| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/06/28 20:23 | flow | patch-triage |
Args:null Results: {
"EnableConfigs": [
"BPF_LSM"
],
"FocusSymbols": [
"inode_storage_map_alloc"
],
"Reasoning": "The patch adds a check to prevent the allocation of BPF_MAP_TYPE_INODE_STORAGE maps if the BPF LSM is not initialized. This is a functional change that prevents memory corruption. We should fuzz inode_storage_map_alloc to ensure the check works correctly and doesn't introduce regressions.",
"WorthFuzzing": true
} |
| 1/1 | 2026/06/28 20:23 | action | read-patch-diff |
Args:null Results: {
"PatchDiff": "commit a565b86f245e014ad758418eb8596d0a904ff1d4\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Sun Jun 28 20:23:21 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h\nindex 143775a27a2a0b..dda272d78f013f 100644\n--- a/include/linux/bpf_lsm.h\n+++ b/include/linux/bpf_lsm.h\n@@ -14,6 +14,8 @@\n \n #ifdef CONFIG_BPF_LSM\n \n+extern bool bpf_lsm_initialized __ro_after_init;\n+\n #define LSM_HOOK(RET, DEFAULT, NAME, ...) \\\n \tRET bpf_lsm_##NAME(__VA_ARGS__);\n #include \u003clinux/lsm_hook_defs.h\u003e\n@@ -56,6 +58,8 @@ bool bpf_lsm_hook_returns_errno(u32 btf_id);\n \n #else /* !CONFIG_BPF_LSM */\n \n+#define bpf_lsm_initialized false\n+\n static inline bool bpf_lsm_is_sleepable_hook(u32 btf_id)\n {\n \treturn false;\ndiff --git a/kernel/bpf/bpf_inode_storage.c b/kernel/bpf/bpf_inode_storage.c\nindex 0da8d923e39d4b..f9e81060c1f459 100644\n--- a/kernel/bpf/bpf_inode_storage.c\n+++ b/kernel/bpf/bpf_inode_storage.c\n@@ -178,6 +178,15 @@ static int notsupp_get_next_key(struct bpf_map *map, void *key,\n \n static struct bpf_map *inode_storage_map_alloc(union bpf_attr *attr)\n {\n+\t/*\n+\t * Do not allow allocation of BPF_MAP_TYPE_INODE_STORAGE if the BPF LSM\n+\t * was not initialized by the LSM framework at boot. Without proper\n+\t * initialization, the BPF inode security blob offset remains unprepared,\n+\t * causing bpf_inode() to calculate an invalid memory offset and corrupt\n+\t * inode-\u003ei_security.\n+\t */\n+\tif (!bpf_lsm_initialized)\n+\t\treturn ERR_PTR(-EOPNOTSUPP);\n \treturn bpf_local_storage_map_alloc(attr, \u0026inode_cache);\n }\n \ndiff --git a/security/bpf/hooks.c b/security/bpf/hooks.c\nindex 40efde233f3ab3..7b98f5d1e2be83 100644\n--- a/security/bpf/hooks.c\n+++ b/security/bpf/hooks.c\n@@ -7,6 +7,8 @@\n #include \u003clinux/bpf_lsm.h\u003e\n #include \u003cuapi/linux/lsm.h\u003e\n \n+bool bpf_lsm_initialized __ro_after_init;\n+\n static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {\n \t#define LSM_HOOK(RET, DEFAULT, NAME, ...) \\\n \tLSM_HOOK_INIT(NAME, bpf_lsm_##NAME),\n@@ -24,6 +26,7 @@ static int __init bpf_lsm_init(void)\n {\n \tsecurity_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks),\n \t\t\t \u0026bpf_lsmid);\n+\tbpf_lsm_initialized = true;\n \tpr_info(\"LSM support for eBPF active\\n\");\n \treturn 0;\n }\n"
} |
| 2/1 | 2026/06/28 20:23 | agent | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"BPF_LSM"
],
"FocusSymbols": [
"inode_storage_map_alloc"
],
"Reasoning": "The patch adds a check to prevent the allocation of BPF_MAP_TYPE_INODE_STORAGE maps if the BPF LSM is not initialized. This is a functional change that prevents memory corruption. We should fuzz inode_storage_map_alloc to ensure the check works correctly and doesn't introduce regressions.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. 
Prompt: For your convenience, here is the diff of the changes:
commit a565b86f245e014ad758418eb8596d0a904ff1d4
Author: syz-cluster <triage@syzkaller.com>
Date: Sun Jun 28 20:23:21 2026 +0000
syz-cluster: applied patch under review
diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
index 143775a27a2a0b..dda272d78f013f 100644
--- a/include/linux/bpf_lsm.h
+++ b/include/linux/bpf_lsm.h
@@ -14,6 +14,8 @@
#ifdef CONFIG_BPF_LSM
+extern bool bpf_lsm_initialized __ro_after_init;
+
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
RET bpf_lsm_##NAME(__VA_ARGS__);
#include <linux/lsm_hook_defs.h>
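Review bot: the new `extern bool bpf_lsm_initialized __ro_after_init;` is exported from the header without any comment stating its contract, namely that it is written exactly once, by bpf_lsm_init() in security/bpf/hooks.c when "bpf" is an active LSM, is never cleared, and can therefore be read from any context after boot without locking. A one-line comment above the extern would give callers that guarantee at the point of use instead of sending them to the definition to infer it.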
@@ -56,6 +58,8 @@ bool bpf_lsm_hook_returns_errno(u32 btf_id);
#else /* !CONFIG_BPF_LSM */
+#define bpf_lsm_initialized false
+
static inline bool bpf_lsm_is_sleepable_hook(u32 btf_id)
{
return false;
diff --git a/kernel/bpf/bpf_inode_storage.c b/kernel/bpf/bpf_inode_storage.c
index 0da8d923e39d4b..f9e81060c1f459 100644
--- a/kernel/bpf/bpf_inode_storage.c
+++ b/kernel/bpf/bpf_inode_storage.c
@@ -178,6 +178,15 @@ static int notsupp_get_next_key(struct bpf_map *map, void *key,
static struct bpf_map *inode_storage_map_alloc(union bpf_attr *attr)
{
+ /*
+ * Do not allow allocation of BPF_MAP_TYPE_INODE_STORAGE if the BPF LSM
+ * was not initialized by the LSM framework at boot. Without proper
+ * initialization, the BPF inode security blob offset remains unprepared,
+ * causing bpf_inode() to calculate an invalid memory offset and corrupt
+ * inode->i_security.
+ */
+ if (!bpf_lsm_initialized)
+ return ERR_PTR(-EOPNOTSUPP);
return bpf_local_storage_map_alloc(attr, &inode_cache);
}
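Review bot: the user-visible effect of the new `if (!bpf_lsm_initialized) return ERR_PTR(-EOPNOTSUPP);` is that BPF_MAP_CREATE for BPF_MAP_TYPE_INODE_STORAGE now fails with EOPNOTSUPP on a kernel built with CONFIG_BPF_LSM but booted without the BPF LSM enabled; the comment explains the i_security corruption being prevented but not this behaviour change, so it belongs in the commit message, and any selftest that creates an inode storage map should treat EOPNOTSUPP as a skip on such a configuration rather than a failure. Since map allocation is the only path closed here, the natural regression check is a boot with the BPF LSM left out of the active LSM list that asserts the map create fails and no map exists to reach bpf_inode(). Minor style point: a blank line between the new early return and the original `return bpf_local_storage_map_alloc(attr, &inode_cache);` would make the two exits easier to read.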
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
index 40efde233f3ab3..7b98f5d1e2be83 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -7,6 +7,8 @@
#include <linux/bpf_lsm.h>
#include <uapi/linux/lsm.h>
+bool bpf_lsm_initialized __ro_after_init;
+
static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
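Review bot: `bool bpf_lsm_initialized __ro_after_init;` is correct only because its single write sits in `__init bpf_lsm_init()` (next hunk), which runs during LSM initialization before the kernel marks the ro_after_init data read-only; any later attempt to set it would fault. A short comment at the definition recording that invariant (written only from bpf_lsm_init(), read-only thereafter) would document why the attribute is safe and warn future readers off setting the flag from a later path.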
@@ -24,6 +26,7 @@ static int __init bpf_lsm_init(void)
{
security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks),
&bpf_lsmid);
+ bpf_lsm_initialized = true;
pr_info("LSM support for eBPF active\n");
return 0;
}
|
| 3/2 | 2026/06/28 20:23 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 2546 output: 40 thoughts: 189 Thoughts: **Analyzing the BPF Inode Storage Patch** Okay, so we've got a patch here that's adding a crucial check. Essentially, it's putting a gate on `BPF_MAP_TYPE_INODE_STORAGE` allocation. The patch includes an `if (!bpf_lsm_initialized)` check within `inode_storage_map_alloc`. Smart, it's preventing the allocation if the BPF LSM hasn't been properly initialized. This is a functional change, a good practice to include a check like this. We are modifying the `kernel/bpf/bpf_inode_storage.c` file along with the `security/bpf/hooks.c` file. The primary purpose, of course, is to avoid issues with that inode storage map type when the BPF LSM is not initialized. Let's dig in and figure out exactly how this is configured. What's the associated config option? Based on the included path, I'll bet it's `CONFIG_BPF_LSM`, defined in `include/linux/bpf_lsm.h`. Is that the only one? I need to be thorough and verify there are no other dependent configs. I'll take a quick scan through `kernel/bpf/bpf_inode_storage.c` just to be sure we haven't missed any other configuration dependencies. Gotta make sure we've got the full picture here before giving this the green light. |
| 4/2 | 2026/06/28 20:23 | tool | grepper |
Args:{
"Expression": "inode_storage_map_alloc",
"PathPrefix": "kernel/bpf/bpf_inode_storage.c"
}Results: {
"Output": "kernel/bpf/bpf_inode_storage.c=173=static int notsupp_get_next_key(struct bpf_map *map, void *key,\n--\nkernel/bpf/bpf_inode_storage.c-178-\nkernel/bpf/bpf_inode_storage.c:179:static struct bpf_map *inode_storage_map_alloc(union bpf_attr *attr)\nkernel/bpf/bpf_inode_storage.c-180-{\n--\nkernel/bpf/bpf_inode_storage.c=198=const struct bpf_map_ops inode_storage_map_ops = {\n--\nkernel/bpf/bpf_inode_storage.c-200-\t.map_alloc_check = bpf_local_storage_map_alloc_check,\nkernel/bpf/bpf_inode_storage.c:201:\t.map_alloc = inode_storage_map_alloc,\nkernel/bpf/bpf_inode_storage.c-202-\t.map_free = inode_storage_map_free,\n"
} |
| 5/2 | 2026/06/28 20:23 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 3369 output: 34 thoughts: 22 Thoughts: Okay, here's my summary, taking the role of the thinker: **Diving into BPF Inode Storage Configuration** Alright, let's get down to brass tacks. I need to understand what's actually enabling `kernel/bpf/bpf_inode_storage.c`. It's crucial for understanding the current deployment, given its implications. This isn't just about finding the file; I need to trace the configuration flags and dependencies. What are the build-time options, any runtime configurations, and how do those all chain together to enable or disable that specific piece of code? It's a key component in any analysis of modern kernel BPF use cases, so I need to be sure. I'll need to go beyond a simple `grep`; I'll need to think about the preprocessor directives, any conditional compilation based on architecture or kernel version, and the whole build system logic. Time to dig in! |
| 6/2 | 2026/06/28 20:23 | tool | grepper |
Args:{
"Expression": "bpf_inode_storage.o",
"PathPrefix": "kernel/bpf/Makefile"
}Results: {
"Output": "kernel/bpf/Makefile=14=obj-$(CONFIG_BPF_SYSCALL) += fixups.o cfg.o states.o backtrack.o check_btf.o\nkernel/bpf/Makefile:15:obj-${CONFIG_BPF_LSM}\t += bpf_inode_storage.o\nkernel/bpf/Makefile-16-obj-$(CONFIG_BPF_SYSCALL) += disasm.o mprog.o\n"
} |
| 7/2 | 2026/06/28 20:23 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 3742 output: 111 thoughts: 89 Thoughts: Okay, here's my take on those thoughts, framed from my own perspective: **Kernel Security Module Exploration** Right, so I'm honing in on `CONFIG_BPF_LSM` as the primary configuration item of interest here. My central point of investigation will be `inode_storage_map_alloc`, that's my focal symbol in this whole process. Now, let's just make sure there aren't any other configuration variables that are equally important. I know that `CONFIG_BPF_LSM` has a few dependencies: `CONFIG_BPF_SYSCALL` and, crucially, `CONFIG_SECURITY`. Really, given that context, I can just use `BPF_LSM` for the sake of brevity. Okay, all set, let's call `set-results` and see how it fits together. |
| 8/2 | 2026/06/28 20:23 | tool | set-results |
Args:{
"EnableConfigs": [
"BPF_LSM"
],
"FocusSymbols": [
"inode_storage_map_alloc"
],
"Reasoning": "The patch adds a check to prevent the allocation of BPF_MAP_TYPE_INODE_STORAGE maps if the BPF LSM is not initialized. This is a functional change that prevents memory corruption. We should fuzz inode_storage_map_alloc to ensure the check works correctly and doesn't introduce regressions.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"BPF_LSM"
],
"FocusSymbols": [
"inode_storage_map_alloc"
],
"Reasoning": "The patch adds a check to prevent the allocation of BPF_MAP_TYPE_INODE_STORAGE maps if the BPF LSM is not initialized. This is a functional change that prevents memory corruption. We should fuzz inode_storage_map_alloc to ensure the check works correctly and doesn't introduce regressions.",
"WorthFuzzing": true
} |