Linux Security Modules development
 help / color / mirror / Atom feed
* [PATCH -next 0/2] Fix call security_backing_file_free second time
@ 2026-06-26  1:17 Cai Xinchen
  2026-06-26  1:17 ` [PATCH -next 1/2] security: Some cleanup code Cai Xinchen
  2026-06-26  1:17 ` [PATCH -next 2/2] security: Fix call security_backing_file_free second time Cai Xinchen
  0 siblings, 2 replies; 5+ messages in thread
From: Cai Xinchen @ 2026-06-26  1:17 UTC (permalink / raw)
  To: paul, jmorris, serge, stephen.smalley.work, omosnace, amir73il,
	brauner
  Cc: linux-security-module, linux-kernel, selinux, caixinchen1,
	lujialin4

I found the following path:

alloc_empty_backing-file
    init_file(&ff->file, xxx)
        -> file_ref_init(&f->f_ref, 1); // only 1
    error = init_backing_file
        -> security_backing_file_alloc
        -> rc = call_int_hook(backing_file_alloc, ...)
           if (unlikely(rc))
                security_backing_file_free(backing_file); // first call
    if (unlikely(error)) {
        fput(&ff->file);
         -> if (unlikely(file_ref_put(&file->f_ref))) // zero
                __fput_deferred(file);
                 -> ____fput -> __fput -> file_free(file);
                 -> backing_file_free(backing_file(f));
                 -> security_backing_file_free(&ff->file); // second call

Cai Xinchen (2):
  security: Some cleanup code
  security: Fix call security_backing_file_free second time

 security/lsm_init.c      | 1 -
 security/security.c      | 5 +----
 security/selinux/hooks.c | 1 -
 3 files changed, 1 insertion(+), 6 deletions(-)

-- 
2.34.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH -next 1/2] security: Some cleanup code
  2026-06-26  1:17 [PATCH -next 0/2] Fix call security_backing_file_free second time Cai Xinchen
@ 2026-06-26  1:17 ` Cai Xinchen
  2026-07-02 21:09   ` [PATCH " Paul Moore
  2026-06-26  1:17 ` [PATCH -next 2/2] security: Fix call security_backing_file_free second time Cai Xinchen
  1 sibling, 1 reply; 5+ messages in thread
From: Cai Xinchen @ 2026-06-26  1:17 UTC (permalink / raw)
  To: paul, jmorris, serge, stephen.smalley.work, omosnace, amir73il,
	brauner
  Cc: linux-security-module, linux-kernel, selinux, caixinchen1,
	lujialin4

Delete an unnecessary blank line and a blobs variable with
duplicate assignment.

Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
---
 security/lsm_init.c      | 1 -
 security/selinux/hooks.c | 1 -
 2 files changed, 2 deletions(-)

diff --git a/security/lsm_init.c b/security/lsm_init.c
index 7c0fd17f1601..d7384866e3a5 100644
--- a/security/lsm_init.c
+++ b/security/lsm_init.c
@@ -290,7 +290,6 @@ static void __init lsm_prepare(struct lsm_info *lsm)
 		return;
 
 	/* Register the LSM blob sizes. */
-	blobs = lsm->blobs;
 	lsm_blob_size_update(&blobs->lbs_cred, &blob_sizes.lbs_cred);
 	lsm_blob_size_update(&blobs->lbs_file, &blob_sizes.lbs_file);
 	lsm_blob_size_update(&blobs->lbs_backing_file,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1a713d96206f..e5930ebc9e37 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1748,7 +1748,6 @@ static int bpf_fd_pass(const struct file *file, u32 sid);
 
 static int __file_has_perm(const struct cred *cred, const struct file *file,
 			   u32 av, bool bf_user_file)
-
 {
 	struct common_audit_data ad;
 	struct inode *inode;
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH -next 2/2] security: Fix call security_backing_file_free second time
  2026-06-26  1:17 [PATCH -next 0/2] Fix call security_backing_file_free second time Cai Xinchen
  2026-06-26  1:17 ` [PATCH -next 1/2] security: Some cleanup code Cai Xinchen
@ 2026-06-26  1:17 ` Cai Xinchen
  2026-07-02 21:09   ` [PATCH " Paul Moore
  1 sibling, 1 reply; 5+ messages in thread
From: Cai Xinchen @ 2026-06-26  1:17 UTC (permalink / raw)
  To: paul, jmorris, serge, stephen.smalley.work, omosnace, amir73il,
	brauner
  Cc: linux-security-module, linux-kernel, selinux, caixinchen1,
	lujialin4

I found the following path:

alloc_empty_backing-file
    init_file(&ff->file, xxx)
        -> file_ref_init(&f->f_ref, 1); // only 1
    error = init_backing_file
        -> security_backing_file_alloc
        -> rc = call_int_hook(backing_file_alloc, ...)
           if (unlikely(rc))
           	security_backing_file_free(backing_file); // first call
    if (unlikely(error)) {
        fput(&ff->file);
         -> if (unlikely(file_ref_put(&file->f_ref))) // zero
                __fput_deferred(file);
                 -> ____fput -> __fput -> file_free(file);
                 -> backing_file_free(backing_file(f));
                 -> security_backing_file_free(&ff->file); // second call

Currently, only SELinux has the lsm backing_file_alloc hook, and the
backing_file_free hook is not set. When security_backing_file_free is
called for the first time, the blobs pointer is set to NULL. Therefore,
double free will not occur in the code.

Fixes: 6af36aeb147a ("lsm: add backing_file LSM hooks")
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
---
 security/security.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/security/security.c b/security/security.c
index 71aea8fdf014..595d3c73253e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2468,11 +2468,8 @@ int security_backing_file_alloc(struct file *backing_file,
 	rc = lsm_backing_file_alloc(backing_file);
 	if (rc)
 		return rc;
-	rc = call_int_hook(backing_file_alloc, backing_file, user_file);
-	if (unlikely(rc))
-		security_backing_file_free(backing_file);
 
-	return rc;
+	return call_int_hook(backing_file_alloc, backing_file, user_file);
 }
 
 /**
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/2] security: Some cleanup code
  2026-06-26  1:17 ` [PATCH -next 1/2] security: Some cleanup code Cai Xinchen
@ 2026-07-02 21:09   ` Paul Moore
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2026-07-02 21:09 UTC (permalink / raw)
  To: Cai Xinchen, jmorris, serge, stephen.smalley.work, omosnace,
	amir73il, brauner
  Cc: linux-security-module, linux-kernel, selinux, caixinchen1,
	lujialin4

On Jun 25, 2026 Cai Xinchen <caixinchen1@huawei.com> wrote:
> 
> Delete an unnecessary blank line and a blobs variable with
> duplicate assignment.
> 
> Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
> ---
>  security/lsm_init.c      | 1 -
>  security/selinux/hooks.c | 1 -
>  2 files changed, 2 deletions(-)

Please split this into two patches: one for the LSM (lsm_init.c) and
one for SELinux (hooks.c).  They are two different subsystems, mailing
lists, etc.

> diff --git a/security/lsm_init.c b/security/lsm_init.c
> index 7c0fd17f1601..d7384866e3a5 100644
> --- a/security/lsm_init.c
> +++ b/security/lsm_init.c
> @@ -290,7 +290,6 @@ static void __init lsm_prepare(struct lsm_info *lsm)
>  		return;
>  
>  	/* Register the LSM blob sizes. */
> -	blobs = lsm->blobs;
>  	lsm_blob_size_update(&blobs->lbs_cred, &blob_sizes.lbs_cred);
>  	lsm_blob_size_update(&blobs->lbs_file, &blob_sizes.lbs_file);
>  	lsm_blob_size_update(&blobs->lbs_backing_file,
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 1a713d96206f..e5930ebc9e37 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1748,7 +1748,6 @@ static int bpf_fd_pass(const struct file *file, u32 sid);
>  
>  static int __file_has_perm(const struct cred *cred, const struct file *file,
>  			   u32 av, bool bf_user_file)
> -
>  {
>  	struct common_audit_data ad;
>  	struct inode *inode;
> -- 
> 2.34.1

--
paul-moore.com

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 2/2] security: Fix call security_backing_file_free second  time
  2026-06-26  1:17 ` [PATCH -next 2/2] security: Fix call security_backing_file_free second time Cai Xinchen
@ 2026-07-02 21:09   ` Paul Moore
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2026-07-02 21:09 UTC (permalink / raw)
  To: Cai Xinchen, jmorris, serge, stephen.smalley.work, omosnace,
	amir73il, brauner
  Cc: linux-security-module, linux-kernel, selinux, caixinchen1,
	lujialin4

On Jun 25, 2026 Cai Xinchen <caixinchen1@huawei.com> wrote:
> 
> I found the following path:
> 
> alloc_empty_backing-file
>     init_file(&ff->file, xxx)
>         -> file_ref_init(&f->f_ref, 1); // only 1
>     error = init_backing_file
>         -> security_backing_file_alloc
>         -> rc = call_int_hook(backing_file_alloc, ...)

The good news is that as you mentioned, only SELinux defines a
backing_file_alloc hook and it always returns success/0.

>            if (unlikely(rc))
>            	security_backing_file_free(backing_file); // first call
>     if (unlikely(error)) {
>         fput(&ff->file);
>          -> if (unlikely(file_ref_put(&file->f_ref))) // zero
>                 __fput_deferred(file);
>                  -> ____fput -> __fput -> file_free(file);
>                  -> backing_file_free(backing_file(f));
>                  -> security_backing_file_free(&ff->file); // second call
> 
> Currently, only SELinux has the lsm backing_file_alloc hook, and the
> backing_file_free hook is not set. When security_backing_file_free is
> called for the first time, the blobs pointer is set to NULL. Therefore,
> double free will not occur in the code.
> 
> Fixes: 6af36aeb147a ("lsm: add backing_file LSM hooks")
> Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
> ---
>  security/security.c | 5 +----
>  1 file changed, 1 insertion(+), 4 deletions(-)
> 
> diff --git a/security/security.c b/security/security.c
> index 71aea8fdf014..595d3c73253e 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2468,11 +2468,8 @@ int security_backing_file_alloc(struct file *backing_file,
>  	rc = lsm_backing_file_alloc(backing_file);
>  	if (rc)
>  		return rc;
> -	rc = call_int_hook(backing_file_alloc, backing_file, user_file);
> -	if (unlikely(rc))
> -		security_backing_file_free(backing_file);
>  
> -	return rc;
> +	return call_int_hook(backing_file_alloc, backing_file, user_file);
>  }

I think the better option would be to move the
call_void_hook(backing_file_free, ...) call in security_backing_file_free()
into the if-statment true block before we set the backing file's LSM blob
pointer to NULL and free the LSM blob.

--
paul-moore.com

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-02 21:09 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-26  1:17 [PATCH -next 0/2] Fix call security_backing_file_free second time Cai Xinchen
2026-06-26  1:17 ` [PATCH -next 1/2] security: Some cleanup code Cai Xinchen
2026-07-02 21:09   ` [PATCH " Paul Moore
2026-06-26  1:17 ` [PATCH -next 2/2] security: Fix call security_backing_file_free second time Cai Xinchen
2026-07-02 21:09   ` [PATCH " Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox