mirror of
https://github.com/torvalds/linux.git
synced 2024-12-30 23:02:08 +00:00
mount_subtree() pointless use-after-free
d'oh... we'd carefully pinned mnt->mnt_sb down, dropped mnt and attempt to grab s_umount on mnt->mnt_sb. The trouble is, *mnt might've been overwritten by now... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent
b464133679
commit
d31da0f0ba
@ -2493,6 +2493,7 @@ EXPORT_SYMBOL(create_mnt_ns);
|
|||||||
struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
|
struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
|
||||||
{
|
{
|
||||||
struct mnt_namespace *ns;
|
struct mnt_namespace *ns;
|
||||||
|
struct super_block *s;
|
||||||
struct path path;
|
struct path path;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
@ -2509,10 +2510,11 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
|
|||||||
return ERR_PTR(err);
|
return ERR_PTR(err);
|
||||||
|
|
||||||
/* trade a vfsmount reference for active sb one */
|
/* trade a vfsmount reference for active sb one */
|
||||||
atomic_inc(&path.mnt->mnt_sb->s_active);
|
s = path.mnt->mnt_sb;
|
||||||
|
atomic_inc(&s->s_active);
|
||||||
mntput(path.mnt);
|
mntput(path.mnt);
|
||||||
/* lock the sucker */
|
/* lock the sucker */
|
||||||
down_write(&path.mnt->mnt_sb->s_umount);
|
down_write(&s->s_umount);
|
||||||
/* ... and return the root of (sub)tree on it */
|
/* ... and return the root of (sub)tree on it */
|
||||||
return path.dentry;
|
return path.dentry;
|
||||||
}
|
}
|
||||||
|
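Review bot: Nothing in the second hunk records why the superblock pointer is cached in `s`, so a later cleanup could fold `s` back into `path.mnt->mnt_sb` and reintroduce the dereference after `mntput(path.mnt)`. The `s_active` increment keeps the superblock alive, but as the commit message says, the vfsmount may already have been overwritten once its reference is dropped. I would extend the existing comment to `/* trade a vfsmount reference for active sb one; path.mnt must not be touched after mntput() */`. The middle of mount_subtree() lies between the two hunks and is not visible here, so this applies only to the tail shown.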