From: Giuseppe Scrivano <gscrivan@redhat.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>,
        LKML <linux-kernel@vger.kernel.org>, alexander.deucher@amd.com,
        broonie@kernel.org, chris@chris-wilson.co.uk,
        David Miller <davem@davemloft.net>, deepa.kernel@gmail.com,
        Greg KH <gregkh@linuxfoundation.org>, luc.vanoostenryck@gmail.com,
        lucien xin <lucien.xin@gmail.com>, Ingo Molnar <mingo@kernel.org>,
        Neil Horman <nhorman@tuxdriver.com>, syzkaller-bugs@googlegroups.com,
        Vladislav Yasevich <vyasevich@gmail.com>
Subject: Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free
References: <20171219101440.19736-1-gscrivan@redhat.com>
        <20171219114819.GQ21978@ZenIV.linux.org.uk>
        <20171219153225.GA14771@ZenIV.linux.org.uk>
        <874lomhcwb.fsf@redhat.com>
Date: Tue, 19 Dec 2017 19:40:43 +0100
In-Reply-To: <874lomhcwb.fsf@redhat.com> (Giuseppe Scrivano's message of "Tue,
        19 Dec 2017 17:59:32 +0100")
Message-ID: <87vah2ftn8.fsf@redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 706
Lines: 23

Giuseppe Scrivano <gscrivan@redhat.com> writes:

> The only issue I've seen with my version is that if I do:
>
> # unshare -im /bin/sh
> # mount -t mqueue mqueue /dev/mqueue
> # touch /dev/mqueue/foo
> # umount /dev/mqueue
> # mount -t mqueue mqueue /dev/mqueue
>
> then /dev/mqueue/foo doesn't exist at this point.  Your patch does not
> have this problem and /dev/mqueue/foo is again accessible after the
> second mount.

although, how much is that of an issue?  Is there any other way to delay
the cost of kern_mount_data()?  Most containers have /dev/mqueue mounted
but it is not really going to be used.

Would it be possible somehow to postpone it until the first inode is
created?

Thanks,
Giuseppe