From: Tianyue Ren <rentian...@kylinos.cn>
[ Upstream commit 83370b31a915493231e5b9addc72e4bef69f8d31 ]
Mark the inode security label as invalid if we cannot find
a dentry so that we will retry later rather than marking it
initialized with the unlabeled SID.
Fixes: 9287aed2ad1f ("selinux: Convert isec->lock into a spinlock")
Signed-off-by: Tianyue Ren <rentian...@kylinos.cn>
[PM: minor comment tweaks]
Signed-off-by: Paul Moore <p...@paul-moore.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
security/selinux/hooks.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 212f48025db81..76f7eb5690c8e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1499,7 +1499,13 @@ static int inode_doinit_with_dentry(struct inode *inode,
struct dentry *opt_dent
* inode_doinit with a dentry, before these inodes could
* be used again by userspace.
*/
- goto out;
+ isec->initialized = LABEL_INVALID;
+ /*
+ * There is nothing useful to jump to the "out"
+ * label, except a needless spin lock/unlock
+ * cycle.
+ */
+ return 0;
}
rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
@@ -1553,8 +1559,15 @@ static int inode_doinit_with_dentry(struct inode *inode,
struct dentry *opt_dent
* inode_doinit() with a dentry, before these inodes
* could be used again by userspace.
*/
- if (!dentry)
- goto out;
+ if (!dentry) {
+ isec->initialized = LABEL_INVALID;
+ /*
+ * There is nothing useful to jump to the "out"
+ * label, except a needless spin lock/unlock
+ * cycle.
+ */
+ return 0;
+ }
rc = selinux_genfs_get_sid(dentry, sclass,
sbsec->flags, &sid);
if (rc) {
--
2.27.0
