pidfs: check for valid pid namespace


 



From: Christian Brauner <brauner@xxxxxxxxxx>

commit 8a46067783bdff222d1fb8f8c20e3b7b711e3ce5 upstream.

When we access a non-current task's pid namespace we need to check that the
task hasn't been reaped in the meantime and its pid namespace isn't
accessible anymore.

The user namespace is fine because it is only released when the last
reference to struct task_struct is put and exit_creds() is called.

Link: https://lore.kernel.org/r/20240926-klebt-altgedienten-0415ad4d273c@brauner
Fixes: 5b08bd408534 ("pidfs: allow retrieval of namespace file descriptors")
CC: stable@xxxxxxxxxxxxxxx # v6.11
Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/pidfs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/pidfs.c b/fs/pidfs.c
index 7ffdc88dfb52..80675b6bf884 100644
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -120,6 +120,7 @@ static long pidfd_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 	struct nsproxy *nsp __free(put_nsproxy) = NULL;
 	struct pid *pid = pidfd_pid(file);
 	struct ns_common *ns_common = NULL;
+	struct pid_namespace *pid_ns;
 
 	if (arg)
 		return -EINVAL;
@@ -202,7 +203,9 @@ static long pidfd_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 	case PIDFD_GET_PID_NAMESPACE:
 		if (IS_ENABLED(CONFIG_PID_NS)) {
 			rcu_read_lock();
-			ns_common = to_ns_common( get_pid_ns(task_active_pid_ns(task)));
+			pid_ns = task_active_pid_ns(task);
+			if (pid_ns)
+				ns_common = to_ns_common(get_pid_ns(pid_ns));
 			rcu_read_unlock();
 		}
 		break;
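Review bot: in the PIDFD_GET_PID_NAMESPACE case, when task_active_pid_ns(task) returns NULL the new `if (pid_ns)` skips the assignment, so ns_common keeps its initial NULL and the case falls through to `break`. The code after the switch is not part of this hunk, so it is worth confirming that a NULL ns_common there becomes an error return to the caller and is never dereferenced or handed on. A one-line comment above `if (pid_ns)` saying that NULL means the task has already been reaped would also help, since that reasoning currently lives only in the commit message. Keeping the get_pid_ns() call inside the rcu_read_lock()/rcu_read_unlock() pair, as done here, is the right place for it: the reference has to be taken before the read section ends.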
-- 
2.46.2



Patches currently in stable-queue which might be from brauner@xxxxxxxxxx are

queue-6.11/ext4-don-t-set-sb_rdonly-after-filesystem-errors.patch
queue-6.11/proc-add-config-param-to-block-forcing-mem-writes.patch
queue-6.11/fs-inode-prevent-dump_mapping-accessing-invalid-dent.patch
queue-6.11/iomap-constrain-the-file-range-passed-to-iomap_file_.patch
queue-6.11/netfs-cancel-dirty-folios-that-have-no-storage-desti.patch
queue-6.11/exec-don-t-warn-for-racy-path_noexec-check.patch
queue-6.11/netfs-fix-missing-wakeup-after-issuing-writes.patch
queue-6.11/pidfs-check-for-valid-pid-namespace.patch
queue-6.11/afs-fix-missing-wire-up-of-afs_retry_request.patch
queue-6.11/afs-fix-the-setting-of-the-server-responding-flag.patch
queue-6.11/vfs-use-rcu-in-ilookup.patch
queue-6.11/cachefiles-fix-dentry-leak-in-cachefiles_open_file.patch
queue-6.11/iomap-handle-a-post-direct-i-o-invalidate-race-in-io.patch



