From: Will Rosenberg <whrosenb@asu.edu>
To: Tejun Heo <tj@kernel.org>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Oliver Rosenberg" <olrose55@gmail.com>,
杜义恒 <duyiheng@tju.edu.cn>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] kernfs: fix NULL pointer dereference in __kernfs_new_node()
Date: Sun, 1 Feb 2026 10:41:47 -0700
Message-ID: <aX+QW0yMZwVL5Y4h@gmail.com>
In-Reply-To: <f5fe5674adee792e663a86d680d836c5@kernel.org>

On Sun, Feb 01, 2026 at 07:05:50AM -1000, Tejun Heo wrote:
> Commit 382b1e8f30f7 ("kernfs: fix memory leak of kernfs_iattrs in
> __kernfs_new_node") introduced an err_out4 error path which frees iattr
> when security_kernfs_init_security() fails. However, iattr is only
> allocated by __kernfs_setattr() when the node has non-default uid/gid.
> If the node uses default ownership, iattr remains NULL, and
> security_kernfs_init_security() failure would cause a NULL pointer
> dereference when err_out4 tries to access kn->iattr->xattrs.
>
> Add a NULL check before freeing iattr.
>
> Fixes: 382b1e8f30f7 ("kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node")

Thank you for reporting the bug.

This bug has been fixed by Commit 2b742094582d ("fs/kernfs: null-ptr deref in simple_xattrs_free()").

Commit 382b1e8f30f7 ("kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node")
was also caught from entering any stable releases, so the bug should be
fixed on all active branches.

Please correct me if this bug has not been fully addressed.

--
Will Rosenberg
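
The error-path problem described in the quoted commit message, as an added user-space C model (not kernel code and not code from this thread). `struct node`, `set_owner()`, `new_node()` and `live_allocs` are hypothetical names, and uid/gid 0 stands in for default ownership; the cleanup label frees the lazily allocated attributes only when they exist, so a failing security hook neither leaks nor dereferences NULL.

```c
#include <stdlib.h>

/* User-space model; every name here is hypothetical, none of this is kernel code. */
struct xattrs { int *store; };
struct iattrs { unsigned uid, gid; struct xattrs xattrs; };
struct node   { struct iattrs *iattr; };  /* stays NULL for default ownership */

static int live_allocs;                   /* outstanding allocations, for leak checks */

static void *model_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void model_free(void *p)    { if (p) { live_allocs--; free(p); } }

/* Lazily allocate attributes, only when ownership is non-default. */
static int set_owner(struct node *kn, unsigned uid, unsigned gid)
{
	if (uid == 0 && gid == 0)
		return 0;                         /* default owner: kn->iattr remains NULL */
	kn->iattr = model_alloc(sizeof(*kn->iattr));
	if (!kn->iattr)
		return -1;
	kn->iattr->uid = uid;
	kn->iattr->gid = gid;
	kn->iattr->xattrs.store = model_alloc(sizeof(int));
	return kn->iattr->xattrs.store ? 0 : -1;
}

/* Create a node; security_fails simulates the security-init hook returning an error. */
static struct node *new_node(unsigned uid, unsigned gid, int security_fails)
{
	struct node *kn = model_alloc(sizeof(*kn));
	if (!kn)
		return NULL;
	if (set_owner(kn, uid, gid) || security_fails)
		goto err_out;
	return kn;
err_out:
	if (kn->iattr) {                      /* guard: default-owner nodes have no iattr */
		model_free(kn->iattr->xattrs.store);
		model_free(kn->iattr);
	}
	model_free(kn);
	return NULL;
}
```

Dropping the `if (kn->iattr)` guard in this model reproduces the reported fault for default-owner nodes, while dropping the two frees inside it reproduces the leak the earlier commit addressed.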