Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree

[PATCH v3 00/50] tree-in-dcache stuff · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 24/50] convert ibmasmfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 13/50] convert hugetlbfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 25/50] ibmasmfs: get rid of ibmasmfs_dir_ops · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 14/50] convert mqueue · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 02/50] tracefs: fix a leak in eventfs_create_events_dir() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 05/50] introduce a flag for explicitly marking persistently pinned dentries · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 08/50] convert ramfs and tmpfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 21/50] debugfs: remove duplicate checks in callers of start_creating() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 17/50] convert fuse_ctl · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 17/50] convert fuse_ctl · Miklos Szeredi <miklos@szeredi.hu> · 2025-11-11
[PATCH v3 19/50] convert tracefs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 01/50] fuse_ctl_add_conn(): fix nlink breakage in case of early failure · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 01/50] fuse_ctl_add_conn(): fix nlink breakage in case of early failure · Miklos Szeredi <miklos@szeredi.hu> · 2025-11-11
[PATCH v3 12/50] convert smackfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 04/50] new helper: simple_done_creating() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 22/50] convert efivarfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 09/50] procfs: make /self and /thread_self dentries persistent · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 10/50] configfs, securityfs: kill_litter_super() not needed · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 16/50] convert dlmfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 18/50] convert pstore · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 15/50] convert bpf · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 28/50] binderfs_binder_ctl_create(): kill a bogus check · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 30/50] autofs_{rmdir,unlink}: dentry->d_fsdata->dentry == dentry there · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 27/50] binderfs: use simple_start_creating() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 23/50] convert spufs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 06/50] primitives for maintaining persisitency · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 03/50] new helper: simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 03/50] new helper: simple_remove_by_name() · Miklos Szeredi <miklos@szeredi.hu> · 2025-11-11
[PATCH v3 11/50] convert xenfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 20/50] convert debugfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 26/50] convert devpts · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 07/50] convert simple_{link,unlink,rmdir,rename,fill_super}() to new primitives · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 32/50] convert binfmt_misc · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 29/50] convert binderfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 31/50] convert autofs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 33/50] selinuxfs: don't stash the dentry of /policy_capabilities · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · bot+bpf-ci@kernel.org · 2025-11-11
Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · Chris Mason <hidden> · 2025-11-12
[PATCH v3 35/50] convert selinuxfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 39/50] convert gadgetfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · bot+bpf-ci@kernel.org · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Christian Brauner <brauner@kernel.org> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Chris Mason <hidden> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Chris Mason <hidden> · 2025-11-12
[functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-13
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2025-11-13
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Chris Mason <hidden> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Christian Brauner <brauner@kernel.org> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2025-11-15
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-16
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 1/4] functionfs: don't abuse ffs_data_closed() on fs shutdown · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 2/4] functionfs: don't bother with ffs->ref in ffs_data_{opened,closed}() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 3/4] functionfs: need to cancel ->reset_work in ->kill_sb() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 4/4] functionfs: fix the open/removal races · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2025-11-18
[PATCH v3 37/50] convert functionfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 38/50] gadgetfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 40/50] hypfs: don't pin dentries twice · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 41/50] hypfs: switch hypfs_create_str() to returning int · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 43/50] convert hypfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 42/50] hypfs: swich hypfs_create_u64() to returning int · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 44/50] convert rpc_pipefs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 45/50] convert nfsctl · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 46/50] convert rust_binderfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 47/50] get rid of kill_litter_super() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 48/50] convert securityfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 49/50] kill securityfs_recursive_remove() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 50/50] d_make_discardable(): warn if given a non-persistent dentry · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11

From: bot+bpf-ci@kernel.org
Date: 2025-11-11 07:53:19
Also in: bpf, linux-efi, linux-fsdevel, linux-mm, linux-usb, ocfs2-devel, selinux

quoted hunk ↗ jump to hunk

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index b39e919c2..f088776db 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c

[ ... ]

quoted hunk ↗ jump to hunk

@@ -1197,6 +1197,25 @@ static struct inode *sel_make_inode(struct super_block *sb, umode_t mode)
 	return ret;
 }

+static struct dentry *sel_attach(struct dentry *parent, const char *name,
+				 struct inode *inode)
+{
+	struct dentry *dentry = d_alloc_name(parent, name);
+	if (unlikely(!dentry)) {
+		iput(inode);
+		return ERR_PTR(-ENOMEM);
+	}
+	d_add(dentry, inode);
+	return dentry;
+}
+
+static int sel_attach_file(struct dentry *parent, const char *name,
+			   struct inode *inode)
+{
+	struct dentry *dentry = sel_attach(parent, name, inode);
+	return PTR_ERR_OR_ZERO(dentry);
+}

[ ... ]

quoted hunk ↗ jump to hunk

@@ -1887,31 +1887,23 @@ static struct dentry *sel_make_dir(struct dentry *dir, const char *name,
 			unsigned long *ino)
 {
-	struct dentry *dentry = d_alloc_name(dir, name);
 	struct inode *inode;

-	if (!dentry)
-		return ERR_PTR(-ENOMEM);
-
 	inode = sel_make_inode(dir->d_sb, S_IFDIR | S_IRUGO | S_IXUGO);
-	if (!inode) {
-		dput(dentry);
+	if (!inode)
 		return ERR_PTR(-ENOMEM);
-	}

 	inode->i_op = &simple_dir_inode_operations;
 	inode->i_fop = &simple_dir_operations;
 	inode->i_ino = ++(*ino);
 	/* directory inodes start off with i_nlink == 2 (for "." entry) */
 	inc_nlink(inode);
-	d_add(dentry, inode);
 	/* bump link count on parent directory, too */
 	inc_nlink(d_inode(dir));
+
+	return sel_attach(dir, name, inode);
 }

Can this leak the parent directory's reference count? The parent inode's
link count is incremented with inc_nlink(d_inode(dir)) before calling
sel_attach(). When sel_attach()->d_alloc_name() fails and returns NULL,
sel_attach() correctly cleans up the child inode with iput() and returns
ERR_PTR(-ENOMEM). However, the parent directory's link count has already
been incremented and is never decremented on this error path.

In the original code, the parent link count increment happened after
d_add() succeeded, ensuring it only occurred when the full operation
completed successfully.


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19257803162

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help