[GIT PULL 14/16 for v7.2] vfs xattr
From: Christian Brauner
Date: Fri Jun 12 2026 - 11:22:00 EST
Hey Linus,

/* Summary */

This reworks the simple xattr api to make it more efficient and easier
to use for all consumers.

The simple_xattr hash table moves from the inode into a per-superblock
cache, removing the per-inode overhead for the common case of few or
no xattrs. The interface now passes struct simple_xattrs ** so lazy
allocation is handled internally instead of by every caller, kernfs
xattr operations on kernfs nodes shared between multiple superblocks
are properly serialized, and tmpfs constructs "security.foo" xattr
names with kasprintf() instead of kmalloc() plus two memcpy()s.

A follow-up fix links kernfs nodes to their parent before the LSM init
hook runs: with the per-sb cache kernfs_xattr_set() computes the cache
via kernfs_root(kn), which faulted on a freshly allocated node when
selinux_kernfs_init_security() called into it - reproducible as a NULL
pointer dereference on the first cgroup mkdir on SELinux-enabled
systems.

On top of this bpffs gains support for trusted.* and security.* xattrs
so that user space and BPF LSM programs can attach metadata - for
example a content hash or a security label - to pinned objects and
directories and inspect it uniformly like on other filesystems. The
store is in-memory and non-persistent, living only for the lifetime of
the mount like everything else in bpffs.

/* Testing */

gcc (Debian 14.2.0-19) 14.2.0
Debian clang version 19.1.7 (3+b1)

No build failures or warnings were observed.

/* Conflicts */

Merge conflicts with mainline
=============================

No known conflicts.

Merge conflicts with other trees
================================

This has merge conflicts with the bpf-next tree in kernel/bpf/inode.c
between commit 9722955b54307 ("bpf: Add simple xattr support to
bpffs") from this tree and commit b93c55b4932dd ("bpf: fix UAF by
restoring RCU-delayed inode freeing in bpffs") from the bpf-next tree,
and in include/linux/bpf.h. Reported in [1] and [2]; Daniel confirmed
the resolution in [3]. They can be resolved as follows:

[1]: https://lore.kernel.org/linux-next/aiF2rsdpUb5LuhmZ@xxxxxxxxxxxxx
[2]: https://lore.kernel.org/linux-next/aiamrLm8DnCP6dbw@xxxxxxxxxxxxx
[3]: https://lore.kernel.org/linux-next/8906796e-0542-46d2-bb92-9e49642d86dc@xxxxxxxxxxxxx

diff --cc kernel/bpf/inode.c
index c3f79b5a2f8c0,188c774a469ca..0000000000000
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@@ -842,9 -768,12 +842,13 @@@ static void bpf_destroy_inode(struct in
if (!bpf_inode_type(inode, &type))
bpf_any_put(inode->i_private, type);
+ simple_xattrs_free(&opts->xa_cache, &bi->xattrs, NULL);
}
+ /*
+ * Called after RCU grace period - safe to free inode and anything
+ * that might be accessed by RCU pathwalk (inode fields, i_link).
+ */
static void bpf_free_inode(struct inode *inode)
{
if (S_ISLNK(inode->i_mode))
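Review bot: In the resolved bpf_destroy_inode(), simple_xattrs_free(&opts->xa_cache, &bi->xattrs, NULL) runs before the RCU grace period, while the comment brought in directly below says that anything RCU pathwalk might access has to wait for bpf_free_inode(). Please confirm that no RCU-side reader can reach bi->xattrs, or move the free into bpf_free_inode(); a one-line comment at the call stating why it is safe at this point would settle it. The declarations of opts and bi are outside the visible context, so the resolution should also be checked to still carry them from this tree's side.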
diff --cc include/linux/bpf.h
index 64efc3fdb7163,62bba7a4876f5..0000000000000
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@@ -31,7 -32,8 +32,9 @@@
#include <linux/static_call.h>
#include <linux/memcontrol.h>
#include <linux/cfi.h>
+ #include <linux/key.h>
+ #include <linux/ftrace.h>
+#include <linux/xattr.h>
#include <asm/rqspinlock.h>
struct bpf_verifier_env;
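
Review bot: The resolved include block in include/linux/bpf.h adds <linux/xattr.h> after <linux/key.h> and <linux/ftrace.h>, so every user of bpf.h now pulls in the xattr header, and the hunk does not show what in bpf.h requires it. If the header only needs a pointer to an xattr type, a forward declaration would keep the include graph smaller; otherwise a short note in the resolution on which declaration depends on it would help. When applying the resolution, all three includes need to survive: the first two come from one side of the merge and <linux/xattr.h> from the other.
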
The following changes since commit 254f49634ee16a731174d2ae34bc50bd5f45e731:

  Linux 7.1-rc1 (2026-04-26 14:19:00 -0700)

are available in the Git repository at:

  git@xxxxxxxxxxxxxxxxxxx:pub/scm/linux/kernel/git/vfs/vfs tags/vfs-7.2-rc1.xattr

for you to fetch changes up to 9722955b54307e9070994f2382ec06af3d7405e0:

  bpf: Add simple xattr support to bpffs (2026-06-06 15:22:44 +0200)

----------------------------------------------------------------
vfs-7.2-rc1.xattr
Please consider pulling these changes from the signed vfs-7.2-rc1.xattr tag.
Thanks!
Christian
----------------------------------------------------------------
Christian Brauner (2):
      Merge patch series "Rework simple xattrs"
      kernfs: link kn to its parent before the LSM init hook

Daniel Borkmann (1):
      bpf: Add simple xattr support to bpffs

Miklos Szeredi (4):
      kernfs: fix xattr race condition with multiple superblocks
      tmpfs: simplify constructing "security.foo" xattr names
      simple_xattr: change interface to pass struct simple_xattrs **
      simpe_xattr: use per-sb cache

fs/kernfs/dir.c | 22 ++--
fs/kernfs/file.c | 13 +--
fs/kernfs/inode.c | 36 +++---
fs/kernfs/kernfs-internal.h | 24 +++-
fs/kernfs/mount.c | 2 +-
fs/pidfs.c | 45 ++-----
fs/xattr.c | 278 ++++++++++++++++++++++++++------------------
include/linux/bpf.h | 3 +
include/linux/kernfs.h | 11 +-
include/linux/shmem_fs.h | 3 +-
include/linux/xattr.h | 39 ++++---
kernel/bpf/inode.c | 256 +++++++++++++++++++++++++++++++++++++---
mm/shmem.c | 50 +++-----
net/socket.c | 30 ++---
14 files changed, 526 insertions(+), 286 deletions(-)