, NULL, signaler_thread, &sd));
+
+ /*
+ * The syscall may be interrupted and transparently restarted by the
+ * kernel (ERESTARTNOINTR). From userspace, it should always succeed.
+ */
+ EXPECT_EQ(0, landlock_restrict_self(ruleset_fd,
+ LANDLOCK_RESTRICT_SELF_TSYNC));
+
+ sd.stop = true;
+ ASSERT_EQ(0, pthread_join(signaler, NULL));
+
+ for (i = 0; i < NUM_IDLE_THREADS; i++) {
+ ASSERT_EQ(0, pthread_cancel(threads[i]));
+ ASSERT_EQ(0, pthread_join(threads[i], NULL));
+ }
+
+ EXPECT_EQ(0, close(ruleset_fd));
+}
+
TEST_HARNESS_MAIN
--
2.53.0
^ permalink raw reply related
* Re: [PATCH 0/3] Firmware LSM hook
From: Leon Romanovsky @ 2026-03-10 19:30 UTC (permalink / raw)
To: Paul Moore
Cc: James Morris, Serge E. Hallyn, Jason Gunthorpe, Saeed Mahameed,
Itay Avraham, Dave Jiang, Jonathan Cameron, linux-security-module,
linux-kernel, linux-rdma, Chiara Meiohas, Maher Sanalla,
Edward Srouji
In-Reply-To: <CAHC9VhTKsOYrs8Wh-O548=2gE7N_gkBy+q05+atcR=D+30uQ=w@mail.gmail.com>
On Tue, Mar 10, 2026 at 02:24:40PM -0400, Paul Moore wrote:
> On Tue, Mar 10, 2026 at 5:07 AM Leon Romanovsky <leon@kernel.org> wrote:
> > On Mon, Mar 09, 2026 at 07:10:25PM -0400, Paul Moore wrote:
> > > On Mon, Mar 9, 2026 at 3:37 PM Leon Romanovsky <leon@kernel.org> wrote:
> > > > On Mon, Mar 09, 2026 at 02:32:39PM -0400, Paul Moore wrote:
> > > > > On Mon, Mar 9, 2026 at 7:15 AM Leon Romanovsky <leon@kernel.org> wrote:
>
> ...
>
> > > > > Hi Leon,
> > > > >
> > > > > At the link below, you'll find guidance on submitting new LSM hooks.
> > > > > Please take a look and let me know if you have any questions.
> > > > >
> > > > > https://github.com/LinuxSecurityModule/kernel/blob/main/README.md#new-lsm-hooks
> > > >
> > > > I assume that you are referring to this part:
> > >
> > > I'm referring to all of the guidance, but yes, at the very least that
> > > is something that I think we need to see in a future revision of this
> > > patchset.
> > >
> > > > * New LSM hooks must demonstrate their usefulness by providing a meaningful
> > > > implementation for at least one in-kernel LSM. The goal is to demonstrate
> > > > the purpose and expected semantics of the hooks. Out of tree kernel code,
> > > > and pass through implementations, such as the BPF LSM, are not eligible
> > > > for LSM hook reference implementations.
> > > >
> > > > The point is that we are not inspecting a kernel call, but the FW mailbox,
> > > > which has very little meaning to the kernel. From the kernel's perspective,
> > > > all relevant checks have already been performed, but the existing capability
> > > > granularity does not allow us to distinguish between FW_CMD1 and FW_CMD2.
> > >
> > > It might help if you could phrase this differently, as I'm not
> > > entirely clear on your argument. LSMs are not limited to enforcing
> > > access controls on requests the kernel understands (see the SELinux
> > > userspace object manager concept), and the idea of access controls
> > > with greater granularity than capabilities is one of the main reasons
> > > people look to LSMs for access control (SELinux, AppArmor, Smack,
> > > etc.).
> >
> > I should note that my understanding of LSM is limited, so some parts of my
> > answers may be inaccurate.
> >
> > What I am referring to is a different level of granularity — specifically,
> > the internals of the firmware commands. In the proposed approach, BPF
> > programs would make decisions based on data passed through the mailbox.
> > That mailbox format varies across vendors, and may even differ between
> > firmware versions from the same vendor.
>
> That helps, thank you.
>
> > > > Here we propose a generic interface that can be applied to all FWCTL
> > > > devices without out-of-tree kernel code at all.
> > >
> > > I expected to see a patch implementing some meaningful support for
> > > access controls using these hooks in one of the existing LSMs, I did
> > > not see that in this patchset.
> >
> > In some cases, the mailbox is forwarded from user space unchanged, but
> > in others the kernel modifies it before submitting it to the FW.
>
> Without a standard format, opcode definitions, etc. I suspect
> integrating this into an LSM will present a number of challenges.
The opcode is relatively easy to extract from the mailbox and pass to the LSM.
All drivers implement some variant of mlx5ctl_validate_rpc()/devx_is_general_cmd()
to validate the opcode. The problem is that this check alone is not sufficient.
> Instead of performing an LSM access control check before submitting
> the firmware command, it might be easier from an LSM perspective to
> have the firmware call into the kernel/LSM for an access control
> decision before performing a security-relevant action.
Ultimately, the LSM must make a decision for each executed firmware
command. This will need to be handled one way or another, and will
likely require parsing the mailbox again.
> This removes the challenge of parsing/interpreting the arbitrary firmware commands,
> but it does add some additional complexity of having to generically
> represent the security relevant actions the firmware might request
The difference here is that the proposed LSM hook is intended to disable
certain functionality provided by the firmware, effectively depending on
the operator’s preferences.
This is not a security‑sensitive operation that requires strict
restriction.
> (this is somewhat similar to how the LSM framework doesn't necessarily
> hook the syscalls, but the actions the syscalls perform). Yes, one
> does have to trust the firmware in this approach, but given the
> relationship between the firmware and associated hardware, I think
> users are implicitly required to trust their firmware in the vast
> majority of cases.
They trust the firmware and the kernel, but they do not trust the actual
non‑privileged users of that firmware.
Thanks
>
> --
> paul-moore.com
>
^ permalink raw reply
* Re: [PATCH v4 02/17] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
From: Eric Biggers @ 2026-03-10 21:11 UTC (permalink / raw)
To: Thomas Weißschuh
Cc: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng,
Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity
In-Reply-To: <20260113-module-hashes-v4-2-0b932db9b56b@weissschuh.net>
On Tue, Jan 13, 2026 at 01:28:46PM +0100, Thomas Weißschuh wrote:
> When CONFIG_MODULE_SIG is disabled set_module_sig_enforced() is defined
> as an empty stub, so the check is unnecessary.
> The specific configuration option for set_module_sig_enforced() is
> about to change and removing the check avoids some later churn.
>
> Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
> ---
> arch/powerpc/kernel/ima_arch.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
- Eric
^ permalink raw reply
* Re: [PATCH v4 03/17] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
From: Eric Biggers @ 2026-03-10 21:11 UTC (permalink / raw)
To: Thomas Weißschuh
Cc: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng,
Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity
In-Reply-To: <20260113-module-hashes-v4-3-0b932db9b56b@weissschuh.net>
On Tue, Jan 13, 2026 at 01:28:47PM +0100, Thomas Weißschuh wrote:
> When configuration settings are disabled the guarded functions are
> defined as empty stubs, so the check is unnecessary.
> The specific configuration option for set_module_sig_enforced() is
> about to change and removing the checks avoids some later churn.
>
> Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
> ---
> security/integrity/ima/ima_efi.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
- Eric
^ permalink raw reply
* Re: [PATCH v4 04/17] module: Make mod_verify_sig() static
From: Eric Biggers @ 2026-03-10 21:12 UTC (permalink / raw)
To: Thomas Weißschuh
Cc: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng,
Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity
In-Reply-To: <20260113-module-hashes-v4-4-0b932db9b56b@weissschuh.net>
On Tue, Jan 13, 2026 at 01:28:48PM +0100, Thomas Weißschuh wrote:
> It is not used outside of signing.c.
>
> Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
> ---
> kernel/module/internal.h | 1 -
> kernel/module/signing.c | 2 +-
> 2 files changed, 1 insertion(+), 2 deletions(-)
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
- Eric
^ permalink raw reply
* Re: [PATCH v2] landlock: Fix kernel-doc warning for pointer-to-array parameters
From: Günther Noack @ 2026-03-10 21:13 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Günther Noack, linux-security-module, Jonathan Corbet
In-Reply-To: <20260310172004.1839864-1-mic@digikod.net>
On Tue, Mar 10, 2026 at 06:20:03PM +0100, Mickaël Salaün wrote:
> The insert_rule() and create_rule() functions take a
> pointer-to-flexible-array parameter declared as:
>
> const struct landlock_layer (*const layers)[]
>
> The kernel-doc parser cannot handle a qualifier between * and the
> parameter name in this syntax, producing spurious "Invalid param" and
> "not described" warnings.
>
> Remove the const qualifier of the "layers" argument to avoid this
> parsing issue.
>
> Cc: Günther Noack <gnoack@google.com>
> Cc: Jonathan Corbet <corbet@lwn.net>
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> ---
>
> Changes since v1:
> https://lore.kernel.org/r/20260304193134.250495-1-mic@digikod.net
> - Remove const instead of using a typedef (suggested by Günther).
> ---
> security/landlock/ruleset.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
> index 3234a5bc11ff..181df7736bb9 100644
> --- a/security/landlock/ruleset.c
> +++ b/security/landlock/ruleset.c
> @@ -107,7 +107,7 @@ static bool is_object_pointer(const enum landlock_key_type key_type)
>
> static struct landlock_rule *
> create_rule(const struct landlock_id id,
> - const struct landlock_layer (*const layers)[], const u32 num_layers,
> + const struct landlock_layer (*layers)[], const u32 num_layers,
> const struct landlock_layer *const new_layer)
> {
> struct landlock_rule *new_rule;
> @@ -206,7 +206,7 @@ static void build_check_ruleset(void)
> */
> static int insert_rule(struct landlock_ruleset *const ruleset,
> const struct landlock_id id,
> - const struct landlock_layer (*const layers)[],
> + const struct landlock_layer (*layers)[],
> const size_t num_layers)
> {
> struct rb_node **walker_node;
> --
> 2.53.0
>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox