Re: [PATCH stable/linux-5.10.y 5/7] fs: prepare for adding LSM blob to backing_file

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Cai Xinchen" <caixinchen1@huawei.com>
Cc: selinux@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH stable/linux-5.10.y 5/7] fs: prepare for adding LSM blob to backing_file
Date: Mon, 29 Jun 2026 06:52:21 +0000	[thread overview]
Message-ID: <20260629065224.2D8701F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629070653.580879-6-caixinchen1@huawei.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Slab allocator corruption and kernel panic when security_file_alloc() fails during backing file initialization.
--

commit 5ea328a29bcb61b7c30ea4dc685a4910998da08f
Author: Amir Goldstein <amir73il@gmail.com>

fs: prepare for adding LSM blob to backing_file

In preparation to adding LSM blob to backing_file struct, factor out
helpers init_backing_file() and backing_file_free().

> diff --git a/fs/file_table.c b/fs/file_table.c
> index 6daef2e2b2ada..6792d0bce2461 100644
> --- a/fs/file_table.c
> +++ b/fs/file_table.c

[ ... ]

> @@ -231,7 +242,14 @@ struct file *alloc_empty_backing_file(int flags, const struct cred *cred)
>  	if (unlikely(error))
>  		return ERR_PTR(error);
>  
> +	/* The f_mode flags must be set before fput(). */
>  	ff->file.f_mode |= FMODE_BACKING | FMODE_NOACCOUNT;

[Severity: High]
Can this lead to slab corruption if init_file() fails?

In alloc_empty_backing_file(), the backing_file is allocated via kzalloc():

fs/file_table.c:alloc_empty_backing_file() {
    ...
	ff = kzalloc(sizeof(struct backing_file), GFP_KERNEL);
	if (unlikely(!ff))
		return ERR_PTR(-ENOMEM);

	error = init_file(&ff->file, flags, cred);
    ...
}

If security_file_alloc() fails inside init_file(), it triggers the cleanup
path using file_free_rcu():

fs/file_table.c:init_file() {
    ...
	error = security_file_alloc(f);
	if (unlikely(error)) {
		file_free_rcu(&f->f_u.fu_rcuhead);
		return error;
	}
    ...
}

Because FMODE_BACKING is not set until after init_file() returns,
file_free_rcu() will take the else branch and attempt to free the kzalloc'd
pointer into the filp_cachep kmem cache:

fs/file_table.c:file_free_rcu() {
    ...
	if (unlikely(f->f_mode & FMODE_BACKING))
		kfree(backing_file(f));
	else
		kmem_cache_free(filp_cachep, f);
}

Should FMODE_BACKING be set before calling init_file(), or is there a
different way this cleanup should be handled?

> +	error = init_backing_file(ff);
> +	if (unlikely(error)) {
> +		fput(&ff->file);
> +		return ERR_PTR(error);
> +	}
> +
>  	return &ff->file;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629070653.580879-1-caixinchen1@huawei.com?part=5

next prev parent reply	other threads:[~2026-06-29  6:52 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29  7:06 [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Cai Xinchen
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 1/7] ovl: pass layer mnt to ovl_open_realfile() Cai Xinchen
2026-06-29  8:55   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 2/7] fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers Cai Xinchen
2026-06-29  6:52   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 3/7] fs: use backing_file container for internal files with "fake" f_path Cai Xinchen
2026-06-29  6:54   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 4/7] lsm: constify the 'file' parameter in security_binder_transfer_file() Cai Xinchen
2026-06-29  6:51   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 5/7] fs: prepare for adding LSM blob to backing_file Cai Xinchen
2026-06-29  6:52   ` sashiko-bot [this message]
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 6/7] lsm: add backing_file LSM hooks Cai Xinchen
2026-06-29  6:56   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 7/7] selinux: fix overlayfs mmap() and mprotect() access checks Cai Xinchen
2026-06-29  7:00   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629065224.2D8701F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=caixinchen1@huawei.com \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.