Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3026708imu;
        Mon, 19 Nov 2018 09:32:17 -0800 (PST)
X-Google-Smtp-Source: AJdET5cf3MPOUkd0EqgoqquZPtZbYKXR4j/bNKIWGJV/Oo5k3crlQAL8V6A/n6EP5lkXB8JD7oAu
X-Received: by 2002:a62:4bc2:: with SMTP id d63-v6mr25024707pfj.170.1542648737045;
        Mon, 19 Nov 2018 09:32:17 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1542648737; cv=none;
        d=google.com; s=arc-20160816;
        b=e35u41JNqxLn+oVK1DRJWaqG2Amh7Mvb/t14SJZ0tsAfecQ7KmB38EzOBHhuNtmYTE
         AIBMkaCmJs6bSdikjFa9hq7gaCJ+2jshOJ8JfX3XI6i5ye0luhjlVzzumOcGZBYJhB25
         6waQXtOX3To8SPwUBAl5GmLVkLEs6BG/e6calnSJiue2FAot8VkTbNlzERlIvnR3wowO
         qQR4JUNbvyl4zyf6v7PkA7kl+3t6UgMhEzFP+HSL6akHEqzqv5Nft2CkO8KR07D4vJWr
         6Rql7ifVLIK5txC4/j3vBD5wdRhn5J2HPDK8wWHehcDVQdpdvA0vQZ+515KJsgNaoUto
         rrZg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=p3SreSo9iU7Q2s9ZxSmYoQe8BMhKUTuPIt9OXs0PGYU=;
        b=0W5XP/n+2vUQGIrcumRYle2o8TATXha5DnA3xMSSZQ6YODagifZbNLA2IsGIFNAtK7
         5fPQBN39OEhqDxT/0zL6RVaOBaKbx3H7mBhS1an7nsK5xZDcsWRO4ynKomHuENFiDLQ4
         Nrq1FgDQjnL0XxBIy0PLG6RcvKRYU7uW4P9D6EGb8HiWCfk5zeAdeaS3wzpQELDhsEoe
         2Sa1QB+pYRSW/7H/SBNFMud9oCPAIDIvN2bsVJneFlwv7lNAmm8nWl89EkSqwblpX7L2
         1WlJ6W/cEegYnhbD6dSq0gA6VXRfmlL9V3FyFh4YLaakHYIHOKxXM59ehZvk+eCHNE1v
         frRQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=r7CC0oS+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 1-v6si17094943plx.278.2018.11.19.09.32.01;
        Mon, 19 Nov 2018 09:32:17 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=r7CC0oS+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2404049AbeKTDTV (ORCPT <rfc822;kkoh.linux@gmail.com>
        + 99 others); Mon, 19 Nov 2018 22:19:21 -0500
Received: from mail.kernel.org ([198.145.29.99]:58468 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2391050AbeKTDTU (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 19 Nov 2018 22:19:20 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id B19AB206BA;
        Mon, 19 Nov 2018 16:55:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1542646506;
        bh=UG71cGrKpSDQpBOgh/T+G8Pd7SvFXLS+DESyHSukfPE=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=r7CC0oS+l8MIve6GwZH+Hcxx0ryM6YzNegtRe7FhHp8M94vsAytmgO1w+6hdpceLe
         fAful2Z3UYtKvLopmjU209M7JIyR3BHln4Ntj/FVG+Tki60k8OYsLwG0hgIaBgJ4kw
         dsGSY1uk0IUB5ZMpHRpwlTSkDFsFnRv3avMoSqns=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Al Viro <viro@ZenIV.linux.org.uk>,
        "Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH 4.9 66/83] mount: Retest MNT_LOCKED in do_umount
Date:   Mon, 19 Nov 2018 17:29:32 +0100
Message-Id: <20181119162625.237158176@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181119162612.046511542@linuxfoundation.org>
References: <20181119162612.046511542@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit 25d202ed820ee347edec0bf3bf553544556bf64b upstream.

It was recently pointed out that the one instance of testing MNT_LOCKED
outside of the namespace_sem is in ksys_umount.

Fix that by adding a test inside of do_umount with namespace_sem and
the mount_lock held.  As it helps to fail fails the existing test is
maintained with an additional comment pointing out that it may be racy
because the locks are not held.

Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/namespace.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1599,8 +1599,13 @@ static int do_umount(struct mount *mnt,
 
 	namespace_lock();
 	lock_mount_hash();
-	event++;
 
+	/* Recheck MNT_LOCKED with the locks held */
+	retval = -EINVAL;
+	if (mnt->mnt.mnt_flags & MNT_LOCKED)
+		goto out;
+
+	event++;
 	if (flags & MNT_DETACH) {
 		if (!list_empty(&mnt->mnt_list))
 			umount_tree(mnt, UMOUNT_PROPAGATE);
@@ -1614,6 +1619,7 @@ static int do_umount(struct mount *mnt,
 			retval = 0;
 		}
 	}
+out:
 	unlock_mount_hash();
 	namespace_unlock();
 	return retval;
@@ -1704,7 +1710,7 @@ SYSCALL_DEFINE2(umount, char __user *, n
 		goto dput_and_out;
 	if (!check_mnt(mnt))
 		goto dput_and_out;
-	if (mnt->mnt.mnt_flags & MNT_LOCKED)
+	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
 		goto dput_and_out;
 	retval = -EPERM;
 	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))