If setup_mq_sysctls(ns) fails after mq_init_ns(ns) succeeds, the error
path skipped releasing the internal kernel mqueue mount kept in
ns->mq_mnt. That leaves the vfsmount/superblock referenced until final
namespace teardown, i.e. a resource leak on this rare failure edge.
Unwind it by calling mntput(ns->mq_mnt) before dropping user_ns and
freeing the IPC namespace. This mirrors the normal ordering used in
free_ipc_ns().
Link: https://lkml.kernel.org/r/20251021181341.670297-1-vlad_kulikov_c@pm.me
Signed-off-by: Vlad Kulikov <vlad_kulikov_c@pm.me>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: David Hildenbrand <david@redhat.com>
Cc: Ma Wupeng <mawupeng1@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
err = -ENOMEM;
if (!setup_mq_sysctls(ns))
- goto fail_put;
+ goto fail_mq_mount;
if (!setup_ipc_sysctls(ns))
- goto fail_mq;
+ goto fail_mq_sysctls;
err = msg_init_ns(ns);
if (err)
fail_ipc:
retire_ipc_sysctls(ns);
-fail_mq:
+fail_mq_sysctls:
retire_mq_sysctls(ns);
-
+fail_mq_mount:
+ mntput(ns->mq_mnt);
fail_put:
put_user_ns(ns->user_ns);
ns_common_free(ns);
projects / thirdparty / linux.git / commitdiff
