Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-21 Thread Giuseppe Scrivano
Al Viro writes:
> On Tue, Dec 19, 2017 at 07:40:43PM +0100, Giuseppe Scrivano wrote:
>> Giuseppe Scrivano writes:
>>
>> > The only issue I've seen with my version is that if I do:
>> >
>> > # unshare -im /bin/sh
>> > # mount -t mqueue mqueue /dev/mqueue
>> > # touch /dev/mqueue/foo
>> > #

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Eric W. Biederman
Al Viro writes:
> On Tue, Dec 19, 2017 at 03:49:24PM -0600, Eric W. Biederman wrote:
>> > what would you be delaying? kmem_cache_alloc() for struct mount and
>> > assignments
>> > to its fields? That's noise; if anything, I would expect the main cost
>> > with
>> > a plenty of containers to

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Al Viro
On Tue, Dec 19, 2017 at 03:49:24PM -0600, Eric W. Biederman wrote:
> > what would you be delaying? kmem_cache_alloc() for struct mount and
> > assignments
> > to its fields? That's noise; if anything, I would expect the main cost with
> > a plenty of containers to be in sget() scanning the list

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Eric W. Biederman
Al Viro writes:
> On Tue, Dec 19, 2017 at 07:40:43PM +0100, Giuseppe Scrivano wrote:
>> Giuseppe Scrivano writes:
>>
>> > The only issue I've seen with my version is that if I do:
>> >
>> > # unshare -im /bin/sh
>> > # mount -t mqueue mqueue /dev/mqueue
>> > # touch /dev/mqueue/foo
>> > #

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Al Viro
On Tue, Dec 19, 2017 at 07:40:43PM +0100, Giuseppe Scrivano wrote:
> Giuseppe Scrivano writes:
>
> > The only issue I've seen with my version is that if I do:
> >
> > # unshare -im /bin/sh
> > # mount -t mqueue mqueue /dev/mqueue
> > # touch /dev/mqueue/foo
> > # umount /dev/mqueue
> > # mount

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Giuseppe Scrivano
Giuseppe Scrivano writes:
> The only issue I've seen with my version is that if I do:
>
> # unshare -im /bin/sh
> # mount -t mqueue mqueue /dev/mqueue
> # touch /dev/mqueue/foo
> # umount /dev/mqueue
> # mount -t mqueue mqueue /dev/mqueue
>
> then /dev/mqueue/foo doesn't exist at this point.

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Giuseppe Scrivano
Dmitry Vyukov writes:
>> Unrelated issue, but register_filesystem() should be the last thing
>> module_init() of a filesystem driver does. It's a separate story,
>> in any case...
>
> Giuseppe, what report is this?
> If there is a reproducer, you can ask syzbot to test a patch.

I have tried

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Giuseppe Scrivano
Al Viro writes:
> On Tue, Dec 19, 2017 at 11:48:19AM +, Al Viro wrote:
>> On Tue, Dec 19, 2017 at 11:14:40AM +0100, Giuseppe Scrivano wrote:
>> > mqueue_evict_inode() doesn't access the ipc namespace if it was
>> > already freed. It can happen if in a new IPC namespace the inode was
>> >

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Dmitry Vyukov
On Tue, Dec 19, 2017 at 4:44 PM, Al Viro wrote:
> On Tue, Dec 19, 2017 at 03:32:25PM +, Al Viro wrote:
>> + m = mq_internal_mount();
>> + if (IS_ERR(m))
>> + return ERR_CAST(m);
>> + atomic_inc(&m->mnt_sb->s_active);
>> + down_write(&m->mnt_sb->s_umount);
>> + return

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Al Viro
On Tue, Dec 19, 2017 at 03:32:25PM +, Al Viro wrote:
> + m = mq_internal_mount();
> + if (IS_ERR(m))
> + return ERR_CAST(m);
> + atomic_inc(&m->mnt_sb->s_active);
> + down_write(&m->mnt_sb->s_umount);
> + return dget(m->mnt_root);

Note: this is stripped down

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Al Viro
On Tue, Dec 19, 2017 at 11:48:19AM +, Al Viro wrote:
> On Tue, Dec 19, 2017 at 11:14:40AM +0100, Giuseppe Scrivano wrote:
> > mqueue_evict_inode() doesn't access the ipc namespace if it was
> > already freed. It can happen if in a new IPC namespace the inode was
> > created without a prior

Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

2017-12-19 Thread Al Viro
On Tue, Dec 19, 2017 at 11:14:40AM +0100, Giuseppe Scrivano wrote:
> mqueue_evict_inode() doesn't access the ipc namespace if it was
> already freed. It can happen if in a new IPC namespace the inode was
> created without a prior mq_open() which creates the vfsmount used to
> access the
