diff options
| author | Vlad Kulikov <vlad.kulikov.c@gmail.com> | 2025-10-21 21:13:39 +0300 |
|---|---|---|
| committer | Andrew Morton <akpm@linux-foundation.org> | 2025-11-12 10:00:15 -0800 |
| commit | 7229d74e5e8c1f140529d405c88d4493e37ce4e3 (patch) | |
| tree | 8a36cc07dc2b798b10c6f7cc3ac6fc6c31147e2d /ipc | |
| parent | aa5b6a72ccd9fad2d2ed875631f6aca6b0633d80 (diff) | |
ipc: create_ipc_ns: drop mqueue mount on sysctl setup failure
If setup_mq_sysctls(ns) fails after mq_init_ns(ns) succeeds, the error
path skipped releasing the internal kernel mqueue mount kept in
ns->mq_mnt. That leaves the vfsmount/superblock referenced until final
namespace teardown, i.e. a resource leak on this rare failure edge.
Unwind it by calling mntput(ns->mq_mnt) before dropping user_ns and
freeing the IPC namespace. This mirrors the normal ordering used in
free_ipc_ns().
Link: https://lkml.kernel.org/r/20251021181341.670297-1-vlad_kulikov_c@pm.me
Signed-off-by: Vlad Kulikov <vlad_kulikov_c@pm.me>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: David Hildenbrand <david@redhat.com>
Cc: Ma Wupeng <mawupeng1@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Diffstat (limited to 'ipc')
| -rw-r--r-- | ipc/namespace.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/ipc/namespace.c b/ipc/namespace.c index 59b12fcb40bd..cf62d11a09b9 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c @@ -75,10 +75,10 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns, err = -ENOMEM; if (!setup_mq_sysctls(ns)) - goto fail_put; + goto fail_mq_mount; if (!setup_ipc_sysctls(ns)) - goto fail_mq; + goto fail_mq_sysctls; err = msg_init_ns(ns); if (err) @@ -92,9 +92,10 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns, fail_ipc: retire_ipc_sysctls(ns); -fail_mq: +fail_mq_sysctls: retire_mq_sysctls(ns); - +fail_mq_mount: + mntput(ns->mq_mnt); fail_put: put_user_ns(ns->user_ns); ns_common_free(ns); |