Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d31da0f0 authored by Al Viro's avatar Al Viro
Browse files

mount_subtree() pointless use-after-free 



d'oh... we'd carefully pinned mnt->mnt_sb down, dropped mnt and attempt
to grab s_umount on mnt->mnt_sb.  The trouble is, *mnt might've been
overwritten by now...

Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent b4641336

fs/namespace.c

+4 −2
Original line number Diff line number Diff line
@@ -2493,6 +2493,7 @@ EXPORT_SYMBOL(create_mnt_ns); 
struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)

{

	struct mnt_namespace *ns;

	struct super_block *s;

	struct path path;

	int err;
@@ -2509,10 +2510,11 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) 
		return ERR_PTR(err);



	/* trade a vfsmount reference for active sb one */

	atomic_inc(&path.mnt->mnt_sb->s_active);

	s = path.mnt->mnt_sb;

	atomic_inc(&s->s_active);

	mntput(path.mnt);

	/* lock the sucker */

	down_write(&path.mnt->mnt_sb->s_umount);

	down_write(&s->s_umount);

	/* ... and return the root of (sub)tree on it */

	return path.dentry;

}