Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2975268imu; Mon, 19 Nov 2018 08:51:44 -0800 (PST) X-Google-Smtp-Source: AJdET5dM7eJX3Gyf84JcUIOvoBx2a3Oc+xX6TPJHdYuLcDxRtmkHamh2zyM7UVMzvyeY3IS6OlMf X-Received: by 2002:a63:db02:: with SMTP id e2mr21004883pgg.419.1542646304259; Mon, 19 Nov 2018 08:51:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542646304; cv=none; d=google.com; s=arc-20160816; b=LsdIn0lCLuWzQ9kr7RvuwFw+TVsStMnU1eLN+B4ajNEqVMahJ2sIDron8QOSFyqsLO tEC+UNcTEx+2/dwHvTJwMqSwkLmZDkpjMPrweIZvVoK3DXI8MhL408O1cH0dcHtTRdhZ pd19x/l67M2CmvOUqTk94KJ616B3ZRW8Qoj1Wq9zIWTX7K+3AarQAvAF5WCuRMz3PMGN pMSMABT4v6EVJZGPSqcaIP+rNFrHB/9BHpwrlECFsS493j8tGoHaAecESPVWg3QZhsb4 zy12XEQ0NV9IXPOjv+87oYD/R0zRT09MmxHI7e9vPOutczWXVfXmXtdtAY6gbDH2/g2Q zeNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=IYNByV+vdl/ZKVlc6vkUptwAy7hg18LxTGeoN1tdKYs=; b=KjleAuWNRPnUFj4PjsqJHKd/kl4vTbOStU9K9Yvpczv2KqRjkh3AqvejiR2bxl5bcx 75OOhNr6r7uiOcpF1o69qbMHm5cpTR5/uSSaVT/CfAzF50WXhcqeIoqevrBkbCmoTExC A9jXZugOvuRT5B6WuCD5LTmY+GJbv5KYdLzXd+q4VBxlwXjCsVNmarYLgQIsnmguomMe WgM8XplJ+HZzI/NS5IfT4j0ljgU5DC5CEWrrHsTUeEmW00Si4cOYbqkZ1qW3TdJUWJP+ EehRdkyzF0RdVYUb/ISqd40AYzpuCsV02xNlcc41nLGRNzL6zXvWeFAU+wcWULcnq9HF FIvA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iloZMWCY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c191si24276248pfg.72.2018.11.19.08.51.28; Mon, 19 Nov 2018 08:51:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iloZMWCY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390080AbeKTDOw (ORCPT + 99 others); Mon, 19 Nov 2018 22:14:52 -0500 Received: from mail.kernel.org ([198.145.29.99]:52296 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388976AbeKTDOv (ORCPT ); Mon, 19 Nov 2018 22:14:51 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1AFB2206BA; Mon, 19 Nov 2018 16:50:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1542646238; bh=efzkDKRhvLWbNG1/MjrLQoc/Mpbzm1sNRxAfVvqvB0k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iloZMWCYx7uSwHcgGjCgvtq98EcJcWalGx4OP239ibJowUTV2qEIj21vivJbXHT9M WJBQDUEjC3HTXqXfzcRyBW8qGeOnQaQCUSoeLYDQ98AETnSSbnyNQJTa1HtHWgHOIR 4Nm7HfeC/JBWY20LfgBR5JPsOGt7xFBR+DjqiRPo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , "Eric W. Biederman" Subject: [PATCH 4.14 090/124] mount: Retest MNT_LOCKED in do_umount Date: Mon, 19 Nov 2018 17:29:04 +0100 Message-Id: <20181119162630.025478280@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181119162612.951907286@linuxfoundation.org> References: <20181119162612.951907286@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric W. Biederman commit 25d202ed820ee347edec0bf3bf553544556bf64b upstream. It was recently pointed out that the one instance of testing MNT_LOCKED outside of the namespace_sem is in ksys_umount. Fix that by adding a test inside of do_umount with namespace_sem and the mount_lock held. As it helps to fail fails the existing test is maintained with an additional comment pointing out that it may be racy because the locks are not held. Cc: stable@vger.kernel.org Reported-by: Al Viro Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users") Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman --- fs/namespace.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1625,8 +1625,13 @@ static int do_umount(struct mount *mnt, namespace_lock(); lock_mount_hash(); - event++; + /* Recheck MNT_LOCKED with the locks held */ + retval = -EINVAL; + if (mnt->mnt.mnt_flags & MNT_LOCKED) + goto out; + + event++; if (flags & MNT_DETACH) { if (!list_empty(&mnt->mnt_list)) umount_tree(mnt, UMOUNT_PROPAGATE); @@ -1640,6 +1645,7 @@ static int do_umount(struct mount *mnt, retval = 0; } } +out: unlock_mount_hash(); namespace_unlock(); return retval; @@ -1730,7 +1736,7 @@ SYSCALL_DEFINE2(umount, char __user *, n goto dput_and_out; if (!check_mnt(mnt)) goto dput_and_out; - if (mnt->mnt.mnt_flags & MNT_LOCKED) + if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */ goto dput_and_out; retval = -EPERM; if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))