<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/security, branch v7.2-rc1</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Merge tag 'apparmor-pr-2026-06-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor</title>
<updated>2026-06-24T19:33:40+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-24T19:33:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6535a84bfdc4ab56fc901cbd9bd0d1a22315aa93'/>
<id>6535a84bfdc4ab56fc901cbd9bd0d1a22315aa93</id>
<content type='text'>
Pull apparmor updates from John Johansen:
 "Another round of bug fixing and some code cleanups, there are no new
  features. The biggest thing to note is Georgia is being added to help
  co-maintain apparmor.

  Cleanups:
   - replace get_zeroed_page() with kzalloc()
   - remove unnecessary goto and associated label
   - change fn_label_build() to return err on failure instead of NULL or
     err
   - free rawdata as soon as possible
   - use explicit instead of implicit flex array in rawdata_f_data
   - use __label_make_stale in __aa_proxy_redirect
   - return correct error by propagating -ENOMEM correctly in unpack_table
   - aa_label_alloc use aa_label_free on alloc failure
   - add a conditional version of get_newest_label

  Bug Fixes:
   - mediate the implicit connect of TCP fast open sendmsg
   - fix C23ism of label immediately before a declaration
   - fix kernel-doc warnings
   - fix spelling mistakes
   - fix use-after-free in rawdata dedup loop
   - Fix inverted comparison in cache_hold_inc()
   - fix uninitialized pointer passed to audit_log_untrustedstring()
   - don't audit files pointing to aa_null.dentry
   - put secmark label after secid lookup
   - fix aa_getprocattr free procattr leak on format failure
   - release exe file resources on path failure
   - fail policy unpack on accept2 allocation failure
   - Fix return in ns_mkdir_op
   - remove or add symlinks to rawdata according to export_binary
   - fix NULL pointer dereference in unpack_pdb
   - fix potential UAF in aa_replace_profiles
   - grab ns lock and refresh when looking up changehat child profiles
   - enable differential encoding
   - check label build before no_new_privs test
   - conditionally compile get_loaddata_common_ref()
   - fix unix socket mediation cache update, and leak"

* tag 'apparmor-pr-2026-06-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (35 commits)
  apparmor: advertise the tcp fast open fix is applied
  apparmor: mediate the implicit connect of TCP fast open sendmsg
  apparmor: fix label can not be immediately before a declaration
  apparmor: fix kernel-doc warnings
  apparmor: replace get_zeroed_page() with kzalloc()
  security: apparmor: fix two spelling mistakes
  apparmor: fix use-after-free in rawdata dedup loop
  apparmor: Fix inverted comparison in cache_hold_inc()
  apparmor: fix uninitialised pointer passed to audit_log_untrustedstring()
  apparmor: don't audit files pointing to aa_null.dentry
  apparmor: put secmark label after secid lookup
  apparmor: aa_getprocattr free procattr leak on format failure
  apparmor: remove unnecessary goto and associated label
  apparmor: release exe file resources on path failure
  apparmor: fail policy unpack on accept2 allocation failure
  apparmor: Fix return in ns_mkdir_op
  apparmor: remove or add symlinks to rawdata according to export_binary
  apparmor: fix NULL pointer dereference in unpack_pdb
  apparmor: make fn_label_build() capable of handling not supported
  apparmor: change fn_label_build() call to not return NULL
  ...
</content>
</entry>
<entry>
<title>apparmor: advertise the tcp fast open fix is applied</title>
<updated>2026-06-24T05:15:15+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2026-06-22T23:34:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2f6701a5ce6257ae7a64ddc6d89d0a08d2a034f8'/>
<id>2f6701a5ce6257ae7a64ddc6d89d0a08d2a034f8</id>
<content type='text'>
The fix for tcp-fast-open ensures that the connect permission is being
mediated correctly but it didn't add an artifact to the feature set to
advertise the fix is available. Add an artifact so that the test suite
can identify if the fix has not been properly applied or a new
unexpected regression has occurred.

Fixes: 4d587cd8a7215 ("apparmor: mediate the implicit connect of TCP fast open sendmsg")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: mediate the implicit connect of TCP fast open sendmsg</title>
<updated>2026-06-23T07:16:59+00:00</updated>
<author>
<name>Bryam Vargas</name>
<email>hexlabsecurity@proton.me</email>
</author>
<published>2026-06-22T20:57:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4d587cd8a72155089a627130bbd4716ec0856e21'/>
<id>4d587cd8a72155089a627130bbd4716ec0856e21</id>
<content type='text'>
sendmsg()/sendto() with MSG_FASTOPEN is a combination of connect(2) and
write(2): it opens the connection in the SYN. apparmor_socket_sendmsg()
only checks AA_MAY_SEND, so a profile that grants send but denies connect
lets a confined task open an outbound TCP/MPTCP connection that connect(2)
would have refused, bypassing connect mediation.

Mediate the implicit connect when MSG_FASTOPEN is set and a destination
is supplied. Add it to apparmor_socket_sendmsg() (not the shared
aa_sock_msg_perm() helper, which recvmsg also uses) and call aa_sk_perm()
directly, mirroring the selinux and tomoyo fixes. sk_is_tcp() does not
cover MPTCP fast open, so the SOCK_STREAM/IPPROTO_MPTCP arm is explicit.

Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux</title>
<updated>2026-06-19T19:20:25+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-19T19:20:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5e2e14749c3d969e263a879db104db6e9f0eb484'/>
<id>5e2e14749c3d969e263a879db104db6e9f0eb484</id>
<content type='text'>
Pull landlock updates from Mickaël Salaün:
 "This adds new Landlock access rights to control UDP bind and
  connect/send operations, and a new "quiet" feature to mute specific
  audit logs (and other future observability events).

  A few commits also fix Landlock issues"

* tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (24 commits)
  selftests/landlock: Add tests for invalid use of quiet flag
  selftests/landlock: Add tests for quiet flag with scope
  selftests/landlock: Add tests for quiet flag with net rules
  selftests/landlock: Add tests for quiet flag with fs rules
  selftests/landlock: Replace hard-coded 16 with a constant
  samples/landlock: Add quiet flag support to sandboxer
  landlock: Suppress logging when quiet flag is present
  landlock: Add API support and docs for the quiet flags
  landlock: Add a place for flags to layer rules
  landlock: Add documentation for UDP support
  samples/landlock: Add sandboxer UDP access control
  selftests/landlock: Add tests for UDP send
  selftests/landlock: Add tests for UDP bind/connect
  landlock: Add UDP send+connect access control
  landlock: Add UDP bind() access control
  landlock: Fix unmarked concurrent access to socket family
  selftests/landlock: Explicitly disable audit in teardowns
  selftests/landlock: Test SCOPE_SIGNAL on the SIGIO/fowner pgid path
  landlock: Fix LANDLOCK_SCOPE_SIGNAL bypass on the SIGIO path
  landlock: Demonstrate best-effort allowed_access filtering
  ...
</content>
</entry>
<entry>
<title>Merge tag 'for-next-keys-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd</title>
<updated>2026-06-19T19:14:08+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-19T19:14:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e2c0595b56e9526e67ddd228fc35fa9ff20724ec'/>
<id>e2c0595b56e9526e67ddd228fc35fa9ff20724ec</id>
<content type='text'>
Pull keys update from Jarkko Sakkinen:
 "This contains only bug fixes"

* tag 'for-next-keys-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
  keys: keyctl_pkey: replace BUG with return -EOPNOTSUPP
  keys: request_key: replace BUG with return -EINVAL
  keys: Pin request_key_auth payload in instantiate paths
  keys: prevent slab cache merging for key_jar
  keys: Replace strcpy(derived_buf, "AUTH_KEY") with strscpy(..., HASH_SIZE)
  KEYS: Use acquire when reading state in keyring search
  keys/trusted_keys: mark 'migratable' as __ro_after_init
  keys: use kmalloc_flex in user_preparse
  KEYS: trusted: Debugging as a feature
  KEYS: encrypted: Remove unnecessary selection of CRYPTO_RNG
  KEYS: fix overflow in keyctl_pkey_params_get_2()
</content>
</entry>
<entry>
<title>Merge tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity</title>
<updated>2026-06-19T18:32:05+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-19T18:32:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=0798268aa4c26ece25020b3ddeeef9a5941209c0'/>
<id>0798268aa4c26ece25020b3ddeeef9a5941209c0</id>
<content type='text'>
Pull IMA updates from Mimi Zohar:

 - Introduce IMA and EVM post-quantum ML-DSA signature support

   ML-DSA signature support for IMA and EVM is limited to sigv3
   signatures, which calculate and verify a hash of a compact
   structure containing the file data/metadata hash, hash type, and hash
   algorithm. IMA and EVM still calculate the file data/metadata hashes
   respectively.

 - Introduce support for removing IMA measurement list records stored in
   kernel memory

   The IMA measurement list can grow large depending on policy, but
   removing records breaks remote attestation, unless they are safely
   preserved and made available for attestation requests. Until
   environments are prepared to preserve the measurement records, a new
   CONFIG_IMA_STAGING Kconfig option is introduced to guard against
   deletion.

   Several approaches for removing measurement list records were
   evaluated but rejected due to filesystem constraints, the
   introduction of a new critical data record, and locking concerns. Two
   methods are being upstreamed: staged deletion with confirmation, and
   staged deletion of N records without confirmation. Both methods
   minimize the period during which new measurements are blocked from
   being appended to the measurement list by staging the measurement
   list.

   A comparison of the two methods is included in the documentation.

 - Some code cleanup, and a couple of bug fixes

* tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  doc: security: Add documentation of exporting and deleting IMA measurements
  ima: Support staging and deleting N measurements records
  ima: Add support for flushing the hash table when staging measurements
  ima: Add support for staging measurements with prompt
  ima: Introduce ima_dump_measurement()
  ima: Use snprintf() in create_securityfs_measurement_lists
  ima: Mediate open/release method of the measurements list
  ima: Introduce _ima_measurements_start() and _ima_measurements_next()
  ima: Introduce per binary measurements list type binary_runtime_size value
  ima: Introduce per binary measurements list type ima_num_records counter
  ima: Replace static htable queue with dynamically allocated array
  ima: Remove ima_h_table structure
  evm: terminate and bound the evm_xattrs read buffer
  integrity: Add support for sigv3 verification using ML-DSA keys
  integrity: Refactor asymmetric_verify for reusability
  integrity: Check that algo parameter is within valid range
  integrity: Check for NULL returned by asymmetric_key_public_key
  ima: return error early if file xattr cannot be changed
  ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG
</content>
</entry>
<entry>
<title>Merge tag 'selinux-pr-20260615' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux</title>
<updated>2026-06-17T11:41:00+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-17T11:41:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=231e9d447ea97033ae8b8dff7b910e6269d7c5af'/>
<id>231e9d447ea97033ae8b8dff7b910e6269d7c5af</id>
<content type='text'>
Pull selinux updates from Paul Moore:
 "A number of SELinux patches, almost all of which are either minor
  fixes or hardening patches:

   - Additional verifications when loading new SELinux policy

     Multiple patches by Christian Göttsche to add additional
     validations to the code responsible for loading and parsing SELinux
     policy as it is loaded into the kernel.

   - Avoid nontransitive comparisons in our sorting code

     Done to prevent unexpected sorting results due to overflow. Qualys
     documented a similar issue with glibc

	https://www.qualys.com/2024/01/30/qsort.txt

   - Consistently use u16 for SELinux security classes

   - Move from page allocations to kmalloc() based allocations

     Unfortunately one of these patches had to be reverted, but you
     should see a fixed version during the next merge window.

   - Move from kmalloc_objs() to kzalloc_objs() in the policy load code

   - Reorder sel_kill_sb() slightly to match other pseudo filesystems

   - Simplify things with QSTR() instead of QSTR_INIT()

   - Minor comment typo fixes"

* tag 'selinux-pr-20260615' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: revert use of __getname() in selinux_genfs_get_sid()
  selinux: comment spelling fix in ibpkey.c
  selinux: comment typo fix in selinuxfs.c
  selinux: hooks: use __getname() to allocate path buffer
  selinux: use k[mz]alloc() to allocate temporary buffers
  selinux: check for simple types
  selinux: more strict bounds check
  selinux: beef up isvalid checks
  selinux: reorder policydb_index()
  selinux: check type attr map overflows
  selinux: check length fields in policies
  selinux: more strict policy parsing
  selinux: use u16 for security classes
  selinux: avoid nontransitive comparison
  selinux: switch two allocations to use kzalloc_objs()
  selinux: fix sel_kill_sb()
  selinux: use QSTR() instead of QSTR_INIT() in init_sel_fs
</content>
</entry>
<entry>
<title>Merge tag 'lsm-pr-20260615' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm</title>
<updated>2026-06-17T11:34:16+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-17T11:34:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=87599bd29856ea7bfdd62591c581c8be5a4719ee'/>
<id>87599bd29856ea7bfdd62591c581c8be5a4719ee</id>
<content type='text'>
Pull lsm update from Paul Moore:
 "A single LSM update to the security_inode_listsecurity() hook to be able
  to leverage the xattr_list_one() helper function.

  We wanted to do this for a while, but we needed to fixup the callers
  in the NFS code first. With the NFS code changes shipping in Linux
  v7.0 and no one complaining, it seemed a good time to complete the
  shift"

* tag 'lsm-pr-20260615' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
  security,fs,nfs,net: update security_inode_listsecurity() interface
</content>
</entry>
<entry>
<title>Merge tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next</title>
<updated>2026-06-17T07:17:00+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-17T07:17:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b85966adbf5de0668a815c6e3527f87e0c387fb4'/>
<id>b85966adbf5de0668a815c6e3527f87e0c387fb4</id>
<content type='text'>
Pull networking updates from Jakub Kicinski:
 "Core &amp; protocols:

   - Work on removing rtnl_lock protection throughout the stack
     continues. In this chapter:
       - don't use rtnl_lock for IPv6 multicast routing configuration
       - don't take rtnl_lock in ethtool for modern drivers
       - prepare Qdisc dump callbacks for rtnl_lock removal

   - Support dumping just ifindex + name of all interfaces, under RCU.
     It's a common operation for Netlink CLI tools (when translating
     names to ifindexes) and previously required full rtnl_lock.

   - Support dumping qdiscs and page pools for a specific netdev. Even
     tho user space wants a dump of all netdevs, most of the time, the
     OOO programming model results in repeating the dump for each
     netdev. Which, in absence of a cache, leads to a O(n^2) behavior.

   - Flush nexthops once on multi-nexthop removal (e.g. when device goes
     down), another O(n^2) -&gt; O(n) improvement.

   - Rehash locally generated traffic to a different nexthop on
     retransmit timeout.

   - Honor oif when choosing nexthop for locally generated IPv6 traffic.

   - Convert TCP Auth Option to crypto library, and drop non-RFC algos.

   - Increase subflow limits in MPTCP to 64 and endpoint limit to 256.

   - Support MPTCP signaling of IPv6 address + port (ADD_ADDR). We need
     to selectively skip reporting of the standard TCP Timestamp option,
     because they won't fit into the header space together (12 + 30 &gt;
     40).

   - Support using bridge neighbor suppression, Duplicate Address
     Detection, Gratuitous ARP and unsolicited NA forwarding - in EVPN
     deployments, e.g. VXLAN fabrics (IPv4 and IPv6).

   - Improve link state reporting for upper netdevs (e.g. macvlan) over
     tunnel devices (again, mostly for EVPN deployments).

   - Support binding GENEVE tunnels to a local address.

   - Speed up UDP tunnel destruction (remove one synchronize_rcu()).

   - Support exponential field encoding in multicast (IGMPv3 and MLDv2).

   - Support attaching PSP crypto offload to containers (veth, netkit).

   - Add a new IPSec Netlink message XFRM_MSG_MIGRATE_STATE that allows
     migrating individual IPsec SAs independently of their policies.

     The existing XFRM_MSG_MIGRATE is tightly coupled to policy+SA
     migration, lacks SPI for unique SA identification, and cannot
     express reqid changes or migrate Transport mode selectors.

     The new interface identifies the SA via SPI and mark, supports
     reqid changes, address family changes, encap removal, and uses an
     atomic create+install flow under x-&gt;lock to prevent SN/IV reuse
     during AEAD SA migration.

   - Implement GRO/GSO support for PPPoE.

   - Convert sockopt callbacks in a number of protocols to iov_iter.

  Cross-tree stuff:

   - Remove support for Crypto TFM cloning (unblocked after the TCP Auth
     Option rework). This feature regressed performance for all crypto
     API users, since it changed crypto transformation objects into
     reference-counted objects.

   - Add FCrypt-PCBC implementation to rxrpc and remove it from the
     global crypto API as obsolete and insecure.

  Wireless:

   - Major rework of station bandwidth handling, fixing issues with
     lower capability than AP.

   - Cleanups for EMLSR spec issues (drafts differed).

   - More Neighbor Awareness Networking (Wi-Fi Aware) work (multicast,
     schedule improvements, multi-station etc.)

   - Some Ultra High Reliability (UHR) / IEEE 802.11bn (D1.4) work
     (e.g. non-primary channel access, UHR DBE support).

   - Fine Timing Measurement ranging (i.e. distance measurement) APIs.

  Netfilter:

   - Use per-rule hash initval in nf_conncount. This avoids unnecessary
     lock contention with short keys (e.g. conntrack zones) in different
     namespaces.

   - Various safety improvements, both in packet parsing and object
     lifetimes. Notably add refcounts to conntrack timeout policy.

  Deletions:

   - Remove TLS + sockmap integration. TLS wants to pin user pages to
     avoid a copy, and sockmap wants to write to the input stream. More
     work on this integration is clearly needed, and we can't find any
     users (original author admitted that they never deployed it).

   - Remove support for TLS offload with TCP Offload Engine (the far
     more common opportunistic offload is retained). The locking looks
     unfixable (driver sleeps under TCP spin locks) and people from the
     vendor that added this are AWOL.

   - Remove more ATM code, trying to leave behind only what PPPoATM
     needs, AAL5 and br2684 with permanent circuits.

   - Remove AppleTalk. Let it join hamradio in our out of tree protocol
     graveyard, I mean, repository.

   - Disable 32-bit x_tables compatibility (32bit binaries on 64bit
     kernel) interface in user namespaces. To be deleted completely,
     soon.

   - Remove 5/10 MHz support from cfg80211/mac80211.

  Drivers:

   - Software:
       - Support DEVMEM/DMABUF Tx over NETMEM_TX_NO_DMA devices (netkit)
       - bonding: add knob to strictly follow 802.3ad for link state

   - New drivers:
       - Alibaba Elastic Ethernet Adaptor (cloud vNIC).
       - NXP NETC switch within i.MX94.

   - DPLL:
       - Add operational state to pins (implement in zl3073x).
       - Add generic DPLL type, for daisy-chaining DPLLs (implement in ice).

   - Ethernet high-speed NICs:
       - Huawei (hinic3):
           - enhance tc flow offload support with queue selection,
             tunnels
       - nVidia/Mellanox:
           - avoid over-copying payload to the skb's linear part (up to
             60% win for LRO on slow CPUs like ARM64 V2)
           - expose more per-queue stats over the standard API
           - support additional, unprivileged PFs in the DPU
             configuration
           - support Socket Direct (multi-PF) with switchdev offloads
           - add a pool / frag allocator for DMA mapped buffers for
             control objects, save memory on systems with 64kB page size
           - take advantage of the ability to dynamically change RSS
             table size, even when table is configured by the user
           - increase the max RSS table size for even traffic
             distribution

   - Ethernet NICs:
       - Marvell/Aquantia:
           - AQC113 PTP support
       - Realtek USB (r8152):
           - support 10Gbit Link Speeds and Energy-Efficient Ethernet
             (EEE)
           - support firmware loaded (for RTL8157/RTL8159)
           - support for the RTL8159
       - Intel (ixgbe):
           - support Energy-Efficient Ethernet (EEE) on E610 devices

   - Ethernet switches:
       - Airoha:
           - support multiple netdevs on a single GDM block / port
       - Marvell (mv88e6xxx):
           - support SERDES of mv88e6321
       - Microchip (ksz8/9):
           - rework the driver callbacks to remove one indirection layer
       - Motorcomm (yt921x):
           - support port rate policing
           - support TBF qdisc offload
           - support ACL/flower offload
       - nVidia/Mellanox:
           - expose per-PG rx_discards
       - Realtek:
           - rtl8365mb: bridge offloading and VLAN support

   - Ethernet PHYs:
       - Airoha:
           - support Airoha AN8801R Gigabit PHYs.
       - Micrel:
           - implement 3 low-loss cable tunables
       - Realtek:
           - support MDI swapping for RTL8226-CG
           - support MDIO for RTL931x
       - Qualcomm:
           - at803x: Rx and Tx clock management for IPQ5018 PHY
       - Motorcomm:
           - support YT8522 100M RMII PHY
           - set drive strength in YT8531s RGMII
       - TI:
           - dp83822: add optional external PHY clock

   - Bluetooth:
       - hci_sync: add support for HCI_LE_Set_Host_Feature [v2]
       - SMP: use AES-CMAC library API
       - Intel:
           - support Product level reset
           - support smart trigger dump
       - Mediatek:
           - add event filter to filter specific event
       - Realtek:
           - fix RTL8761B/BU broken LE extended scan

   - WiFi:
       - Broadcom (b43):
           - new support for an 11n device
       - MediaTek (mt76):
           - support mt7927
           - mt792x: broken usb transport detection
           - mt7921: regulatory improvements
       - Qualcomm (ath9k):
           - GPIO interface improvements
       - Qualcomm (ath12k):
           - WDS support
           - replace dynamic memory allocation in WMI Rx path
           - thermal throttling/cooling device support
           - 6 GHz incumbent interference detection
           - channel 177 in 5 GHz
       - Realtek (rt89):
           - RTL8922AU support
           - USB 3 mode switch for performance
           - better monitor radiotap support
           - RTL8922DE preparations"

* tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (1778 commits)
  ipv4: fib_rule: Move fib4_rules_exit() to -&gt;exit().
  net: serialize netif_running() check in enqueue_to_backlog()
  net: skmsg: preserve sg.copy across SG transforms
  appletalk: move the protocol out of tree
  appletalk: stop storing per-interface state in struct net_device
  selftests/bpf: test that TLS crypto is rejected on a sockmap socket
  selftests/bpf: drop the unused kTLS program from test_sockmap
  selftests/bpf: remove sockmap + ktls tests
  tls: remove dead sockmap (psock) handling from the SW path
  tls: reject the combination of TLS and sockmap
  atm: remove orphaned uAPI for deleted drivers, protocols and SVCs
  atm: remove unused ATM PHY operations
  atm: remove the unused pre_send and send_bh device operations
  atm: remove the unused change_qos device operation
  atm: remove SVC socket support and the signaling daemon interface
  atm: remove the local ATM (NSAP) address registry
  atm: remove dead SONET PHY ioctls
  atm: remove the unused send_oam / push_oam callbacks
  atm: remove AAL3/4 transport support
  net: dsa: sja1105: fix lastused timestamp in flower stats
  ...
</content>
</entry>
<entry>
<title>keys: keyctl_pkey: replace BUG with return -EOPNOTSUPP</title>
<updated>2026-06-15T12:19:13+00:00</updated>
<author>
<name>Mohammed EL Kadiri</name>
<email>med08elkadiri@gmail.com</email>
</author>
<published>2026-06-15T12:11:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1b9524250996b1f2f49833a1b2ae21c34e486f85'/>
<id>1b9524250996b1f2f49833a1b2ae21c34e486f85</id>
<content type='text'>
Replace two BUG() calls in keyctl_pkey_params_get_2() and
keyctl_pkey_e_d_s() default cases with -EOPNOTSUPP, matching
the error style already used in these functions.

Signed-off-by: Mohammed EL Kadiri &lt;med08elkadiri@gmail.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
</feed>
