Re: [PATCH stable/linux-5.10.y 3/7] fs: use backing_file container for internal files with "fake" f_path

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Cai Xinchen" <caixinchen1@huawei.com>
Cc: bpf@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH stable/linux-5.10.y 3/7] fs: use backing_file container for internal files with "fake" f_path
Date: Mon, 29 Jun 2026 06:54:53 +0000	[thread overview]
Message-ID: <20260629065453.CF1F11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629070653.580879-4-caixinchen1@huawei.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] If `init_file()` fails in `alloc_empty_backing_file()`, the `kzalloc`'d memory is incorrectly freed to `filp_cachep`, causing SLUB corruption.
- [Medium] The `backing_file` container allocation lacks `__GFP_ACCOUNT`, bypassing memcg memory accounting.
--

commit 253dd7739e2dba161f4b1907e20e7723d9f6a637
Author: Amir Goldstein <amir73il@gmail.com>

fs: use backing_file container for internal files with "fake" f_path

Overlayfs uses open_with_fake_path() to allocate internal kernel files.
This commit introduces a backing_file container to hold the fake ovl path
along with the real path.

> diff --git a/fs/file_table.c b/fs/file_table.c
> index be24d724b4075..6daef2e2b2ada 100644
> --- a/fs/file_table.c
> +++ b/fs/file_table.c
[ ... ]
> @@ -189,6 +211,30 @@ struct file *alloc_empty_file_noaccount(int flags, const struct cred *cred)
>  	return f;
>  }
>  
> +/*
> + * Variant of alloc_empty_file() that allocates a backing_file container
> + * and doesn't check and modify nr_files.
> + *
> + * This is only for kernel internal use, and the allocate file must not be
> + * installed into file tables or such.
> + */
> +struct file *alloc_empty_backing_file(int flags, const struct cred *cred)
> +{
> +	struct backing_file *ff;
> +	int error;
> +
> +	ff = kzalloc(sizeof(struct backing_file), GFP_KERNEL);

[Severity: Medium]
Since this replaces an allocation that previously came from the filp_cachep
slab cache (which uses SLAB_ACCOUNT), should this kzalloc() include the
__GFP_ACCOUNT flag?

Without __GFP_ACCOUNT, this memory might bypass memcg accounting, allowing a
container to allocate kernel memory without being charged against its limit.

> +	if (unlikely(!ff))
> +		return ERR_PTR(-ENOMEM);
> +
> +	error = init_file(&ff->file, flags, cred);

[Severity: High]
If init_file() fails (for example, due to an error in security_file_alloc()),
it calls file_free_rcu().

Because FMODE_BACKING has not been set in f_mode yet, file_free_rcu() will
evaluate (f->f_mode & FMODE_BACKING) as false:

fs/file_table.c:file_free_rcu() {
    ...
    if (unlikely(f->f_mode & FMODE_BACKING))
        kfree(backing_file(f));
    else
        kmem_cache_free(filp_cachep, f);
}

Will this cause the kzalloc'd ff pointer to be incorrectly freed into the
filp_cachep slab cache, leading to SLUB corruption?

> +	if (unlikely(error))
> +		return ERR_PTR(error);
> +
> +	ff->file.f_mode |= FMODE_BACKING | FMODE_NOACCOUNT;
> +	return &ff->file;
> +}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629070653.580879-1-caixinchen1@huawei.com?part=3

next prev parent reply	other threads:[~2026-06-29  6:54 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29  7:06 [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Cai Xinchen
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 1/7] ovl: pass layer mnt to ovl_open_realfile() Cai Xinchen
2026-06-29  8:55   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 2/7] fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers Cai Xinchen
2026-06-29  6:52   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 3/7] fs: use backing_file container for internal files with "fake" f_path Cai Xinchen
2026-06-29  6:54   ` sashiko-bot [this message]
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 4/7] lsm: constify the 'file' parameter in security_binder_transfer_file() Cai Xinchen
2026-06-29  6:51   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 5/7] fs: prepare for adding LSM blob to backing_file Cai Xinchen
2026-06-29  6:52   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 6/7] lsm: add backing_file LSM hooks Cai Xinchen
2026-06-29  6:56   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 7/7] selinux: fix overlayfs mmap() and mprotect() access checks Cai Xinchen
2026-06-29  7:00   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629065453.CF1F11F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=caixinchen1@huawei.com \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.