Re: [PATCH stable/linux-5.10.y 2/7] fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Cai Xinchen" <caixinchen1@huawei.com>
Cc: bpf@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH stable/linux-5.10.y 2/7] fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers
Date: Mon, 29 Jun 2026 06:52:24 +0000	[thread overview]
Message-ID: <20260629065229.2E7BE1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629070653.580879-3-caixinchen1@huawei.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] API trap leading to cross-allocator slab corruption when handling errors in `init_file()`.
--

commit 4291ff6cf97e536c82d7fa5b99705d5c988c0fac
Author: Amir Goldstein <amir73il@gmail.com>

fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers

Use a common helper init_file() instead of __alloc_file() for
alloc_empty_file*() helpers and improrve the documentation.

This is needed for a follow up patch that allocates a backing_file
container.

> diff --git a/fs/file_table.c b/fs/file_table.c
> index 7a3b4a7f68086..be24d724b4075 100644
> --- a/fs/file_table.c
> +++ b/fs/file_table.c
> @@ -93,20 +93,15 @@ int proc_nr_files(struct ctl_table *table, int write,
[ ... ]
> -static struct file *__alloc_file(int flags, const struct cred *cred)
> +static int init_file(struct file *f, int flags, const struct cred *cred)
>  {
> -	struct file *f;
>  	int error;
>  
> -	f = kmem_cache_zalloc(filp_cachep, GFP_KERNEL);
> -	if (unlikely(!f))
> -		return ERR_PTR(-ENOMEM);
> -
>  	f->f_cred = get_cred(cred);
>  	error = security_file_alloc(f);
>  	if (unlikely(error)) {
>  		file_free_rcu(&f->f_u.fu_rcuhead);
> -		return ERR_PTR(error);
> +		return error;
>  	}

[Severity: High]
If a follow-up patch allocates a struct backing_file container using kzalloc()
and passes its file field to init_file(), could this error path lead to
cross-allocator slab corruption?

Because file_free_rcu() checks f->f_mode & FMODE_BACKING to decide whether to
use kfree() or kmem_cache_free(filp_cachep, ...), it seems FMODE_BACKING would
need to be set before calling init_file() to ensure safe cleanup if
security_file_alloc() fails.

>  
>  	atomic_long_set(&f->f_count, 1);
>  	rwlock_init(&f->f_owner.lock);
>  	spin_lock_init(&f->f_lock);
>  	mutex_init(&f->f_pos_lock);
>  	eventpoll_init_file(f);
>  	f->f_flags = flags;
>  	f->f_mode = OPEN_FMODE(flags);

[Severity: High]
However, since init_file() unconditionally overwrites f->f_mode here, the
caller cannot safely set FMODE_BACKING beforehand without it being
overwritten upon success.

Could this lead to kzalloc allocated memory being incorrectly freed to
filp_cachep if security_file_alloc() encounters an error (e.g., under
memory pressure or LSM denial)?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629070653.580879-1-caixinchen1@huawei.com?part=2

next prev parent reply	other threads:[~2026-06-29  6:52 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29  7:06 [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Cai Xinchen
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 1/7] ovl: pass layer mnt to ovl_open_realfile() Cai Xinchen
2026-06-29  8:55   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 2/7] fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers Cai Xinchen
2026-06-29  6:52   ` sashiko-bot [this message]
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 3/7] fs: use backing_file container for internal files with "fake" f_path Cai Xinchen
2026-06-29  6:54   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 4/7] lsm: constify the 'file' parameter in security_binder_transfer_file() Cai Xinchen
2026-06-29  6:51   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 5/7] fs: prepare for adding LSM blob to backing_file Cai Xinchen
2026-06-29  6:52   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 6/7] lsm: add backing_file LSM hooks Cai Xinchen
2026-06-29  6:56   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 7/7] selinux: fix overlayfs mmap() and mprotect() access checks Cai Xinchen
2026-06-29  7:00   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629065229.2E7BE1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=caixinchen1@huawei.com \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.