Received: by 10.213.65.68 with SMTP id h4csp4109934imn;
        Tue, 10 Apr 2018 09:22:11 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49JqF6HSbnmKk8vu4S13Fm91CZ5g3X1hPoCTNS8NbMkgLpAMjOfhSFfigygnPXWeyjM/f74
X-Received: by 10.98.133.212 with SMTP id m81mr923742pfk.61.1523377331854;
        Tue, 10 Apr 2018 09:22:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523377331; cv=none;
        d=google.com; s=arc-20160816;
        b=XKBG6BaprCPa5A9WBtjvu5jXi1+HGqWluUVfhq9l8XKZmP6I/5Tlg1uaG/LSKIiZb6
         MiX0LNIR1kcj7OidQWqdDU4rKXLQSTjSO7I7IlGL7X19YAWSOlW/39qWPCr6OlLS2xlv
         K519yw0tpJlmPvM8QlMzJesWws+a7kb5+tJu3LFLSQhPfttEcG8pCVJISPM2Ql54Zf/f
         2nZ4PToFwpSFrsym+gfqdoj/Rji5lod6E36ZxrNQ5gcOmR9yJ138rC7YykcUIlY2vy9d
         6bc8hA3vgsu2rqlhhUZWuQvXBeYVP3+1vhxh/o7vsGpJb2P5cZLRrn3A78Sn3T4PYy0E
         Emsw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date:arc-authentication-results;
        bh=6gU6dndqv56y7EuPONlVa3OwaprRCVTTDmgRclwJSTs=;
        b=cpF8fGA0Wq9inDWBUhlrV4EciZRYWlf520h/CRJMUYna1L51tDYtobDV6HhynwLmOQ
         gL17hrwfCp8joCk3DCMWLt/PfmUayvQVpZ1gDldh0KLGsnQ7JmO0UuiMKEXq5GshN6ln
         bM2ji4APQaZ7GpODW1A+qTKMma2BneTlD9GpaaiUznonl8/bc58OtBM6kFGNE4tG+GHu
         GCFA/miV3EmVSHxGzUdbfgc+jbRAhZ9qS0Y9xLIXL69nDUqqS3W0T/21t43D77DGy8gw
         92llT0e3V3phj309Mb/gJkQSQiWIyLRi8IDqoDCXSzPc4UPIm7HVhbiyh3HmyRNfhYtb
         ncXQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r74si2358307pfe.63.2018.04.10.09.21.31;
        Tue, 10 Apr 2018 09:22:11 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751803AbeDJQSq (ORCPT <rfc822;kkdevenda@gmail.com> + 99 others);
        Tue, 10 Apr 2018 12:18:46 -0400
Received: from mx2.suse.de ([195.135.220.15]:36791 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751367AbeDJQSp (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Apr 2018 12:18:45 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254])
        by mx2.suse.de (Postfix) with ESMTP id 65CE1ADC1;
        Tue, 10 Apr 2018 16:18:43 +0000 (UTC)
Date:   Tue, 10 Apr 2018 09:05:21 -0700
From:   Davidlohr Bueso <dave@stgolabs.net>
To:     Eric Biggers <ebiggers3@gmail.com>
Cc:     linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
        Manfred Spraul <manfred@colorfullife.com>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] ipc/shm: fix use-after-free of shm file via
 remap_file_pages()
Message-ID: <20180410160521.ybi6g2r7b43eb2di@linux-n805>
Mail-Followup-To: Eric Biggers <ebiggers3@gmail.com>, linux-mm@kvack.org,
        Andrew Morton <akpm@linux-foundation.org>,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
        Manfred Spraul <manfred@colorfullife.com>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        syzkaller-bugs@googlegroups.com
References: <94eb2c06f65e5e2467055d036889@google.com>
 <20180409043039.28915-1-ebiggers3@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <20180409043039.28915-1-ebiggers3@gmail.com>
User-Agent: NeoMutt/20170421 (1.8.2)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, 08 Apr 2018, Eric Biggers wrote:
>@@ -480,6 +487,7 @@ static int shm_release(struct inode *ino, struct file *file)
> 	struct shm_file_data *sfd = shm_file_data(file);
>
> 	put_ipc_ns(sfd->ns);
>+	fput(sfd->file);
> 	shm_file_data(file) = NULL;
> 	kfree(sfd);
> 	return 0;
>@@ -1432,7 +1440,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
> 	file->f_mapping = shp->shm_file->f_mapping;
> 	sfd->id = shp->shm_perm.id;
> 	sfd->ns = get_ipc_ns(ns);
>-	sfd->file = shp->shm_file;
>+	sfd->file = get_file(shp->shm_file);
> 	sfd->vm_ops = NULL;

This probably merits a comment as it is adhoc to remap_file_pages(),
but otherwise:

Acked-by: Davidlohr Bueso <dbueso@suse.de>