Hello, I would like to request the backport of the commit below to address a kernel panic in ocfs2 that was identified by Valentin Vidić in this thread: https://lore.kernel.org/linux-security-module/20230401214151.1243189-1-vvidic@xxxxxxxxxxxxxxxxxxxxxx While Valentin provides his own patch in the original message, the preferred patch is one that went up to Linus during the last merge window; Valentin has tested the patch and confirmed that it resolved the reported problem. commit de3004c874e740304cc4f4a83d6200acb511bbda Author: Roberto Sassu <roberto.sassu@xxxxxxxxxx> Date: Tue Mar 14 09:17:16 2023 +0100 ocfs2: Switch to security_inode_init_security() In preparation for removing security_old_inode_init_security(), switch to security_inode_init_security(). Extend the existing ocfs2_initxattrs() to take the ocfs2_security_xattr_info structure from fs_info, and populate the name/value/len triple with the first xattr provided by LSMs. As fs_info was not used before, ocfs2_initxattrs() can now handle the case of replicating the behavior of security_old_inode_init_security(), i.e. just obtaining the xattr, in addition to setting all xattrs provided by LSMs. Supporting multiple xattrs is not currently supported where security_old_inode_init_security() was called (mknod, symlink), as it requires non-trivial changes that can be done at a later time. Like for reiserfs, even if EVM is invoked, it will not provide an xattr (if it is not the first to set it, its xattr will be discarded; if it is the first, it does not have xattrs to calculate the HMAC on). Finally, since security_inode_init_security(), unlike security_old_inode_init_security(), returns zero instead of -EOPNOTSUPP if no xattrs were provided by LSMs or if inodes are private, additionally check in ocfs2_init_security_get() if the xattr name is set. If not, act as if security_old_inode_init_security() returned -EOPNOTSUPP, and set si->enable to zero to notify to the functions following ocfs2_init_security_get() that no xattrs are available. Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> Reviewed-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> Acked-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx> Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx> -- paul-moore.com
