Linux-Security-Module Archive on
 help / color / Atom feed
From: Linus Torvalds <>
To: Steven Rostedt <>
Cc: LKML <>,
	Matthew Garrett <>,
	James Morris James Morris <>,
	LSM List <>,
	Linux API <>,
	Ben Hutchings <>,
	Al Viro <>
Subject: Re: [PATCH] tracefs: Do not allocate and free proxy_ops for lockdown
Date: Fri, 11 Oct 2019 11:20:30 -0700
Message-ID: <> (raw)
In-Reply-To: <20191011135458.7399da44@gandalf.local.home>

On Fri, Oct 11, 2019 at 10:55 AM Steven Rostedt <> wrote:
> I bisected this down to the addition of the proxy_ops into tracefs for
> lockdown. It appears that the allocation of the proxy_ops and then freeing
> it in the destroy_inode callback, is causing havoc with the memory system.
> Reading the documentation about destroy_inode, I'm not sure that this is the
> proper way to handle allocating and then freeing the fops of the inode.

What is happening is that *because* it has a "destroy_inode()"
callback, it now expects destroy_inode to not just free free the proxy
ops, but to also schedule the inode itself for freeing.

Which that tracefs)destroy_inode() doesn't do.

So the inode never gets free'd at all - and you eventually run out of
memory due to the inode leak.

The trivial fix would be to instead use the "free_inode()" callback
(which is called after the required RCU grace period) and then free
the proxy op there _and_ call free_inode_nonrcu() too.

But I think your patch to not need a proxy op allocation at all is
probably better.

That said, I think the _best_ option would be to just getting rid of
the proxy fops _entirely_, and just make the (very few)
tracefs_create_file() cases do that LOCKDOWN_TRACEFS in their open in
the first place.

The proxy_fops was a hacky attempt to make the patch smaller. Your
"just wrap all ops" thing now made the patch bigger than just doing
the lockdown thing in all the callers.

In fact, many of them use tracing_open_generic(). And others - like
subsystem_open() already call tracing_open_generic() as part of their

So from a quick glance, just making tracing_open_generic() do the
lockdown testing will take care of most cases.  Add a few other cases
to fill up the whole set, and your'e done.

Willing to do that instead?


  reply index

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-11 17:54 Steven Rostedt
2019-10-11 18:20 ` Linus Torvalds [this message]
2019-10-11 18:36   ` Steven Rostedt
2019-10-11 19:24     ` Linus Torvalds
2019-10-11 19:50     ` Ben Hutchings
2019-10-11 21:46     ` Florian Weimer
2019-10-11 22:27       ` Steven Rostedt
2019-10-11 20:25   ` Steven Rostedt
2019-10-11 20:46     ` Linus Torvalds
2019-10-11 21:08       ` Steven Rostedt
2019-10-11 20:54     ` Steven Rostedt
2019-10-11 21:00       ` Linus Torvalds
2019-10-11 21:11         ` Steven Rostedt

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='' \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on

Archives are clonable:
	git clone --mirror linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ \
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone