Re: [PATCH] kernfs: fix NULL pointer dereference in __kernfs_new_node()

Next message: Tejun Heo: "Re: [PATCH 1/2] sched_ext: Fix ops.dequeue() semantics"
Previous message: Sander Vanheule: "Re: [PATCH v2 5/8] iio: dac: ds4424: convert to regmap"
In reply to: Tejun Heo: "[PATCH] kernfs: fix NULL pointer dereference in __kernfs_new_node()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Will Rosenberg

Date: Sun Feb 01 2026 - 12:41:57 EST

On Sun, Feb 01, 2026 at 07:05:50AM -1000, Tejun Heo wrote:
> Commit 382b1e8f30f7 ("kernfs: fix memory leak of kernfs_iattrs in
> __kernfs_new_node") introduced an err_out4 error path which frees iattr
> when security_kernfs_init_security() fails. However, iattr is only
> allocated by __kernfs_setattr() when the node has non-default uid/gid.
> If the node uses default ownership, iattr remains NULL, and
> security_kernfs_init_security() failure would cause a NULL pointer
> dereference when err_out4 tries to access kn->iattr->xattrs.
>
> Add a NULL check before freeing iattr.
>
> Fixes: 382b1e8f30f7 ("kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node")

Thank you for reporting the bug.

This bug has been fixed by Commit 2b742094582d ("fs/kernfs: null-ptr deref in simple_xattrs_free()").
Commit 382b1e8f30f7 ("kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node")
was also caught from entering any stable releases, so the bug should be
fixed on all active branches.

Please correct me if this bug has not been fully addressed.

--
Will Rosenberg