From: sashiko-bot@kernel.org
To: "Cai Xinchen" <caixinchen1@huawei.com>
Cc: bpf@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH stable/linux-5.10.y 3/7] fs: use backing_file container for internal files with "fake" f_path
Date: Mon, 29 Jun 2026 06:54:53 +0000 [thread overview]
Message-ID: <20260629065453.CF1F11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629070653.580879-4-caixinchen1@huawei.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] If `init_file()` fails in `alloc_empty_backing_file()`, the `kzalloc`'d memory is incorrectly freed to `filp_cachep`, causing SLUB corruption.
- [Medium] The `backing_file` container allocation lacks `__GFP_ACCOUNT`, bypassing memcg memory accounting.
--
commit 253dd7739e2dba161f4b1907e20e7723d9f6a637
Author: Amir Goldstein <amir73il@gmail.com>
fs: use backing_file container for internal files with "fake" f_path
Overlayfs uses open_with_fake_path() to allocate internal kernel files.
This commit introduces a backing_file container to hold the fake ovl path
along with the real path.
> diff --git a/fs/file_table.c b/fs/file_table.c
> index be24d724b4075..6daef2e2b2ada 100644
> --- a/fs/file_table.c
> +++ b/fs/file_table.c
[ ... ]
> @@ -189,6 +211,30 @@ struct file *alloc_empty_file_noaccount(int flags, const struct cred *cred)
> return f;
> }
>
> +/*
> + * Variant of alloc_empty_file() that allocates a backing_file container
> + * and doesn't check and modify nr_files.
> + *
> + * This is only for kernel internal use, and the allocate file must not be
> + * installed into file tables or such.
> + */
> +struct file *alloc_empty_backing_file(int flags, const struct cred *cred)
> +{
> + struct backing_file *ff;
> + int error;
> +
> + ff = kzalloc(sizeof(struct backing_file), GFP_KERNEL);
[Severity: Medium]
Since this replaces an allocation that previously came from the filp_cachep
slab cache (which uses SLAB_ACCOUNT), should this kzalloc() include the
__GFP_ACCOUNT flag?
Without __GFP_ACCOUNT, this memory might bypass memcg accounting, allowing a
container to allocate kernel memory without being charged against its limit.
> + if (unlikely(!ff))
> + return ERR_PTR(-ENOMEM);
> +
> + error = init_file(&ff->file, flags, cred);
[Severity: High]
If init_file() fails (for example, due to an error in security_file_alloc()),
it calls file_free_rcu().
Because FMODE_BACKING has not been set in f_mode yet, file_free_rcu() will
evaluate (f->f_mode & FMODE_BACKING) as false:
fs/file_table.c:file_free_rcu() {
...
if (unlikely(f->f_mode & FMODE_BACKING))
kfree(backing_file(f));
else
kmem_cache_free(filp_cachep, f);
}
Will this cause the kzalloc'd ff pointer to be incorrectly freed into the
filp_cachep slab cache, leading to SLUB corruption?
> + if (unlikely(error))
> + return ERR_PTR(error);
> +
> + ff->file.f_mode |= FMODE_BACKING | FMODE_NOACCOUNT;
> + return &ff->file;
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629070653.580879-1-caixinchen1@huawei.com?part=3
next prev parent reply other threads:[~2026-06-29 6:54 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 7:06 [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Cai Xinchen
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 1/7] ovl: pass layer mnt to ovl_open_realfile() Cai Xinchen
2026-06-29 8:55 ` sashiko-bot
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 2/7] fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers Cai Xinchen
2026-06-29 6:52 ` sashiko-bot
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 3/7] fs: use backing_file container for internal files with "fake" f_path Cai Xinchen
2026-06-29 6:54 ` sashiko-bot [this message]
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 4/7] lsm: constify the 'file' parameter in security_binder_transfer_file() Cai Xinchen
2026-06-29 6:51 ` sashiko-bot
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 5/7] fs: prepare for adding LSM blob to backing_file Cai Xinchen
2026-06-29 6:52 ` sashiko-bot
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 6/7] lsm: add backing_file LSM hooks Cai Xinchen
2026-06-29 6:56 ` sashiko-bot
2026-06-29 7:06 ` [PATCH stable/linux-5.10.y 7/7] selinux: fix overlayfs mmap() and mprotect() access checks Cai Xinchen
2026-06-29 7:00 ` sashiko-bot
2026-06-29 17:31 ` [PATCH stable/linux-5.10.y 0/7] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Amir Goldstein
2026-06-30 3:06 ` Cai Xinchen
2026-06-30 11:01 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629065453.CF1F11F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=caixinchen1@huawei.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox