| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <kiyr4pnrw2a2oeoc3lavj73glvdg5llsfz2txfnn56bxmytfgw@o6weansm3iyi> Date: Thu, 18 Sep 2025 11:42:38 +0200 From: Jan Kara <jack@...e.cz> To: Christian Brauner <brauner@...nel.org> Cc: linux-fsdevel@...r.kernel.org, Amir Goldstein <amir73il@...il.com>, Josef Bacik <josef@...icpanda.com>, Jeff Layton <jlayton@...nel.org>, Mike Yuan <me@...dnzj.com>, Zbigniew Jędrzejewski-Szmek <zbyszek@...waw.pl>, Lennart Poettering <mzxreary@...inter.de>, Daan De Meyer <daan.j.demeyer@...il.com>, Aleksa Sarai <cyphar@...har.com>, Alexander Viro <viro@...iv.linux.org.uk>, Jan Kara <jack@...e.cz>, Tejun Heo <tj@...nel.org>, Johannes Weiner <hannes@...xchg.org>, Michal Koutný <mkoutny@...e.com>, Jakub Kicinski <kuba@...nel.org>, Anna-Maria Behnsen <anna-maria@...utronix.de>, Frederic Weisbecker <frederic@...nel.org>, Thomas Gleixner <tglx@...utronix.de>, cgroups@...r.kernel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH 7/9] net: centralize ns_common initialization On Wed 17-09-25 12:28:06, Christian Brauner wrote: > Centralize ns_common initialization. > > Signed-off-by: Christian Brauner <brauner@...nel.org> > --- > net/core/net_namespace.c | 23 +++-------------------- > 1 file changed, 3 insertions(+), 20 deletions(-) > > diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c > index a57b3cda8dbc..897f4927df9e 100644 > --- a/net/core/net_namespace.c > +++ b/net/core/net_namespace.c > @@ -409,7 +409,7 @@ static __net_init int preinit_net(struct net *net, struct user_namespace *user_n > ns_ops = NULL; > #endif > > - ret = ns_common_init(&net->ns, ns_ops, false); > + ret = ns_common_init(&net->ns, ns_ops, true); > if (ret) > return ret; > > @@ -597,6 +597,7 @@ struct net *copy_net_ns(unsigned long flags, > net_passive_dec(net); > dec_ucounts: > dec_net_namespaces(ucounts); > + ns_free_inum(&net->ns); This looks like a wrong place to put it? dec_ucounts also gets called when we failed to create 'net' and thus net == NULL. > return ERR_PTR(rv); > } > return net; > @@ -718,6 +719,7 @@ static void cleanup_net(struct work_struct *work) > #endif > put_user_ns(net->user_ns); > net_passive_dec(net); > + ns_free_inum(&net->ns); The calling of ns_free_inum() after we've dropped our reference (net_passive_dec()) looks suspicious. Given how 'net' freeing works I don't think this can lead to actual UAF issues but it is in my opinion a bad coding pattern and for no good reason AFAICT. > } > WRITE_ONCE(cleanup_net_task, NULL); > } Honza -- Jan Kara <jack@...e.com> SUSE Labs, CR
Powered by blists - more mailing lists