From: Tianyue Ren <rentian...@kylinos.cn>
[ Upstream commit 83370b31a915493231e5b9addc72e4bef69f8d31 ]
Mark the inode security label as invalid if we cannot find
a dentry so that we will retry later rather than marking it
initialized with the unlabeled SID.
Fixes: 9287aed2ad1f ("selinux: Convert isec->lock into a spinlock")
Signed-off-by: Tianyue Ren <rentian...@kylinos.cn>
[PM: minor comment tweaks]
Signed-off-by: Paul Moore <p...@paul-moore.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
security/selinux/hooks.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5def19ec11797..af8ddae0ddedb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1569,7 +1569,13 @@ static int inode_doinit_with_dentry(struct inode *inode,
struct dentry *opt_dent
* inode_doinit with a dentry, before these inodes could
* be used again by userspace.
*/
- goto out;
+ isec->initialized = LABEL_INVALID;
+ /*
+ * There is nothing useful to jump to the "out"
+ * label, except a needless spin lock/unlock
+ * cycle.
+ */
+ return 0;
}
len = INITCONTEXTLEN;
@@ -1677,8 +1683,15 @@ static int inode_doinit_with_dentry(struct inode *inode,
struct dentry *opt_dent
* inode_doinit() with a dentry, before these inodes
* could be used again by userspace.
*/
- if (!dentry)
- goto out;
+ if (!dentry) {
+ isec->initialized = LABEL_INVALID;
+ /*
+ * There is nothing useful to jump to the "out"
+ * label, except a needless spin lock/unlock
+ * cycle.
+ */
+ return 0;
+ }
rc = selinux_genfs_get_sid(dentry, sclass,
sbsec->flags, &sid);
dput(dentry);
--
2.27.0
