BPF List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Cai Xinchen" <caixinchen1@huawei.com>
Cc: bpf@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH stable/linux-5.10.y 2/7] fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers
Date: Mon, 29 Jun 2026 06:52:24 +0000	[thread overview]
Message-ID: <20260629065229.2E7BE1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629070653.580879-3-caixinchen1@huawei.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] API trap leading to cross-allocator slab corruption when handling errors in `init_file()`.
--

commit 4291ff6cf97e536c82d7fa5b99705d5c988c0fac
Author: Amir Goldstein <amir73il@gmail.com>

fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers

Use a common helper init_file() instead of __alloc_file() for
alloc_empty_file*() helpers and improrve the documentation.

This is needed for a follow up patch that allocates a backing_file
container.

> diff --git a/fs/file_table.c b/fs/file_table.c
> index 7a3b4a7f68086..be24d724b4075 100644
> --- a/fs/file_table.c
> +++ b/fs/file_table.c
> @@ -93,20 +93,15 @@ int proc_nr_files(struct ctl_table *table, int write,
[ ... ]
> -static struct file *__alloc_file(int flags, const struct cred *cred)
> +static int init_file(struct file *f, int flags, const struct cred *cred)
>  {
> -	struct file *f;
>  	int error;
>  
> -	f = kmem_cache_zalloc(filp_cachep, GFP_KERNEL);
> -	if (unlikely(!f))
> -		return ERR_PTR(-ENOMEM);
> -
>  	f->f_cred = get_cred(cred);
>  	error = security_file_alloc(f);
>  	if (unlikely(error)) {
>  		file_free_rcu(&f->f_u.fu_rcuhead);
> -		return ERR_PTR(error);
> +		return error;
>  	}

[Severity: High]
If a follow-up patch allocates a struct backing_file container using kzalloc()
and passes its file field to init_file(), could this error path lead to
cross-allocator slab corruption?

Because file_free_rcu() checks f->f_mode & FMODE_BACKING to decide whether to
use kfree() or kmem_cache_free(filp_cachep, ...), it seems FMODE_BACKING would
need to be set before calling init_file() to ensure safe cleanup if
security_file_alloc() fails.

>  
>  	atomic_long_set(&f->f_count, 1);
>  	rwlock_init(&f->f_owner.lock);
>  	spin_lock_init(&f->f_lock);
>  	mutex_init(&f->f_pos_lock);
>  	eventpoll_init_file(f);
>  	f->f_flags = flags;
>  	f->f_mode = OPEN_FMODE(flags);

[Severity: High]
However, since init_file() unconditionally overwrites f->f_mode here, the
caller cannot safely set FMODE_BACKING beforehand without it being
overwritten upon success.

Could this lead to kzalloc allocated memory being incorrectly freed to
filp_cachep if security_file_alloc() encounters an error (e.g., under
memory pressure or LSM denial)?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629070653.580879-1-caixinchen1@huawei.com?part=2

  reply	other threads:[~2026-06-29  6:52 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29  7:06 [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Cai Xinchen
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 1/7] ovl: pass layer mnt to ovl_open_realfile() Cai Xinchen
2026-06-29  8:55   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 2/7] fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers Cai Xinchen
2026-06-29  6:52   ` sashiko-bot [this message]
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 3/7] fs: use backing_file container for internal files with "fake" f_path Cai Xinchen
2026-06-29  6:54   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 4/7] lsm: constify the 'file' parameter in security_binder_transfer_file() Cai Xinchen
2026-06-29  6:51   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 5/7] fs: prepare for adding LSM blob to backing_file Cai Xinchen
2026-06-29  6:52   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 6/7] lsm: add backing_file LSM hooks Cai Xinchen
2026-06-29  6:56   ` sashiko-bot
2026-06-29  7:06 ` [PATCH stable/linux-5.10.y 7/7] selinux: fix overlayfs mmap() and mprotect() access checks Cai Xinchen
2026-06-29  7:00   ` sashiko-bot
2026-06-29 17:31 ` [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Amir Goldstein
2026-06-30  3:06   ` Cai Xinchen
2026-06-30 11:01     ` Amir Goldstein

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629065229.2E7BE1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=caixinchen1@huawei.com \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox