From: Al Viro <viro@ZenIV.linux.org.uk>
To: Giuseppe Scrivano <gscrivan@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>,
alexander.deucher@amd.com, broonie@kernel.org,
chris@chris-wilson.co.uk, David Miller <davem@davemloft.net>,
deepa.kernel@gmail.com, Greg KH <gregkh@linuxfoundation.org>,
luc.vanoostenryck@gmail.com, lucien xin <lucien.xin@gmail.com>,
Ingo Molnar <mingo@kernel.org>,
Neil Horman <nhorman@tuxdriver.com>,
syzkaller-bugs@googlegroups.com,
Vladislav Yasevich <vyasevich@gmail.com>
Subject: Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free
Date: Tue, 19 Dec 2017 11:48:19 +0000 [thread overview]
Message-ID: <20171219114819.GQ21978@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20171219101440.19736-1-gscrivan@redhat.com>
On Tue, Dec 19, 2017 at 11:14:40AM +0100, Giuseppe Scrivano wrote:
> mqueue_evict_inode() doesn't access the ipc namespace if it was
> already freed. It can happen if in a new IPC namespace the inode was
> created without a prior mq_open() which creates the vfsmount used to
> access the superblock from mq_clear_sbinfo().
>
> Keep a direct pointer to the superblock used by the inodes so we can
> correctly reset the reference to the IPC namespace being destroyed.
>
> Bug introduced with 9c583773d03633 ("ipc, mqueue: lazy call
> kern_mount_data in new namespaces")
And just what will happen in the same scenario if you mount the damn
thing in userland without ever calling mq_open(), touch a file there,
then unmount and then leave the ipc namespace?
next prev parent reply other threads:[~2017-12-19 11:48 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-19 10:14 [PATCH linux-next] mqueue: fix IPC namespace use-after-free Giuseppe Scrivano
2017-12-19 11:48 ` Al Viro [this message]
2017-12-19 15:32 ` Al Viro
2017-12-19 15:44 ` Al Viro
2017-12-19 16:31 ` Dmitry Vyukov
2017-12-19 17:02 ` Giuseppe Scrivano
2017-12-19 16:59 ` Giuseppe Scrivano
2017-12-19 18:40 ` Giuseppe Scrivano
2017-12-19 20:14 ` Al Viro
2017-12-19 21:49 ` Eric W. Biederman
2017-12-19 22:40 ` Al Viro
2017-12-19 23:36 ` Eric W. Biederman
2017-12-21 19:19 ` Giuseppe Scrivano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171219114819.GQ21978@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=akpm@linux-foundation.org \
--cc=alexander.deucher@amd.com \
--cc=broonie@kernel.org \
--cc=chris@chris-wilson.co.uk \
--cc=davem@davemloft.net \
--cc=deepa.kernel@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=gscrivan@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luc.vanoostenryck@gmail.com \
--cc=lucien.xin@gmail.com \
--cc=mingo@kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.