Re: [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls

From: Cai Xinchen

Date: Mon Jun 29 2026 - 23:06:43 EST


Thank you for your reply. Regarding the two points of feedback:

First, 6.1 is still in the process of being adapted.

Second, this patch set is primarily intended to fix CVE-2026-46054, but it seems that for lower versions to implement SELinux checks for overlay mmap/mprotect checks, some dependencies are unavoidable. In such cases, should we add more tests to reduce the risk and integrate the changes, or should we simply not fix this issue? If more tests are needed, are there any recommended test suites?

On 6/30/2026 1:31 AM, Amir Goldstein wrote:
On Mon, Jun 29, 2026 at 8:38 AM Cai Xinchen <caixinchen1@xxxxxxxxxx> wrote:
ackport the patch series
"Fix incorrect overlayfs mmap() and mprotect() LSM access controls" [1]
to 5.10 lts
Chai,

First of all, I don't think that stable maintainers are picking backports
to 5.10 that were not backported to 6.1 and 5.15.

Second, backporting backing_file as a dependency to LTS kernels is a pretty
intrusive change, so your description above is very much lacking.

Please do not backport backing_file to any of the LTS kernels without providing
detailed explanation to try and convince the vfs maintainers that you
verified this
bacport is safe for the LTS kernel, because honestly, this looks a bit
risky for me.

Thanks,
Amir.