Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2993009imu; Mon, 19 Nov 2018 09:05:55 -0800 (PST) X-Google-Smtp-Source: AJdET5fXpW+Oz1OIcJVHqYn9yCsslr/CaHItshVv5Iq7RdWrigL65nNRW909T+HdRXpeHPV1nfB5 X-Received: by 2002:a63:1a4b:: with SMTP id a11mr20949901pgm.254.1542647155171; Mon, 19 Nov 2018 09:05:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542647155; cv=none; d=google.com; s=arc-20160816; b=XPaZ1AFaS2UHk/o0fqQ/38moWnF2I0xqaqQmDUwh2rll03rhlJh+wQYYgPBQe6lorq Hin3cxiqo1DmWzZd8lCVwpHo75YufXCWHcEVwO2DKX02IX7263/GxX0EKA8hFLcwNZEr JCdGf9v8Syhogwxw7nND5BeAy9fXiMOCqMC0aP+6OT4z6LFvDMB22I+ljlnB7SBGyF+8 xy2Zh9K1VAbEyhx0tY1lb5wyjif/yVZmfl1yEbkIbbW9AC20NYimvTKx3q0EEZQGfWNN gJnx53xeE5mFg/6j65YTLVDTa4/ufVX5ccs9UYJdhiroanjchRTOA83qT5U56ThPMM2y N2Dg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Z3wV34yphycwL0GwXg4OlYk5P8H9S56GANETKuZTFAQ=; b=LcZYrCbyyLNutFK3LQoWJG1NU5wguGvgHQRh3AeZbo3H2vu6K0krI2es9azldMnQd0 F4+Edn9mX8y8yy5xvy4cG1THvvgkh1frM2pVa9ikVt87eL+YMuS0uizu1xgvOlRM7urw jch1xo3CIwzkMeT9hP24N1/xcMq1jp8kComMNnalE2l2ZCmge/JwCESjxzsAYyuGEXHk XTnYwVzFXLDjkcbJHuqm6uL5a6AY1Z7JQeTAqdU4RXqjiH34pmfFRA7y3XH8AdJ/5DVV pqATql5UAiFmN8AuiawFW/tbwQgA9Mz+IvmJoDnPgh4LxMd2dfsZmqD3WER3nHIrD+sh C0/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="MD/AICP4"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e7si24286092pfh.147.2018.11.19.09.05.39; Mon, 19 Nov 2018 09:05:55 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="MD/AICP4"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2406091AbeKTD1K (ORCPT + 99 others); Mon, 19 Nov 2018 22:27:10 -0500 Received: from mail.kernel.org ([198.145.29.99]:41024 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2405038AbeKTD1K (ORCPT ); Mon, 19 Nov 2018 22:27:10 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E3F48224E0; Mon, 19 Nov 2018 17:02:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1542646973; bh=tpyAANvdiwHuwLWmd0rVF2bEisx3TxO39w8DPFCbWvw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MD/AICP4n7wn9R4idSdxDSXR7Hlw/TmGZS0/EbKDfpuh0lftAEAJThQn4FZWFmx7I nXTtL+IKQ3lcPGPsEeADKIBDnyA96aazz1sVwUlf2byFSXv7vwzWwjjbbdBLfViPGY nCD+VtYIxsie68skglFverJ/Lj8246f8w+ZJhpnI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , "Eric W. Biederman" Subject: [PATCH 4.4 149/160] mount: Retest MNT_LOCKED in do_umount Date: Mon, 19 Nov 2018 17:29:48 +0100 Message-Id: <20181119162644.023073628@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181119162630.031306128@linuxfoundation.org> References: <20181119162630.031306128@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric W. Biederman commit 25d202ed820ee347edec0bf3bf553544556bf64b upstream. It was recently pointed out that the one instance of testing MNT_LOCKED outside of the namespace_sem is in ksys_umount. Fix that by adding a test inside of do_umount with namespace_sem and the mount_lock held. As it helps to fail fails the existing test is maintained with an additional comment pointing out that it may be racy because the locks are not held. Cc: stable@vger.kernel.org Reported-by: Al Viro Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users") Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman --- fs/namespace.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1584,8 +1584,13 @@ static int do_umount(struct mount *mnt, namespace_lock(); lock_mount_hash(); - event++; + /* Recheck MNT_LOCKED with the locks held */ + retval = -EINVAL; + if (mnt->mnt.mnt_flags & MNT_LOCKED) + goto out; + + event++; if (flags & MNT_DETACH) { if (!list_empty(&mnt->mnt_list)) umount_tree(mnt, UMOUNT_PROPAGATE); @@ -1599,6 +1604,7 @@ static int do_umount(struct mount *mnt, retval = 0; } } +out: unlock_mount_hash(); namespace_unlock(); return retval; @@ -1681,7 +1687,7 @@ SYSCALL_DEFINE2(umount, char __user *, n goto dput_and_out; if (!check_mnt(mnt)) goto dput_and_out; - if (mnt->mnt.mnt_flags & MNT_LOCKED) + if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */ goto dput_and_out; retval = -EPERM; if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))