[PATCH v3 05/15] Apparmor: Use simple_start_creating() / simple_done_creating()
NeilBrown
neilb at ownmail.net
Fri Mar 6 21:12:50 UTC 2026
On Fri, 06 Mar 2026, Christian Brauner wrote:
> On Wed, Feb 25, 2026 at 09:16:50AM +1100, NeilBrown wrote:
> > From: NeilBrown <neil at brown.name>
> >
> > Instead of explicitly locking the parent and performing a look up in
> > apparmor, use simple_start_creating(), and then simple_done_creating()
> > to unlock and drop the dentry.
> >
> > This removes the need to check for an existing entry (as
> > simple_start_creating() acts like an exclusive create and can return
> > -EEXIST), simplifies error paths, and keeps dir locking code
> > centralised.
> >
> > Reviewed-by: Jeff Layton <jlayton at kernel.org>
> > Signed-off-by: NeilBrown <neil at brown.name>
> > ---
>
> Fwiw, I think this fixes a reference count leak:
>
> The old aafs_create returned dentries with refcount=2 (one from
> lookup_noperm, one from dget in __aafs_setup_d_inode). The cleanup path
> aafs_remove puts one reference leaving one reference that didn't get
> cleaned up.
>
> After your changes this is now correct as simple_done_creating() puts
> the lookup reference.
>
Yes, I think you are correct. I remember reviewing how ->dents was used
to confirm that the new refcounting was correct. I didn't notice at the
time that the old was wrong.
Thanks,
NeilBrown
More information about the Linux-security-module-archive
mailing list