Re: [PATCH] fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
From: Al Viro
Date: Wed Jun 03 2026 - 14:21:54 EST
On Wed, Jun 03, 2026 at 07:38:06PM +0200, Jann Horn wrote:
> Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like
> in __prepend_path().
> + /*
> + * Containing namespace.
> + * Normally protected by namespace_sem, but there are also lockless
> + * readers (which must use RCU to guard against the namespace being
> + * freed).
> + */
> + struct mnt_namespace *mnt_ns;
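Review bot: The new comment on `mnt_ns` tells lockless readers to use RCU, but it does not say what guarantees the grace period, i.e. why the namespace cannot be freed before an RCU delay once umount_tree() has cleared this pointer; without that, a reader cannot verify that the rcu_read_lock() added in may_decode_fh() is sufficient. Suggest extending the comment to name the mechanism that defers freeing of the namespace and to state that lockless readers rely on it, so the invariant is documented next to the field rather than only implied by the fix.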
Umm... It's somewhat subtle - at the very least you need to explain why
there will be an RCU delay between umount_tree() clearing that and
having the sucker freed.