Re: [PATCH] fs: fix use-after-free in peer group traversal during mount release
From: Yuto Ohnuki
Date: Tue Mar 17 2026 - 17:15:03 EST
On Tue, Mar 17, 2026 at 04:24:32PM +0100, Christian Brauner wrote:
> The last time this reproduced upstream was on:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?id=6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
>
> which is v7.0-rc1. At which point the question should be "why?" :)
>
> Fixed by: a41dbf5e004e ("mount: hold namespace_sem across copy in create_new_namespace()")
>
> In any case, thanks for the proposed fix but it is already fixed
> upstream and the fix you suggested indicates another bug that is the
> real cause.

Thanks for the review and explanation. I should have checked why the
reproducer stopped firing on current HEAD before sending the patch -
lesson learned. I was testing with a custom reproducer that called
clone_mnt() directly from a module, which bypassed the actual
create_new_namespace() code path and masked the fact that the real
bug was already fixed.

I see now that the real issue was the namespace_sem drop-and-reacquire
race in create_new_namespace(), not a missing cleanup in
mntput_no_expire_slowpath(). a41dbf5e004e properly fixes the root
cause by holding namespace_sem across the copy.

Please disregard this patch.

Thanks again,
Yuto