[PATCH] ipcns: fix use after free in free_ipc_ns

From: Xiaotian Feng
Date: Fri Mar 25 2011 - 02:29:04 EST

Next message: Lin Ming: "Re: [PATCH v2 -tip] perf probe: Add fastpath to do lookup byfunction name"
Previous message: Dmitry Torokhov: "Re: [PATCH v3] Documentation: Add evdev type and code definitions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

commit b515498 add a user namespace owner of ipc ns, but it also
introduced a use after free in free_ipc_ns.

Signed-off-by: Xiaotian Feng <dfeng@xxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: "Serge E. Hallyn" <serge.hallyn@xxxxxxxxxxxxx>
Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Cc: David Howells <dhowells@xxxxxxxxxx>
Cc: Daniel Lezcano <daniel.lezcano@xxxxxxx>
---
ipc/namespace.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipc/namespace.c b/ipc/namespace.c
index 3c3e522..8054c8e 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -104,7 +104,6 @@ static void free_ipc_ns(struct ipc_namespace *ns)
sem_exit_ns(ns);
msg_exit_ns(ns);
shm_exit_ns(ns);
- kfree(ns);
atomic_dec(&nr_ipc_ns);

/*
@@ -113,6 +112,7 @@ static void free_ipc_ns(struct ipc_namespace *ns)
*/
ipcns_notify(IPCNS_REMOVED);
put_user_ns(ns->user_ns);
+ kfree(ns);
}

/*
--
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Lin Ming: "Re: [PATCH v2 -tip] perf probe: Add fastpath to do lookup byfunction name"
Previous message: Dmitry Torokhov: "Re: [PATCH v3] Documentation: Add evdev type and code definitions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]