Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752876AbdLNUSb (ORCPT ); Thu, 14 Dec 2017 15:18:31 -0500 Received: from mail-pf0-f194.google.com ([209.85.192.194]:32916 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752270AbdLNUS2 (ORCPT ); Thu, 14 Dec 2017 15:18:28 -0500 X-Google-Smtp-Source: ACJfBovzcf2c+ZjEXmjkMJYrJBzi4Imw5ABqhm0aDwTdvB2AXHa49c+TUMrkhi57kO1TN/ODAe7b0Q== From: Cong Wang To: linux-kernel@vger.kernel.org Cc: Cong Wang , Ingo Molnar , Al Viro , Andrew Morton , Linus Torvalds , stable@vger.kernel.org Subject: [PATCH] exit: move exit_task_namespaces() after exit_task_work() Date: Thu, 14 Dec 2017 12:17:57 -0800 Message-Id: <20171214201757.5393-1-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.9.4 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 984 Lines: 32 syzbot reported we have a use-after-free when mqueue_evict_inode() is called on __cleanup_mnt() path, where the ipc ns is already freed by the previous exit_task_namespaces(). We can just move it after after exit_task_work() to avoid this use-after-free. Reported-by: syzbot Cc: Ingo Molnar Cc: Al Viro Cc: Andrew Morton Cc: Linus Torvalds Cc: stable@vger.kernel.org Signed-off-by: Cong Wang --- kernel/exit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/exit.c b/kernel/exit.c index 6b4298a41167..909e43c45158 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -861,8 +861,8 @@ void __noreturn do_exit(long code) exit_fs(tsk); if (group_dead) disassociate_ctty(1); - exit_task_namespaces(tsk); exit_task_work(tsk); + exit_task_namespaces(tsk); exit_thread(tsk); /* -- 2.13.0
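Review bot: the reordering of exit_task_namespaces() and exit_task_work() in the do_exit() hunk fixes the reported use-after-free, but the ordering dependency is now silent in the code; the next person shuffling do_exit() will have no hint that task_work may still need the task's namespaces. Please add a short comment at the new call site, e.g. "/* Must run after exit_task_work(): deferred work such as __cleanup_mnt() may still dereference the ipc namespace. */", and state in the commit message whether anything in the namespace teardown itself relies on task_work being run afterwards, since exit_task_work() now precedes it. Also, the changelog wording "move it after after exit_task_work()" has a doubled "after".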