[PATCH v2] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[PATCH v2] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[Will Rosenberg]

There exists a memory leak of kernfs_iattrs contained as an element
of kernfs_node allocated in __kernfs_new_node(). __kernfs_setattr()
allocates kernfs_iattrs as a sub-object, and the LSM security check
incorrectly errors out and does not free the kernfs_iattrs sub-object.

Make an additional error out case that properly frees kernfs_iattrs if
security_kernfs_init_security() fails.

Fixes: f72dae20891d7bcc43e9263ab206960b6ae5209f ("Merge tag 'selinux-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux")
Co-developed-by: Oliver Rosenberg <olrose55@gmail.com>
Signed-off-by: Oliver Rosenberg <olrose55@gmail.com>
Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
---
 fs/kernfs/dir.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index a670ba3e565e..5a40bfee7055 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -675,11 +675,13 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
 	if (parent) {
 		ret = security_kernfs_init_security(parent, kn);
 		if (ret)
-			goto err_out3;
+			goto err_out4;
 	}
 
 	return kn;
 
+ err_out4:
+	kfree(kn->iattr);
  err_out3:
 	spin_lock(&root->kernfs_idr_lock);
 	idr_remove(&root->ino_idr, (u32)kernfs_ino(kn));

base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa
-- 
2.34.1

Re: [PATCH v2] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[Greg Kroah-Hartman]

On Mon, Nov 24, 2025 at 09:02:26AM -0700, Will Rosenberg wrote:
> There exists a memory leak of kernfs_iattrs contained as an element
> of kernfs_node allocated in __kernfs_new_node(). __kernfs_setattr()
> allocates kernfs_iattrs as a sub-object, and the LSM security check
> incorrectly errors out and does not free the kernfs_iattrs sub-object.
> 
> Make an additional error out case that properly frees kernfs_iattrs if
> security_kernfs_init_security() fails.
> 
> Fixes: f72dae20891d7bcc43e9263ab206960b6ae5209f ("Merge tag 'selinux-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux")

Did the error really happen on a merge?  That feels very wrong.

Also, please read the docs, it says how big to make that sha1 value :)

> Co-developed-by: Oliver Rosenberg <olrose55@gmail.com>
> Signed-off-by: Oliver Rosenberg <olrose55@gmail.com>
> Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
> ---
>  fs/kernfs/dir.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

What changed from v2?

Again, please read the kernel docs on how to submit a patch.

thanks,

greg k-h

[PATCH v3] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[Will Rosenberg]

There exists a memory leak of kernfs_iattrs contained as an element
of kernfs_node allocated in __kernfs_new_node(). __kernfs_setattr()
allocates kernfs_iattrs as a sub-object, and the LSM security check
incorrectly errors out and does not free the kernfs_iattrs sub-object.

Make an additional error out case that properly frees kernfs_iattrs if
security_kernfs_init_security() fails.

Fixes: e19dfdc83b60 ("kernfs: initialize security of newly created nodes")
Co-developed-by: Oliver Rosenberg <olrose55@gmail.com>
Signed-off-by: Oliver Rosenberg <olrose55@gmail.com>
Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
---

Notes:
    V1 -> V2: meant as a RESEND, but the commit message and notes were also made more succinct. Patch remained unchanged. v1 was not sent to LKML by mistake.
    V2 -> V3: Update Fixes tag in commit message. Patch remains unchanged.

 fs/kernfs/dir.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index a670ba3e565e..5a40bfee7055 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -675,11 +675,13 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
 	if (parent) {
 		ret = security_kernfs_init_security(parent, kn);
 		if (ret)
-			goto err_out3;
+			goto err_out4;
 	}
 
 	return kn;
 
+ err_out4:
+	kfree(kn->iattr);
  err_out3:
 	spin_lock(&root->kernfs_idr_lock);
 	idr_remove(&root->ino_idr, (u32)kernfs_ino(kn));

base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa
-- 
2.34.1

Re: [PATCH v3] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[Paul Moore]

On Mon, Nov 24, 2025 at 1:37 PM Will Rosenberg <whrosenb@asu.edu> wrote:
>
> There exists a memory leak of kernfs_iattrs contained as an element
> of kernfs_node allocated in __kernfs_new_node(). __kernfs_setattr()
> allocates kernfs_iattrs as a sub-object, and the LSM security check
> incorrectly errors out and does not free the kernfs_iattrs sub-object.
>
> Make an additional error out case that properly frees kernfs_iattrs if
> security_kernfs_init_security() fails.
>
> Fixes: e19dfdc83b60 ("kernfs: initialize security of newly created nodes")
> Co-developed-by: Oliver Rosenberg <olrose55@gmail.com>
> Signed-off-by: Oliver Rosenberg <olrose55@gmail.com>
> Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
> ---
>
> Notes:
>     V1 -> V2: meant as a RESEND, but the commit message and notes were also made more succinct. Patch remained unchanged. v1 was not sent to LKML by mistake.
>     V2 -> V3: Update Fixes tag in commit message. Patch remains unchanged.
>
>  fs/kernfs/dir.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
> index a670ba3e565e..5a40bfee7055 100644
> --- a/fs/kernfs/dir.c
> +++ b/fs/kernfs/dir.c
> @@ -675,11 +675,13 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
>         if (parent) {
>                 ret = security_kernfs_init_security(parent, kn);
>                 if (ret)
> -                       goto err_out3;
> +                       goto err_out4;
>         }
>
>         return kn;
>
> + err_out4:
> +       kfree(kn->iattr);

Should this be kmem_cache_free(kernfs_iattrs_cache, kn->iattr)
instead?  I suspect it would also probably be a good idea to call
simple_xattrs_free() first.

I also noticed there is a reasonable amount of duplicated kernfs
cleanup code spread around fs/kernfs/dir.c, we could probably benefit
from some helper functions here, but that would be a follow-on patch;
keeping a small bugfix patch to ease stable tree backporting is a good
thing.

[HINT FOR THE FUTURE: for patches like this, look for a function that
normally does resource cleanup for the object and do what it does, in
this case kernfs_free_rcu() is a good example.]

>   err_out3:
>         spin_lock(&root->kernfs_idr_lock);
>         idr_remove(&root->ino_idr, (u32)kernfs_ino(kn));
>
> base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa
> --
> 2.34.1

-- 
paul-moore.com

Re: [PATCH v3] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[Will Rosenberg]

On Mon, Nov 24, 2025 at 03:41:51PM -0500, Paul Moore wrote:
>
> Should this be kmem_cache_free(kernfs_iattrs_cache, kn->iattr)
> instead?  I suspect it would also probably be a good idea to call
> simple_xattrs_free() first.
>
> I also noticed there is a reasonable amount of duplicated kernfs
> cleanup code spread around fs/kernfs/dir.c, we could probably benefit
> from some helper functions here, but that would be a follow-on patch;
> keeping a small bugfix patch to ease stable tree backporting is a good
> thing.

I agree. Helper functions could also help prevent this type of bug from
re-emerging.

> [HINT FOR THE FUTURE: for patches like this, look for a function that
> normally does resource cleanup for the object and do what it does, in
> this case kernfs_free_rcu() is a good example.]

Thank you for all the help. I updated kfree to kmem_cache_free() and
added simple_xattrs_free() just to be safe for future changes.

--
will rosenberg

[PATCH v4] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[Will Rosenberg]

There exists a memory leak of kernfs_iattrs contained as an element
of kernfs_node allocated in __kernfs_new_node(). __kernfs_setattr()
allocates kernfs_iattrs as a sub-object, and the LSM security check
incorrectly errors out and does not free the kernfs_iattrs sub-object.

Make an additional error out case that properly frees kernfs_iattrs if
security_kernfs_init_security() fails.

Fixes: e19dfdc83b60 ("kernfs: initialize security of newly created nodes")
Co-developed-by: Oliver Rosenberg <olrose55@gmail.com>
Signed-off-by: Oliver Rosenberg <olrose55@gmail.com>
Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
---

Notes:
    V1 -> V2: meant as a RESEND, but the commit message and notes were also made more succinct. Patch remained unchanged. v1 was not sent to LKML by mistake.
    V2 -> V3: Update Fixes tag in commit message. Patch remains unchanged.
    V3 -> V4: Use kmem_cache_free() in place of kfree(). To be safe and consistent, call simple_xattrs_free() in case simple_xattr is allocated in the future.

 fs/kernfs/dir.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index a670ba3e565e..5c0efd6b239f 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -675,11 +675,14 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
 	if (parent) {
 		ret = security_kernfs_init_security(parent, kn);
 		if (ret)
-			goto err_out3;
+			goto err_out4;
 	}
 
 	return kn;
 
+ err_out4:
+	simple_xattrs_free(&kn->iattr->xattrs, NULL);
+	kmem_cache_free(kernfs_iattrs_cache, kn->iattr);
  err_out3:
 	spin_lock(&root->kernfs_idr_lock);
 	idr_remove(&root->ino_idr, (u32)kernfs_ino(kn));

base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa
-- 
2.34.1

Re: [PATCH v4] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[Paul Moore]

On Tue, Nov 25, 2025 at 10:14 AM Will Rosenberg <whrosenb@asu.edu> wrote:
>
> There exists a memory leak of kernfs_iattrs contained as an element
> of kernfs_node allocated in __kernfs_new_node(). __kernfs_setattr()
> allocates kernfs_iattrs as a sub-object, and the LSM security check
> incorrectly errors out and does not free the kernfs_iattrs sub-object.
>
> Make an additional error out case that properly frees kernfs_iattrs if
> security_kernfs_init_security() fails.
>
> Fixes: e19dfdc83b60 ("kernfs: initialize security of newly created nodes")
> Co-developed-by: Oliver Rosenberg <olrose55@gmail.com>
> Signed-off-by: Oliver Rosenberg <olrose55@gmail.com>
> Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
> ---
>
> Notes:
>     V1 -> V2: meant as a RESEND, but the commit message and notes were also made more succinct. Patch remained unchanged. v1 was not sent to LKML by mistake.
>     V2 -> V3: Update Fixes tag in commit message. Patch remains unchanged.
>     V3 -> V4: Use kmem_cache_free() in place of kfree(). To be safe and consistent, call simple_xattrs_free() in case simple_xattr is allocated in the future.
>
>  fs/kernfs/dir.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
> index a670ba3e565e..5c0efd6b239f 100644
> --- a/fs/kernfs/dir.c
> +++ b/fs/kernfs/dir.c
> @@ -675,11 +675,14 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
>         if (parent) {
>                 ret = security_kernfs_init_security(parent, kn);
>                 if (ret)
> -                       goto err_out3;
> +                       goto err_out4;
>         }
>
>         return kn;
>
> + err_out4:
> +       simple_xattrs_free(&kn->iattr->xattrs, NULL);
> +       kmem_cache_free(kernfs_iattrs_cache, kn->iattr);
>   err_out3:
>         spin_lock(&root->kernfs_idr_lock);
>         idr_remove(&root->ino_idr, (u32)kernfs_ino(kn));
>
> base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa
> --
> 2.34.1

I haven't seen any feedback that this has been merged, or is in the
queue to be merged, so do you want to rebase against v6.18 or
v6.19-rc1 (when available) and resend, this time CC'ing the LSM list?
A rebase may not be necessary, but if you're going to resend, you
should verify it merges cleanly.

Since it is related to the kernfs LSM hooks, I don't have a problem
merging this via the LSM tree once the latest patch has had a quick
re-review.

-- 
paul-moore.com

Re: [PATCH v4] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[Will Rosenberg]

On Sun, Dec 07, 2025 at 04:45:05PM -0500, Paul Moore wrote:
> I haven't seen any feedback that this has been merged, or is in the
> queue to be merged, so do you want to rebase against v6.18 or
> v6.19-rc1 (when available) and resend, this time CC'ing the LSM list?
> A rebase may not be necessary, but if you're going to resend, you
> should verify it merges cleanly.
> 
> Since it is related to the kernfs LSM hooks, I don't have a problem
> merging this via the LSM tree once the latest patch has had a quick
> re-review.
> 
> -- 
> paul-moore.com

Thanks for checking in. I received an automated message from Greg,
notifying me that the patch had been accepted into driver-core-next.
I just checked, and it has now been merged into master as part of the
v6.19-rc1 release window.

Best,
Will Rosenberg

Re: [PATCH v4] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

[Paul Moore]

On Sun, Dec 7, 2025 at 5:28 PM Will Rosenberg <whrosenb@asu.edu> wrote:
> On Sun, Dec 07, 2025 at 04:45:05PM -0500, Paul Moore wrote:
> > I haven't seen any feedback that this has been merged, or is in the
> > queue to be merged, so do you want to rebase against v6.18 or
> > v6.19-rc1 (when available) and resend, this time CC'ing the LSM list?
> > A rebase may not be necessary, but if you're going to resend, you
> > should verify it merges cleanly.
> >
> > Since it is related to the kernfs LSM hooks, I don't have a problem
> > merging this via the LSM tree once the latest patch has had a quick
> > re-review.
> >
> > --
> > paul-moore.com
>
> Thanks for checking in. I received an automated message from Greg,
> notifying me that the patch had been accepted into driver-core-next.
> I just checked, and it has now been merged into master as part of the
> v6.19-rc1 release window.

Perfect, thanks for the update.

-- 
paul-moore.com