[patch -next] ipcns: use after free in free_ipc_ns()

From: Dan Carpenter
Date: Mon Mar 28 2011 - 04:51:21 EST

Next message: Matt Fleming: "Re: [RFC] perf: EBNF for event syntax"
Previous message: Felipe Balbi: "Re: [PATCH 2/5 v6] usb: Add usb_endpoint_descriptor to be part ofthe struct usb_ep"
Next in thread: Eric W. Biederman: "Re: [patch -next] ipcns: use after free in free_ipc_ns()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We dereference "ns" after it has been freed. This was introduced in
b515498f5bb5 "userns: add a user namespace owner of ipc ns".

Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>

diff --git a/ipc/namespace.c b/ipc/namespace.c
index 3c3e522..8054c8e 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -104,7 +104,6 @@ static void free_ipc_ns(struct ipc_namespace *ns)
sem_exit_ns(ns);
msg_exit_ns(ns);
shm_exit_ns(ns);
- kfree(ns);
atomic_dec(&nr_ipc_ns);

/*
@@ -113,6 +112,7 @@ static void free_ipc_ns(struct ipc_namespace *ns)
*/
ipcns_notify(IPCNS_REMOVED);
put_user_ns(ns->user_ns);
+ kfree(ns);
}

/*
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Matt Fleming: "Re: [RFC] perf: EBNF for event syntax"
Previous message: Felipe Balbi: "Re: [PATCH 2/5 v6] usb: Add usb_endpoint_descriptor to be part ofthe struct usb_ep"
Next in thread: Eric W. Biederman: "Re: [patch -next] ipcns: use after free in free_ipc_ns()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]