diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2011-11-22 21:31:21 +0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2011-11-22 21:31:21 +0400 |
commit | d31da0f0ba3bc0a827a63879310818c22d9a95be (patch) | |
tree | d89bbdf299c4cbc37f49a9964b8127f09eedd50b | |
parent | b46413367961c2e8bd827e067a231be982aaeee2 (diff) | |
download | linux-d31da0f0ba3bc0a827a63879310818c22d9a95be.tar.xz |
mount_subtree() pointless use-after-free
d'oh... we'd carefully pinned mnt->mnt_sb down, dropped mnt and attempt
to grab s_umount on mnt->mnt_sb. The trouble is, *mnt might've been
overwritten by now...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | fs/namespace.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index 50ee30345b4f..6d3a1963879b 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2493,6 +2493,7 @@ EXPORT_SYMBOL(create_mnt_ns); struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) { struct mnt_namespace *ns; + struct super_block *s; struct path path; int err; @@ -2509,10 +2510,11 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) return ERR_PTR(err); /* trade a vfsmount reference for active sb one */ - atomic_inc(&path.mnt->mnt_sb->s_active); + s = path.mnt->mnt_sb; + atomic_inc(&s->s_active); mntput(path.mnt); /* lock the sucker */ - down_write(&path.mnt->mnt_sb->s_umount); + down_write(&s->s_umount); /* ... and return the root of (sub)tree on it */ return path.dentry; } |