Re: [Linux-stable-mirror] [PATCH] exit: move exit_task_namespaces() after exit_task_work()

On Thu, Dec 14, 2017 at 12:17:57PM -0800, Cong Wang wrote:

syzbot reported we have a use-after-free when mqueue_evict_inode() is called on __cleanup_mnt() path, where the ipc ns is already freed by the previous exit_task_namespaces(). We can just move it after after exit_task_work() to avoid this use-after-free.

What's to prevent somebody else holding a reference to the same inode past the exit(2)? IOW, I don't believe that this is fixing anything - in the best case, your patch papers over a specific reproducer.