Re: [PATCH v2] debugfs: Fix lockdown check for mmap_prepare

From: Disha Goel

Date: Fri Jun 19 2026 - 07:12:29 EST


On 15/06/26 4:17 pm, Chun-Yi Lee wrote:
From: Chun-Yi Lee <jlee@xxxxxxxx>

Commit 651fdda8406d ("relay: update relay to use mmap_prepare")
changed the `mmap` file operation to `mmap_prepare` for relayfs, but
the lockdown check in debugfs was not updated accordingly.

This prevents debugfs from being locked down when the kernel is in
integrity mode if a file uses `mmap_prepare` but not `mmap`.

Since the conversion to `mmap_prepare` across the kernel is not yet
complete, update the lockdown check to look for both `mmap` and
`mmap_prepare` to ensure comprehensive coverage.

Fixes: 651fdda8406d ("relay: update relay to use mmap_prepare")
Signed-off-by: Chun-Yi Lee <jlee@xxxxxxxx>
Cc: David Howells <dhowells@xxxxxxxxxx>
Cc: Lorenzo Stoakes <ljs@xxxxxxxxxx>
Cc: Andy Shevchenko <andy.shevchenko@xxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Rafael J. Wysocki <rafael@xxxxxxxxxx>
Cc: Matthew Garrett <mjg59@xxxxxxxxxxxxx>
Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: Danilo Krummrich <dakr@xxxxxxxxxx>
Cc: driver-core@xxxxxxxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
---

Hi,

I tested this patch on ppc64le with lockdown enabled. It correctly fixes the security issue where debugfs files using mmap_prepare were not being restricted.

Test: blktrace/001 from blktests (uses relayfs via debugfs)
- Before patch: blktrace bypassed lockdown and accessed debugfs
- After patch: blktrace properly blocked from accessing debugfs

Environment:
Kernel: 7.1.0-rc7
Lockdown: integrity mode

Feel free to add:
Tested-by: Disha Goel <disgoel@xxxxxxxxxxxxx>

v2:
- Add explicit From tag to match Signed-off-by.
- Fix Lorenzo's email address.
- Add Cc stable for backporting.
- Check both mmap and mmap_prepare as suggested by Lorenzo.

fs/debugfs/file.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index edd6aafbfbaa..08de6652a4f3 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -273,7 +273,8 @@ static int debugfs_locked_down(struct inode *inode,
(!real_fops ||
(!real_fops->unlocked_ioctl &&
!real_fops->compat_ioctl &&
- !real_fops->mmap)))
+ !real_fops->mmap &&
+ !real_fops->mmap_prepare)))
return 0;
if (security_locked_down(LOCKDOWN_DEBUGFS))
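
Review bot: The exemption ending in `!real_fops->mmap && !real_fops->mmap_prepare` is a hand-maintained list of file_operations members with no comment explaining why each one is there, and per the commit message this bug came from that list falling out of sync when relay moved from `mmap` to `mmap_prepare`. Please add a short comment above the condition stating that both hooks are checked because the mmap_prepare conversion is not yet complete, so that anyone adding or renaming a handler reviews it against this list and `!real_fops->mmap` can be dropped deliberately once the conversion is done.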

--
Regards,
Disha