Date: Sun, 01 Feb 2026 07:05:50 -1000
From: Tejun Heo
To: Greg Kroah-Hartman
Cc: Will Rosenberg, Oliver Rosenberg, 杜义恒, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH] kernfs: fix NULL pointer dereference in __kernfs_new_node()
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 382b1e8f30f7 ("kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node") introduced an err_out4 error path which frees iattr when security_kernfs_init_security() fails.

However, iattr is only allocated by __kernfs_setattr() when the node has non-default uid/gid. If the node uses default ownership, iattr remains NULL, and security_kernfs_init_security() failure would cause a NULL pointer dereference when err_out4 tries to access kn->iattr->xattrs.

Add a NULL check before freeing iattr.

Fixes: 382b1e8f30f7 ("kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node")
Cc: stable@vger.kernel.org
Reported-by: 杜义恒
Signed-off-by: Tejun Heo
--- fs/kernfs/dir.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index 5c0efd6b239f..29baeeb97871 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -681,8 +681,10 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root, return kn; err_out4: - simple_xattrs_free(&kn->iattr->xattrs, NULL); - kmem_cache_free(kernfs_iattrs_cache, kn->iattr); + if (kn->iattr) { + simple_xattrs_free(&kn->iattr->xattrs, NULL); + kmem_cache_free(kernfs_iattrs_cache, kn->iattr); + } err_out3: spin_lock(&root->kernfs_idr_lock); idr_remove(&root->ino_idr, (u32)kernfs_ino(kn)); -- 2.47.2
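Review bot: the new `if (kn->iattr)` guard under err_out4 carries no comment explaining why iattr can legitimately be NULL at that label. The reason (iattr is only allocated by __kernfs_setattr() for non-default uid/gid) lives only in the commit message, so a one-line comment above the guard would keep a later cleanup from dropping the check as redundant. Separately, inside the guarded block kn->iattr still points at the freed object after kmem_cache_free() while control falls through to err_out3. If anything further down the unwind path can read kn->iattr, setting it to NULL right after the free would close that off. If nothing does, it would be worth confirming that in the changelog.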