Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree

[PATCH v3 00/50] tree-in-dcache stuff · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 24/50] convert ibmasmfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 13/50] convert hugetlbfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 25/50] ibmasmfs: get rid of ibmasmfs_dir_ops · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 14/50] convert mqueue · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 02/50] tracefs: fix a leak in eventfs_create_events_dir() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 05/50] introduce a flag for explicitly marking persistently pinned dentries · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 08/50] convert ramfs and tmpfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 21/50] debugfs: remove duplicate checks in callers of start_creating() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 17/50] convert fuse_ctl · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 17/50] convert fuse_ctl · Miklos Szeredi <miklos@szeredi.hu> · 2025-11-11
[PATCH v3 19/50] convert tracefs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 01/50] fuse_ctl_add_conn(): fix nlink breakage in case of early failure · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 01/50] fuse_ctl_add_conn(): fix nlink breakage in case of early failure · Miklos Szeredi <miklos@szeredi.hu> · 2025-11-11
[PATCH v3 12/50] convert smackfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 04/50] new helper: simple_done_creating() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 22/50] convert efivarfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 09/50] procfs: make /self and /thread_self dentries persistent · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 10/50] configfs, securityfs: kill_litter_super() not needed · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 16/50] convert dlmfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 18/50] convert pstore · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 15/50] convert bpf · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 28/50] binderfs_binder_ctl_create(): kill a bogus check · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 30/50] autofs_{rmdir,unlink}: dentry->d_fsdata->dentry == dentry there · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 27/50] binderfs: use simple_start_creating() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 23/50] convert spufs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 06/50] primitives for maintaining persisitency · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 03/50] new helper: simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 03/50] new helper: simple_remove_by_name() · Miklos Szeredi <miklos@szeredi.hu> · 2025-11-11
[PATCH v3 11/50] convert xenfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 20/50] convert debugfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 26/50] convert devpts · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 07/50] convert simple_{link,unlink,rmdir,rename,fill_super}() to new primitives · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 32/50] convert binfmt_misc · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 29/50] convert binderfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 31/50] convert autofs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 33/50] selinuxfs: don't stash the dentry of /policy_capabilities · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · bot+bpf-ci@kernel.org · 2025-11-11
Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · Chris Mason <hidden> · 2025-11-12
[PATCH v3 35/50] convert selinuxfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 39/50] convert gadgetfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · bot+bpf-ci@kernel.org · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Christian Brauner <brauner@kernel.org> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Chris Mason <hidden> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Chris Mason <hidden> · 2025-11-12
[functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-13
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2025-11-13
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Chris Mason <hidden> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Christian Brauner <brauner@kernel.org> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2025-11-15
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-16
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 1/4] functionfs: don't abuse ffs_data_closed() on fs shutdown · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 2/4] functionfs: don't bother with ffs->ref in ffs_data_{opened,closed}() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 3/4] functionfs: need to cancel ->reset_work in ->kill_sb() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 4/4] functionfs: fix the open/removal races · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2025-11-18
[PATCH v3 37/50] convert functionfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 38/50] gadgetfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 40/50] hypfs: don't pin dentries twice · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 41/50] hypfs: switch hypfs_create_str() to returning int · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 43/50] convert hypfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 42/50] hypfs: swich hypfs_create_u64() to returning int · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 44/50] convert rpc_pipefs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 45/50] convert nfsctl · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 46/50] convert rust_binderfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 47/50] get rid of kill_litter_super() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 48/50] convert securityfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 49/50] kill securityfs_recursive_remove() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 50/50] d_make_discardable(): warn if given a non-persistent dentry · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11

From: Al Viro <viro@zeniv.linux.org.uk>
Date: 2025-11-11 09:50:00
Also in: bpf, linux-efi, linux-fsdevel, linux-mm, linux-usb, ocfs2-devel, selinux

On Tue, Nov 11, 2025 at 07:53:18AM +0000, bot+bpf-ci@kernel.org wrote:

Can this leak the parent directory's reference count? The parent inode's
link count is incremented with inc_nlink(d_inode(dir)) before calling
sel_attach(). When sel_attach()->d_alloc_name() fails and returns NULL,
sel_attach() correctly cleans up the child inode with iput() and returns
ERR_PTR(-ENOMEM). However, the parent directory's link count has already
been incremented and is never decremented on this error path.

In the original code, the parent link count increment happened after
d_add() succeeded, ensuring it only occurred when the full operation
completed successfully.

All callers of sel_make_dir() proceed to remove the parent in case of
failure.  All directories are created either at mount time or at
policy reload afterwards.  A failure in the former will have
sel_fill_super() return an error, with the entire filesystem instance
being torn apart by the cleanup path in its caller (get_tree_single()).
No directories survive that.  A failure in the latter (in something
called from sel_make_policy_nodes()) will be taken care of by the
call of simple_recursive_removal() in the end of sel_make_policy_nodes() -
there we
	1.  create a temporary directory ("/.swapover").  We do *NOT*
use sel_make_dir() for that - see sel_make_swapover_dir().  If that has
failed, we return an error.
	2.  create and populate two subtrees in it ("booleans" and "classes").
That's the step where we would create subdirectories and that's where
sel_make_dir() failures might occur.
	3.  if the subtree creation had been successful, swap "/.swapover/booleans"
with "/booleans" and "/.swapover/classes" with "/classes" respectively.
	4.  recursively remove "/.swapover", along with anything that might
be in it.  In case of success that would be the old "/classes" and "/booleans"
that got replaced, in case of failure - whatever we have partially created.

That's the same reason why we don't need to bother with failure cleanups in
the functions that populate directories - if they fail halfway through, the
entire (sub)tree is going to be wiped out in one pass.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help