Re: [PATCH] exit: move exit_task_namespaces() after exit_task_work()

2017-12-16 Thread Giuseppe Scrivano
Cong Wang writes: > On Thu, Dec 14, 2017 at 1:08 PM, Al Viro wrote: >> On Thu, Dec 14, 2017 at 12:17:57PM -0800, Cong Wang wrote: >>> syzbot reported we have a use-after-free when mqueue_evict_inode() >>> is called on __cleanup_mnt() path, where the ipc ns is already >>> freed by the previous ex

Re: [PATCH] exit: move exit_task_namespaces() after exit_task_work()

2017-12-15 Thread Dmitry Vyukov
On Sat, Dec 16, 2017 at 1:00 AM, Cong Wang wrote: > syzbot reported we have a use-after-free when mqueue_evict_inode() > is called on __cleanup_mnt() path, where the ipc ns is already > freed by the previous exit_task_namespaces(). We can just move > it after exit_task_work()

Re: [PATCH] exit: move exit_task_namespaces() after exit_task_work()

2017-12-15 Thread Cong Wang
On Fri, Dec 15, 2017 at 12:00 AM, Dmitry Vyukov wrote: > On Fri, Dec 15, 2017 at 8:35 AM, Dmitry Vyukov wrote: >> On Fri, Dec 15, 2017 at 7:56 AM, Eric W. Biederman >> wrote: >>> Cong Wang writes: >>> syzbot reported we have a use-after-free when mqueue_evict_inode() is called on __cl

Re: [PATCH] exit: move exit_task_namespaces() after exit_task_work()

2017-12-15 Thread Cong Wang
On Thu, Dec 14, 2017 at 1:08 PM, Al Viro wrote: > On Thu, Dec 14, 2017 at 12:17:57PM -0800, Cong Wang wrote: >> syzbot reported we have a use-after-free when mqueue_evict_inode() >> is called on __cleanup_mnt() path, where the ipc ns is already >> freed by the previous exit_task_namespaces(). We c

Re: [PATCH] exit: move exit_task_namespaces() after exit_task_work()

2017-12-15 Thread Dmitry Vyukov
On Fri, Dec 15, 2017 at 8:35 AM, Dmitry Vyukov wrote: > On Fri, Dec 15, 2017 at 7:56 AM, Eric W. Biederman > wrote: >> Cong Wang writes: >> >>> syzbot reported we have a use-after-free when mqueue_evict_inode() >>> is called on __cleanup_mnt() path, where the ipc ns is already >>> freed by the p

Re: [PATCH] exit: move exit_task_namespaces() after exit_task_work()

2017-12-14 Thread Dmitry Vyukov
On Fri, Dec 15, 2017 at 7:56 AM, Eric W. Biederman wrote: > Cong Wang writes: > >> syzbot reported we have a use-after-free when mqueue_evict_inode() >> is called on __cleanup_mnt() path, where the ipc ns is already >> freed by the previous exit_task_namespaces(). We can just move >> it after aft

Re: [PATCH] exit: move exit_task_namespaces() after exit_task_work()

2017-12-14 Thread Eric W. Biederman
Cong Wang writes: > syzbot reported we have a use-after-free when mqueue_evict_inode() > is called on __cleanup_mnt() path, where the ipc ns is already > freed by the previous exit_task_namespaces(). We can just move > it after exit_task_work() to avoid this use-after-free. How does that p

Re: [PATCH] exit: move exit_task_namespaces() after exit_task_work()

2017-12-14 Thread Al Viro
On Thu, Dec 14, 2017 at 12:17:57PM -0800, Cong Wang wrote: > syzbot reported we have a use-after-free when mqueue_evict_inode() > is called on __cleanup_mnt() path, where the ipc ns is already > freed by the previous exit_task_namespaces(). We can just move > it after exit_task_work() to avoi
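The ordering problem the messages above describe, as an added example that is neither from the thread nor from the Linux source: a toy C model of do_exit() in which the ipc namespace is a refcounted object, the task's nsproxy holds the last reference, and the lazy unmount of an mqueue filesystem is still pending as task_work when the task exits. The struct names, the `alive` flag and the `stale_accesses` counter are assumptions standing in for real kernel objects and for KASAN's use-after-free report; `run_exit()` takes a flag selecting whether exit_task_namespaces() runs before exit_task_work() (the order the report was against) or after it (the order the patch proposes).

```c
#include <stdio.h>

/*
 * Toy model of the exit-time ordering discussed in this thread.  Added
 * example, not Linux source: the struct names, the "alive" flag and the
 * stale-access counter are assumptions standing in for refcounted kernel
 * objects and for a KASAN use-after-free report.
 */

struct ipc_ns {
	int refcount;
	int alive;     /* 0 once the last reference is dropped ("freed") */
	int mq_count;  /* per-namespace mqueue accounting touched on evict */
};

static void put_ipc_ns(struct ipc_ns *ns)
{
	if (--ns->refcount == 0) {
		ns->alive = 0;      /* real kernel: kfree(); later access is a UAF */
		ns->mq_count = -1;  /* poison so a stale read is obvious */
	}
}

/* An mqueue inode carries a plain pointer to the namespace it lives in. */
struct mqueue_inode {
	struct ipc_ns *ipc_ns;
};

struct work {
	void (*fn)(void *);
	void *arg;
};

#define MAX_WORK 4
struct task {
	struct ipc_ns *ipc_ns;       /* the nsproxy reference dropped at exit */
	struct work work[MAX_WORK];  /* the task_work queue */
	int nwork;
};

static int stale_accesses;  /* what KASAN would report as a use-after-free */

/* Model of mqueue_evict_inode(): dereferences the inode's namespace. */
static void mqueue_evict_inode(void *arg)
{
	struct mqueue_inode *inode = arg;
	struct ipc_ns *ns = inode->ipc_ns;

	if (!ns->alive) {
		stale_accesses++;   /* the bug: ns already freed by exit_task_namespaces() */
		return;
	}
	ns->mq_count--;
}

/* __cleanup_mnt() runs from task_work; the final mntput evicts inodes. */
static void cleanup_mnt(void *arg)
{
	mqueue_evict_inode(arg);
}

static void task_work_add(struct task *t, void (*fn)(void *), void *arg)
{
	if (t->nwork < MAX_WORK) {
		t->work[t->nwork].fn = fn;
		t->work[t->nwork].arg = arg;
		t->nwork++;
	}
}

static void exit_task_namespaces(struct task *t)
{
	put_ipc_ns(t->ipc_ns);
	t->ipc_ns = NULL;
}

static void exit_task_work(struct task *t)
{
	int i;

	for (i = 0; i < t->nwork; i++)
		t->work[i].fn(t->work[i].arg);
	t->nwork = 0;
}

/*
 * Set up the reported scenario: the exiting task holds the last reference to
 * the ipc namespace and a lazy unmount of its mqueue filesystem is pending as
 * task_work.  Returns how many stale accesses the chosen exit order caused.
 */
static int run_exit(int namespaces_first)
{
	struct ipc_ns ns = { .refcount = 1, .alive = 1, .mq_count = 1 };
	struct mqueue_inode inode = { .ipc_ns = &ns };
	struct task t = { .ipc_ns = &ns, .nwork = 0 };
	int before = stale_accesses;

	task_work_add(&t, cleanup_mnt, &inode);

	if (namespaces_first) {        /* order the report was against */
		exit_task_namespaces(&t);
		exit_task_work(&t);
	} else {                       /* order the patch proposes */
		exit_task_work(&t);
		exit_task_namespaces(&t);
	}
	return stale_accesses - before;
}

int main(void)
{
	printf("namespaces before task_work: %d stale access(es)\n", run_exit(1));
	printf("task_work before namespaces: %d stale access(es)\n", run_exit(0));
	return 0;
}
```

The model only shows why the two orderings differ: with the namespace reference dropped first, the deferred eviction dereferences an object that no longer exists; with task_work drained first, the eviction still sees a live namespace and the reference is dropped afterwards. It does not argue that reordering is the correct fix, which is the question the replies above take up.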