From d31da0f0ba3bc0a827a63879310818c22d9a95be Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue, 22 Nov 2011 12:31:21 -0500
Subject: mount_subtree() pointless use-after-free

d'oh... we'd carefully pinned mnt->mnt_sb down, dropped mnt and then attempted
to grab s_umount on mnt->mnt_sb.  The trouble is, *mnt might've been
overwritten by then...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 fs/namespace.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)


diff --git a/fs/namespace.c b/fs/namespace.c
index 50ee30345b4f..6d3a1963879b 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2493,6 +2493,7 @@ EXPORT_SYMBOL(create_mnt_ns);
 struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
 {
 	struct mnt_namespace *ns;
+	struct super_block *s;
 	struct path path;
 	int err;
 
@@ -2509,10 +2510,11 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
 		return ERR_PTR(err);
 
 	/* trade a vfsmount reference for active sb one */
-	atomic_inc(&path.mnt->mnt_sb->s_active);
+	s = path.mnt->mnt_sb;
+	atomic_inc(&s->s_active);
 	mntput(path.mnt);
 	/* lock the sucker */
-	down_write(&path.mnt->mnt_sb->s_umount);
+	down_write(&s->s_umount);
 	/* ... and return the root of (sub)tree on it */
 	return path.dentry;
 }
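Review bot: The lifetime reasoning that makes `s` necessary lives only in the commit message; the code itself gives a future maintainer no hint why `path.mnt->mnt_sb` must not be re-read after `mntput(path.mnt)`, and the two-line "cache it first" shape is exactly the kind of thing that gets "simplified" back into the original bug. I would extend the comment on the new line to say so, e.g. `/* trade a vfsmount reference for active sb one; path.mnt is dead after mntput(), so grab the sb pointer first */`. It may also be worth a one-line note that the `s_active` increment is what keeps `s` valid across the `down_write()` below, since that ordering is load-bearing too. mount_subtree's body begins outside this hunk.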
-- 
cgit v1.2.3