ipcns: fix use after free in free_ipc_ns()

[pandora-kernel.git] / ipc / namespace.c

diff --git a/ipc/namespace.c b/ipc/namespace.c
index a1094ff..8054c8e 100644 (file)
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -11,10 +11,12 @@
 #include <linux/slab.h>
 #include <linux/fs.h>
 #include <linux/mount.h>
+#include <linux/user_namespace.h>
 
 #include "util.h"
 
-static struct ipc_namespace *create_ipc_ns(void)
+static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk,
+                                          struct ipc_namespace *old_ns)
 {
        struct ipc_namespace *ns;
        int err;
@@ -43,14 +45,19 @@ static struct ipc_namespace *create_ipc_ns(void)
        ipcns_notify(IPCNS_CREATED);
        register_ipcns_notifier(ns);
 
+       ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns);
+
        return ns;
 }
 
-struct ipc_namespace *copy_ipcs(unsigned long flags, struct ipc_namespace *ns)
+struct ipc_namespace *copy_ipcs(unsigned long flags,
+                               struct task_struct *tsk)
 {
+       struct ipc_namespace *ns = tsk->nsproxy->ipc_ns;
+
        if (!(flags & CLONE_NEWIPC))
                return get_ipc_ns(ns);
-       return create_ipc_ns();
+       return create_ipc_ns(tsk, ns);
 }
 
 /*
@@ -97,7 +104,6 @@ static void free_ipc_ns(struct ipc_namespace *ns)
        sem_exit_ns(ns);
        msg_exit_ns(ns);
        shm_exit_ns(ns);
-       kfree(ns);
        atomic_dec(&nr_ipc_ns);
 
        /*
@@ -105,6 +111,8 @@ static void free_ipc_ns(struct ipc_namespace *ns)
         * order to have a correct value when recomputing msgmni.
         */
        ipcns_notify(IPCNS_REMOVED);
+       put_user_ns(ns->user_ns);
+       kfree(ns);
 }
 
 /*