Re: [PATCH] fix security_release_secctx seems broken

From: James Morris
Date: Wed Oct 04 2017 - 18:11:19 EST

On Wed, 4 Oct 2017, Konstantin Khlebnikov wrote:

> Just "getcap /bin/ping" is enough to tigger leak if file has capabilities.
> Selinux shouldn't be loaded because its release_secctx hook call kfree.

Ahh, makes sense.

> But sometimes it takes some time for kmemleak to find leak. Presumably
> because stale poiner stays on stack which could be reused nowdays.

Thanks for finding this!

James Morris