Re: [PATCH] fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()

Next message: Yosry Ahmed: "Re: [PATCH v3 2/4] mm/zswap: Implement proactive writeback"
Previous message: Nhat Pham: "Re: [PATCH v3 2/4] mm/zswap: Implement proactive writeback"
In reply to: Al Viro: "Re: [PATCH] fhandle: fix UAF due to unlocked -&gt;mnt_ns read in may_decode_fh()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Al Viro

Date: Wed Jun 03 2026 - 14:54:27 EST

On Wed, Jun 03, 2026 at 07:41:51PM +0100, Al Viro wrote:

> Basically, the store that cleared ->mnt_ns has been done in namespace_sem
> scope and that scope is either no later than the scope in put_mnt_ns()

argh... s/either//

> that has dropped the active refcount of ns to zero. At the beginning
> of that scope in put_mnt_ns() we are guaranteed to have the passive
> refcount positive. Dropping the passive reference happens after an
> rcu delay started in later in the same namespace_sem scope and namespace
> is not freed until the passive refcount reaches zero.

TL;DR: your fix is correct, but needs a better explanation of correctness.
If nothing else, I'd like to have the above findable on lore - I've way
too many pieces of half-baked docs sitting around in local notes as it is ;-/