summaryrefslogtreecommitdiff
path: root/drivers/gpu/drm/amd/amdgpu/amdgpu_ip.c
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2025-05-04 20:28:37 +0300
committerAl Viro <viro@zeniv.linux.org.uk>2025-06-07 07:40:25 +0300
commitbab77c0d191e241d2d59a845c7ed68bfa6e1b257 (patch)
tree9621c3571a667b83ae3ed3b567417bbbbf059a8d /drivers/gpu/drm/amd/amdgpu/amdgpu_ip.c
parent5f31c549382bcddbbd754c72c5433b19420d485d (diff)
downloadlinux-bab77c0d191e241d2d59a845c7ed68bfa6e1b257.tar.xz
finish_automount(): don't leak MNT_LOCKED from parent to child
Intention for MNT_LOCKED had always been to protect the internal mountpoints within a subtree that got copied across the userns boundary, not the mountpoint that tree got attached to - after all, it _was_ exposed before the copying. For roots of secondary copies that is enforced in attach_recursive_mnt() - MNT_LOCKED is explicitly stripped for those. For the root of primary copy we are almost always guaranteed that MNT_LOCKED won't be there, so attach_recursive_mnt() doesn't bother. Unfortunately, one call chain got overlooked - triggering e.g. NFS referral will have the submount inherit the public flags from parent; that's fine for such things as read-only, nosuid, etc., but not for MNT_LOCKED. This is particularly pointless since the mount attached by finish_automount() is usually expirable, which makes any protection granted by MNT_LOCKED null and void; just wait for a while and that mount will go away on its own. Include MNT_LOCKED into the set of flags to be ignored by do_add_mount() - it really is an internal flag. Reviewed-by: Christian Brauner <brauner@kernel.org> Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_ip.c')
0 files changed, 0 insertions, 0 deletions