From: Al Viro
Date: Tue, 22 Nov 2011 17:31:21 +0000 (-0500)
Subject: mount_subtree() pointless use-after-free
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d31da0f0ba3bc0a827a63879310818c22d9a95be;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git

mount_subtree() pointless use-after-free

d'oh... we'd carefully pinned mnt->mnt_sb down, dropped mnt and attempt to grab s_umount on mnt->mnt_sb. The trouble is, *mnt might've been overwritten by now...

Signed-off-by: Al Viro
---

diff --git a/fs/namespace.c b/fs/namespace.c
index 50ee30345b4..6d3a1963879 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2493,6 +2493,7 @@ EXPORT_SYMBOL(create_mnt_ns);
 struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
 {
 	struct mnt_namespace *ns;
+	struct super_block *s;
 	struct path path;
 	int err;
@@ -2509,10 +2510,11 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
 		return ERR_PTR(err);
 	/* trade a vfsmount reference for active sb one */
-	atomic_inc(&path.mnt->mnt_sb->s_active);
+	s = path.mnt->mnt_sb;
+	atomic_inc(&s->s_active);
 	mntput(path.mnt);
 	/* lock the sucker */
-	down_write(&path.mnt->mnt_sb->s_umount);
+	down_write(&s->s_umount);
 	/* ... and return the root of (sub)tree on it */
 	return path.dentry;
 }
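Review bot: In the second hunk the fix relies entirely on `s = path.mnt->mnt_sb;` being sequenced before `mntput(path.mnt);`, but nothing in the code records that ordering constraint, so a later reshuffle could quietly reintroduce the use-after-free this commit removes. I would annotate the new line: `s = path.mnt->mnt_sb;	/* must be read before mntput(): path.mnt may be freed by it */`. The ownership handed back at `return path.dentry;` is also undocumented in the hunk: the caller receives the dentry (presumably the reference taken by the lookup earlier in the function, outside this hunk) together with an active reference on `s` and `s->s_umount` held for write, and must release all three; a short comment above the return stating that contract would help callers. The function's signature and the new `struct super_block *s;` declaration are in the first hunk; the second hunk closes the function.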