The patch titled
ipcns: fix use after free in free_ipc_ns()
has been removed from the -mm tree. Its filename was
ipcns-fix-use-after-free-in-free_ipc_ns.patch
This patch was dropped because it was merged into mainline or a subsystem tree
The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
------------------------------------------------------
Subject: ipcns: fix use after free in free_ipc_ns()
From: Xiaotian Feng <dfeng@xxxxxxxxxx>
commit b515498 ("userns: add a user namespace owner of ipc ns") added a
user namespace owner of ipc ns, but it also introduced a use after free in
free_ipc_ns().
Signed-off-by: Xiaotian Feng <dfeng@xxxxxxxxxx>
Cc: "Serge E. Hallyn" <serge.hallyn@xxxxxxxxxxxxx>
Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Cc: David Howells <dhowells@xxxxxxxxxx>
Cc: Daniel Lezcano <daniel.lezcano@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
ipc/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff -puN ipc/namespace.c~ipcns-fix-use-after-free-in-free_ipc_ns ipc/namespace.c
--- a/ipc/namespace.c~ipcns-fix-use-after-free-in-free_ipc_ns
+++ a/ipc/namespace.c
@@ -104,7 +104,6 @@ static void free_ipc_ns(struct ipc_names
sem_exit_ns(ns);
msg_exit_ns(ns);
shm_exit_ns(ns);
- kfree(ns);
atomic_dec(&nr_ipc_ns);
/*
@@ -113,6 +112,7 @@ static void free_ipc_ns(struct ipc_names
*/
ipcns_notify(IPCNS_REMOVED);
put_user_ns(ns->user_ns);
+ kfree(ns);
}
/*
_
Patches currently in -mm which might be from dfeng@xxxxxxxxxx are
origin.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
