From: Will Rosenberg
Cc: Will Rosenberg, Oliver Rosenberg, Greg Kroah-Hartman, Tejun Heo, Paul Moore, Casey Schaufler, Ondrej Mosnacek, linux-kernel@vger.kernel.org
Subject: [PATCH v4] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node
Date: Tue, 25 Nov 2025 08:13:32 -0700
Message-Id: <20251125151332.2010687-1-whrosenb@asu.edu>

There exists a memory leak of kernfs_iattrs contained as an element
of kernfs_node allocated in __kernfs_new_node(). __kernfs_setattr()
allocates kernfs_iattrs as a sub-object, and the LSM security check
incorrectly errors out and does not free the kernfs_iattrs sub-object.

Make an additional error out case that properly frees kernfs_iattrs if
security_kernfs_init_security() fails.

Fixes: e19dfdc83b60 ("kernfs: initialize security of newly created nodes")
Co-developed-by: Oliver Rosenberg
Signed-off-by: Oliver Rosenberg
Signed-off-by: Will Rosenberg
---

Notes:
    V1 -> V2: meant as a RESEND, but the commit message and notes were also made more succinct. Patch remained unchanged. v1 was not sent to LKML by mistake.

    V2 -> V3: Update Fixes tag in commit message. Patch remains unchanged.

    V3 -> V4: Use kmem_cache_free() in place of kfree(). To be safe and consistent, call simple_xattrs_free() in case simple_xattr is allocated in the future.

fs/kernfs/dir.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index a670ba3e565e..5c0efd6b239f 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -675,11 +675,14 @@ static struct kernfs_node *__kernfs_new_node(struct k= ernfs_root *root, if (parent) { ret =3D security_kernfs_init_security(parent, kn); if (ret) - goto err_out3; + goto err_out4; } =20 return kn; =20 + err_out4: + simple_xattrs_free(&kn->iattr->xattrs, NULL); + kmem_cache_free(kernfs_iattrs_cache, kn->iattr); err_out3: spin_lock(&root->kernfs_idr_lock); idr_remove(&root->ino_idr, (u32)kernfs_ino(kn)); base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa --=20 2.34.1
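
Review bot: the new err_out4 label dereferences kn->iattr unconditionally, in both `simple_xattrs_free(&kn->iattr->xattrs, NULL)` and `kmem_cache_free(kernfs_iattrs_cache, kn->iattr)`, but nothing in the visible context establishes that kn->iattr is non-NULL when security_kernfs_init_security() fails. The commit message names __kernfs_setattr() as the allocator; if that call does not run on every path that reaches the `if (parent)` block, this error path trades the leak for a NULL pointer dereference. Guarding the two frees with `if (kn->iattr)` keeps the cleanup correct in both cases. A short comment at the label explaining why the xattrs are freed even though none are expected at this point (the reasoning given in the V3 -> V4 note) would also help, since that rationale is otherwise lost once the notes are dropped at commit time.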