[PATCH 6.1.y] selinux: avoid dereference of garbage after mount failure - Linux-stable-mirror

12 May 2025

From: Christian Göttsche cgzones@googlemail.com
commit 37801a36b4d68892ce807264f784d818f8d0d39b upstream.
In case kern_mount() fails and returns an error pointer return in the
error branch instead of continuing and dereferencing the error pointer.
While on it drop the never read static variable selinuxfs_mount.
Cc: stable@vger.kernel.org
Fixes: 0619f0f5e36f ("selinux: wrap selinuxfs state")
Signed-off-by: Christian Göttsche cgzones@googlemail.com
Signed-off-by: Paul Moore paul@paul-moore.com
Signed-off-by: Jianqi Ren jianqi.ren.cn@windriver.com
Signed-off-by: He Zhe zhe.he@windriver.com
---
Verified the build test
---
 security/selinux/selinuxfs.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index ab804d4ea911..c236f3cd2dd7 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -2210,7 +2210,6 @@ static struct file_system_type sel_fs_type = {
    .kill_sb	= sel_kill_sb,
 };
-static struct vfsmount *selinuxfs_mount __ro_after_init;
 struct path selinux_null __ro_after_init;
static int __init init_sel_fs(void)
@@ -2232,18 +2231,21 @@ static int __init init_sel_fs(void)
    	return err;
    }
-	selinux_null.mnt = selinuxfs_mount = kern_mount(&sel_fs_type);
-	if (IS_ERR(selinuxfs_mount)) {
+	selinux_null.mnt = kern_mount(&sel_fs_type);
+	if (IS_ERR(selinux_null.mnt)) {
    	pr_err("selinuxfs:  could not mount!\n");
-		err = PTR_ERR(selinuxfs_mount);
-		selinuxfs_mount = NULL;
+		err = PTR_ERR(selinux_null.mnt);
+		selinux_null.mnt = NULL;
+		return err;
    }
+
    selinux_null.dentry = d_hash_and_lookup(selinux_null.mnt->mnt_root,
    					&null_name);
    if (IS_ERR(selinux_null.dentry)) {
    	pr_err("selinuxfs:  could not lookup null!\n");
    	err = PTR_ERR(selinux_null.dentry);
    	selinux_null.dentry = NULL;
+		return err;
    }
return err;
-- 
2.34.1



    