From f077638b5f19080b877fd4cd15fc00558669aa6d Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 23 Jun 2025 14:50:30 +0200
Subject: [PATCH] pidfs: fix pidfs_free_pid()

Ensure that we handle the case where task creation fails and pid->attr was never accessed at all.

Signed-off-by: Christian Brauner
---
 fs/pidfs.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/fs/pidfs.c b/fs/pidfs.c
index ba526fdd4c4d..47f5f9e0bdff 100644
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -150,18 +150,20 @@ void pidfs_free_pid(struct pid *pid)
 */
 VFS_WARN_ON_ONCE(pid->stashed);

- if (IS_ERR(attr))
- return;
-
 /*
- * Any dentry must've been wiped from the pid by now. Otherwise
- * there's a reference count bug.
+ * This if an error occurred during e.g., task creation that
+ * causes us to never go through the exit path.
 */
- VFS_WARN_ON_ONCE(pid->stashed);
+ if (unlikely(!attr))
+ return;
+
+ /* This never had a pidfd created. */
+ if (IS_ERR(attr))
+ return;

- xattrs = attr->xattrs;
+ xattrs = no_free_ptr(attr->xattrs);
 if (xattrs)
- simple_xattrs_free(attr->xattrs, NULL);
+ simple_xattrs_free(xattrs, NULL);
 }

 #ifdef CONFIG_PROC_FS
--
2.25.1
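Review bot: The comment added above `if (unlikely(!attr))` is missing its verb ("This if an error occurred…"), so the reason for the new NULL guard is hard to read; I would write `* This happens if an error occurred during, e.g., task creation that`. Spelling this out matters because without the guard a NULL `attr` would reach the `attr->xattrs` read further down. Separately, the switch to `xattrs = no_free_ptr(attr->xattrs);` and `simple_xattrs_free(xattrs, NULL);` at the end of the hunk is explained neither in the commit message nor in a comment. The declarations of `attr` and `xattrs` are outside the hunk, so this is inferred, but it looks like an ownership transfer to a scope-managed local; if so, a line such as `/* Take ownership of the xattrs container so it is released with the local. */` would make the free path reviewable. pidfs_free_pid() begins before the hunk.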