From: sashiko-bot@kernel.org
To: "Cai Xinchen" <caixinchen1@huawei.com>
Cc: selinux@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH v3 stable/linux-6.12.y 2/3] lsm: add backing_file LSM hooks
Date: Mon, 29 Jun 2026 07:06:42 +0000 [thread overview]
Message-ID: <20260629070643.86D261F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629070338.578858-3-caixinchen1@huawei.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Double execution of LSM backing_file_free hooks on alloc error path
--
commit 2db824f4a305b633b1d25658a509035f0230ff7f
Author: Paul Moore <paul@paul-moore.com>
lsm: add backing_file LSM hooks
This commit adds a security blob to the backing_file struct to allow stacked
filesystems to provide the necessary mechanisms for LSMs to properly enforce
access controls on mmap() and mprotect() operations. Three new LSM hooks are
introduced to manage the lifecycle and access control of the backing file blob.
> diff --git a/fs/file_table.c b/fs/file_table.c
> --- a/fs/file_table.c
> +++ b/fs/file_table.c
[ ... ]
> @@ -293,7 +311,7 @@ struct file *alloc_empty_backing_file(int flags, const struct cred *cred)
>
> /* The f_mode flags must be set before fput(). */
> ff->file.f_mode |= FMODE_BACKING | FMODE_NOACCOUNT;
> - error = init_backing_file(ff);
> + error = init_backing_file(ff, user_file);
> if (unlikely(error)) {
> fput(&ff->file);
[Severity: Medium]
Does this error path trigger a double execution of the LSM backing_file_free
hooks?
If security_backing_file_alloc() fails (e.g., due to an LSM hook returning an
error), it already cleans up its own state by calling
security_backing_file_free().
This propagates the error up here, where fput() is called to clean up the
partially initialized file structure.
Calling fput() eventually results in a call to file_free(), which calls
backing_file_free() and invokes security_backing_file_free() a second time.
While the second call safely ignores the NULL blob, it still unconditionally
executes call_void_hook(backing_file_free, backing_file):
void security_backing_file_free(struct file *backing_file)
{
void *blob = backing_file_security(backing_file);
call_void_hook(backing_file_free, backing_file);
...
}
Could this break the LSM lifecycle contract for future LSMs that might track
backing file state by executing the free hooks twice on the same file?
> return ERR_PTR(error);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629070338.578858-1-caixinchen1@huawei.com?part=2
next prev parent reply other threads:[~2026-06-29 7:06 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 7:03 [PATCH v3 stable/linux-6.12.y 0/3] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Cai Xinchen
2026-06-29 7:03 ` [PATCH v3 stable/linux-6.12.y 1/3] fs: constify file ptr in backing_file accessor helpers Cai Xinchen
2026-06-29 7:01 ` sashiko-bot
2026-06-29 7:03 ` [PATCH v3 stable/linux-6.12.y 2/3] lsm: add backing_file LSM hooks Cai Xinchen
2026-06-29 7:06 ` sashiko-bot [this message]
2026-06-29 7:03 ` [PATCH v3 stable/linux-6.12.y 3/3] selinux: fix overlayfs mmap() and mprotect() access checks Cai Xinchen
2026-06-29 7:09 ` sashiko-bot
2026-06-30 22:23 ` [PATCH v3 stable/linux-6.12.y 0/3] Backport Fix incorrect overlayfs mmap() and mprotect() LSM access controls Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629070643.86D261F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=caixinchen1@huawei.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox