> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c > index b39e919c2..f088776db 100644 > --- a/security/selinux/selinuxfs.c > +++ b/security/selinux/selinuxfs.c [ ... ] > @@ -1197,6 +1197,25 @@ static struct inode *sel_make_inode(struct super_block *sb, umode_t mode) > return ret; > } > > +static struct dentry *sel_attach(struct dentry *parent, const char *name, > + struct inode *inode) > +{ > + struct dentry *dentry = d_alloc_name(parent, name); > + if (unlikely(!dentry)) { > + iput(inode); > + return ERR_PTR(-ENOMEM); > + } > + d_add(dentry, inode); > + return dentry; > +} > + > +static int sel_attach_file(struct dentry *parent, const char *name, > + struct inode *inode) > +{ > + struct dentry *dentry = sel_attach(parent, name, inode); > + return PTR_ERR_OR_ZERO(dentry); > +} [ ... ] > @@ -1887,31 +1887,23 @@ static struct dentry *sel_make_dir(struct dentry *dir, const char *name, > unsigned long *ino) > { > - struct dentry *dentry = d_alloc_name(dir, name); > struct inode *inode; > > - if (!dentry) > - return ERR_PTR(-ENOMEM); > - > inode = sel_make_inode(dir->d_sb, S_IFDIR | S_IRUGO | S_IXUGO); > - if (!inode) { > - dput(dentry); > + if (!inode) > return ERR_PTR(-ENOMEM); > - } > > inode->i_op = &simple_dir_inode_operations; > inode->i_fop = &simple_dir_operations; > inode->i_ino = ++(*ino); > /* directory inodes start off with i_nlink == 2 (for "." entry) */ > inc_nlink(inode); > - d_add(dentry, inode); > /* bump link count on parent directory, too */ > inc_nlink(d_inode(dir)); > + > + return sel_attach(dir, name, inode); > } Can this leak the parent directory's reference count? The parent inode's link count is incremented with inc_nlink(d_inode(dir)) before calling sel_attach(). When sel_attach()->d_alloc_name() fails and returns NULL, sel_attach() correctly cleans up the child inode with iput() and returns ERR_PTR(-ENOMEM). However, the parent directory's link count has already been incremented and is never decremented on this error path. In the original code, the parent link count increment happened after d_add() succeeded, ensuring it only occurred when the full operation completed successfully. --- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19257803162