patches/old/ipc-msgc-fix-percpu_counter-use-after-free.patch - pub/scm/linux/kernel/git/akpm/25-new - Git at Google

 From: Andrew Morton <akpm@linux-foundation.org>
 Subject: ipc/msg.c: fix percpu_counter use after free
 Date: Thu Oct 20 09:19:22 PM PDT 2022

 These percpu counters are referenced in free_ipcs->freeque, so destroy
 them later.

 Fixes: 72d1e611082e ("ipc/msg: mitigate the lock contention with percpu counter")
 Reported-by: syzbot+96e659d35b9d6b541152@syzkaller.appspotmail.com
 Tested-by: Mark Rutland <mark.rutland@arm.com>
 Cc: Jiebin Sun <jiebin.sun@intel.com>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 ---


 --- a/ipc/msg.c~ipc-msgc-fix-percpu_counter-use-after-free
 +++ a/ipc/msg.c
 @@ -1329,11 +1329,11 @@ fail_msg_bytes:
  #ifdef CONFIG_IPC_NS
  void msg_exit_ns(struct ipc_namespace *ns)
  {
 -	percpu_counter_destroy(&ns->percpu_msg_bytes);
 -	percpu_counter_destroy(&ns->percpu_msg_hdrs);
  	free_ipcs(ns, &msg_ids(ns), freeque);
  	idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr);
  	rhashtable_destroy(&ns->ids[IPC_MSG_IDS].key_ht);
 +	percpu_counter_destroy(&ns->percpu_msg_bytes);
 +	percpu_counter_destroy(&ns->percpu_msg_hdrs);
  }
  #endif

 _
	From: Andrew Morton <akpm@linux-foundation.org>
	Subject: ipc/msg.c: fix percpu_counter use after free
	Date: Thu Oct 20 09:19:22 PM PDT 2022

	These percpu counters are referenced in free_ipcs->freeque, so destroy
	them later.

	Fixes: 72d1e611082e ("ipc/msg: mitigate the lock contention with percpu counter")
	Reported-by: syzbot+96e659d35b9d6b541152@syzkaller.appspotmail.com
	Tested-by: Mark Rutland <mark.rutland@arm.com>
	Cc: Jiebin Sun <jiebin.sun@intel.com>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	---


	--- a/ipc/msg.c~ipc-msgc-fix-percpu_counter-use-after-free
	+++ a/ipc/msg.c
	@@ -1329,11 +1329,11 @@ fail_msg_bytes:
	#ifdef CONFIG_IPC_NS
	void msg_exit_ns(struct ipc_namespace *ns)
	{
	- percpu_counter_destroy(&ns->percpu_msg_bytes);
	- percpu_counter_destroy(&ns->percpu_msg_hdrs);
	free_ipcs(ns, &msg_ids(ns), freeque);
	idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr);
	rhashtable_destroy(&ns->ids[IPC_MSG_IDS].key_ht);
	+ percpu_counter_destroy(&ns->percpu_msg_bytes);
	+ percpu_counter_destroy(&ns->percpu_msg_hdrs);
	}
	#endif

	_