Re: [PATCH] fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
From: Jann Horn
Date: Wed Jun 03 2026 - 14:25:53 EST
On Wed, Jun 3, 2026 at 8:15 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> On Wed, Jun 03, 2026 at 07:38:06PM +0200, Jann Horn wrote:
> > Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like
> > in __prepend_path().
>
> > + /*
> > + * Containing namespace.
> > + * Normally protected by namespace_sem, but there are also lockless
> > + * readers (which must use RCU to guard against the namespace being
> > + * freed).
> > + */
> > + struct mnt_namespace *mnt_ns;
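Review bot: the comment on the new `mnt_ns` field says lockless readers "must use RCU" but does not say why that is sufficient, i.e. what guarantees a grace period between umount_tree() clearing the pointer and the namespace being freed, nor which accessor a lockless reader is expected to use; spell both out in the comment (for example, that readers take rcu_read_lock() and load the pointer with READ_ONCE(), and that all other accesses hold namespace_sem), since without that a reader of the struct definition cannot tell the RCU rule from a plain data race.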
>
> Umm... It's somewhat subtle - at the very least you need to explain why
> there will be an RCU delay between umount_tree() clearing that and
> having the sucker freed.
I guess I could write something like this instead, to make it clear
that this basically follows normal RCU rules, except that this code
isn't actually using RCU markings and accessors?
"This is like an __rcu pointer which is protected by RCU and
namespace_sem; however, because most accesses happen under
namespace_sem, it is not marked as __rcu, and RCU access is done with
READ_ONCE()."
Or we could put __rcu on this pointer, and annotate all the locked
accesses with rcu_dereference_protected(...,
lockdep_is_held(&namespace_lock)), but I guess you'd probably prefer
to not do that?