mount_subtree() pointless use-after-free

d'oh... we'd carefully pinned mnt->mnt_sb down, dropped mnt and attempt to grab s_umount on mnt->mnt_sb. The trouble is, *mnt might've been overwritten by now... Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk>

mount_subtree() pointless use-after-free
d'oh... we'd carefully pinned mnt->mnt_sb down, dropped mnt and attempt to grab s_umount on mnt->mnt_sb. The trouble is, *mnt might've been overwritten by now... Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk>
d31da0f0 · Al Viro · b4641336 · d31da0f0
隐藏空白更改
内联并排

Showing with 4 addition and 2 deletion

fs/namespace.c fs/namespace.c +4 -2

未找到文件。
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2493,6 +2493,7 @@ EXPORT_SYMBOL(create_mnt_ns);
 struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
 {
 	struct mnt_namespace *ns;
+	struct super_block *s;
 	struct path path;
 	int err;

@@ -2509,10 +2510,11 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
 		return ERR_PTR(err);

 	/* trade a vfsmount reference for active sb one */
-	atomic_inc(&path.mnt->mnt_sb->s_active);
+	s = path.mnt->mnt_sb;
+	atomic_inc(&s->s_active);
 	mntput(path.mnt);
 	/* lock the sucker */
-	down_write(&path.mnt->mnt_sb->s_umount);
+	down_write(&s->s_umount);
 	/* ... and return the root of (sub)tree on it */
 	return path.dentry;
 }