Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree

[bot+bpf-ci]

> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index b39e919c2..f088776db 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c

[ ... ]

> @@ -1197,6 +1197,25 @@ static struct inode *sel_make_inode(struct super_block 
> *sb, umode_t mode)
>       return ret;
>  }
>
> +static struct dentry *sel_attach(struct dentry *parent, const char *name,
> +                              struct inode *inode)
> +{
> +     struct dentry *dentry = d_alloc_name(parent, name);
> +     if (unlikely(!dentry)) {
> +             iput(inode);
> +             return ERR_PTR(-ENOMEM);
> +     }
> +     d_add(dentry, inode);
> +     return dentry;
> +}
> +
> +static int sel_attach_file(struct dentry *parent, const char *name,
> +                        struct inode *inode)
> +{
> +     struct dentry *dentry = sel_attach(parent, name, inode);
> +     return PTR_ERR_OR_ZERO(dentry);
> +}

[ ... ]

> @@ -1887,31 +1887,23 @@ static struct dentry *sel_make_dir(struct dentry 
> *dir, const char *name,
>                       unsigned long *ino)
>  {
> -     struct dentry *dentry = d_alloc_name(dir, name);
>       struct inode *inode;
>
> -     if (!dentry)
> -             return ERR_PTR(-ENOMEM);
> -
>       inode = sel_make_inode(dir->d_sb, S_IFDIR | S_IRUGO | S_IXUGO);
> -     if (!inode) {
> -             dput(dentry);
> +     if (!inode)
>               return ERR_PTR(-ENOMEM);
> -     }
>
>       inode->i_op = &simple_dir_inode_operations;
>       inode->i_fop = &simple_dir_operations;
>       inode->i_ino = ++(*ino);
>       /* directory inodes start off with i_nlink == 2 (for "." entry) */
>       inc_nlink(inode);
> -     d_add(dentry, inode);
>       /* bump link count on parent directory, too */
>       inc_nlink(d_inode(dir));
> +
> +     return sel_attach(dir, name, inode);
>  }

Can this leak the parent directory's reference count? The parent inode's
link count is incremented with inc_nlink(d_inode(dir)) before calling
sel_attach(). When sel_attach()->d_alloc_name() fails and returns NULL,
sel_attach() correctly cleans up the child inode with iput() and returns
ERR_PTR(-ENOMEM). However, the parent directory's link count has already
been incremented and is never decremented on this error path.

In the original code, the parent link count increment happened after
d_add() succeeded, ensuring it only occurred when the full operation
completed successfully.


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19257803162