From: Al Viro <viro@ZenIV.linux.org.uk>
To: Giuseppe Scrivano <gscrivan@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>,
alexander.deucher@amd.com, broonie@kernel.org,
chris@chris-wilson.co.uk, David Miller <davem@davemloft.net>,
deepa.kernel@gmail.com, Greg KH <gregkh@linuxfoundation.org>,
luc.vanoostenryck@gmail.com, lucien xin <lucien.xin@gmail.com>,
Ingo Molnar <mingo@kernel.org>,
Neil Horman <nhorman@tuxdriver.com>,
syzkaller-bugs@googlegroups.com,
Vladislav Yasevich <vyasevich@gmail.com>
Subject: Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free
Date: Tue, 19 Dec 2017 15:44:01 +0000
Message-ID: <20171219154400.GS21978@ZenIV.linux.org.uk>
In-Reply-To: <20171219153225.GA14771@ZenIV.linux.org.uk>
On Tue, Dec 19, 2017 at 03:32:25PM +0000, Al Viro wrote:
> + m = mq_internal_mount();
> + if (IS_ERR(m))
> + return ERR_CAST(m);
> + atomic_inc(&m->mnt_sb->s_active);
> + down_write(&m->mnt_sb->s_umount);
> + return dget(m->mnt_root);
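Review bot: these three lines hand-roll the return convention of the mount_*() helpers (bump s_active, take s_umount for write, hand back a dentry reference) without saying so, and the `m` obtained from mq_internal_mount() is neither mntget()'d nor released on the way out. A short comment stating that this is the mount_subtree(m, "") fast path and that the internal mount needs no extra reference here would spare the next reader a reference-counting audit; if mount_subtree() later gains an empty-path shortcut, this block can be replaced by a single call to it.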
Note: this is stripped down mount_subtree(m, ""), of course;
it might make sense to recognize that case and bypass the
create_mnt_ns/vfs_path_lookup/put_mnt_ns business in
mount_subtree() when the relative pathname is empty, replacing
it with path.mnt = mntget(mnt); path.dentry = dget(mnt->mnt_root);
in such a case. That'd allow simply calling mount_subtree() here.
It would work as-is, but it's ridiculously heavy for such use
right now.
> static int __init init_mqueue_fs(void)
> {
> + struct vfsmount *m;
> int error;
>
> mqueue_inode_cachep = kmem_cache_create("mqueue_inode_cache",
> @@ -1577,6 +1606,10 @@ static int __init init_mqueue_fs(void)
> if (error)
> goto out_filesystem;
>
> + m = kern_mount_data(&mqueue_fs_type, &init_ipc_ns);
> + if (IS_ERR(m))
> + goto out_filesystem;
> + init_ipc_ns.mq_mnt = m;
> return 0;
>
> out_filesystem:
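Review bot: the kern_mount_data() error path jumps to out_filesystem without setting `error`, which is still 0 from the `if (error) goto out_filesystem;` check just above; if out_filesystem returns `error`, as that earlier check implies, a failed internal mount makes init_mqueue_fs() report success while init_ipc_ns.mq_mnt is left unset. Add `error = PTR_ERR(m);` before the `goto out_filesystem;` in the IS_ERR(m) branch.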
Unrelated issue, but register_filesystem() should be the last thing
module_init() of a filesystem driver does. It's a separate story,
in any case...
Thread overview: 13+ messages
2017-12-19 10:14 [PATCH linux-next] mqueue: fix IPC namespace use-after-free Giuseppe Scrivano
2017-12-19 11:48 ` Al Viro
2017-12-19 15:32 ` Al Viro
2017-12-19 15:44 ` Al Viro [this message]
2017-12-19 16:31 ` Dmitry Vyukov
2017-12-19 17:02 ` Giuseppe Scrivano
2017-12-19 16:59 ` Giuseppe Scrivano
2017-12-19 18:40 ` Giuseppe Scrivano
2017-12-19 20:14 ` Al Viro
2017-12-19 21:49 ` Eric W. Biederman
2017-12-19 22:40 ` Al Viro
2017-12-19 23:36 ` Eric W. Biederman
2017-12-21 19:19 ` Giuseppe Scrivano