Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3108819imu; Mon, 19 Nov 2018 10:44:29 -0800 (PST) X-Google-Smtp-Source: AJdET5ehAxMsHjjmreDvkELJyFhrNOQlhFGh9orZGfGPyB30jGCjzy42H39UXocZHOv+Fkrmwmvu X-Received: by 2002:a17:902:6b4b:: with SMTP id g11-v6mr23491086plt.213.1542653069253; Mon, 19 Nov 2018 10:44:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542653069; cv=none; d=google.com; s=arc-20160816; b=hsZB5kRVm4MEIQ3ku17jOZvc/3rJT5XE7T1tgk+djHAE73sMFe3sZtcoGGK7KRn1sD iZa6nGGDArqnjmA5StMLtsssPZat1S2pHS4BuJsSL/ZLUPg8QlU4Z+eiFVJPX3yO0/BB kw8d7IwLvHqub97R7F36QuBWFIGv7aJEHWVdB7mDkbv3V3fzcamA0FuayVk8t3l3NT/e mb3ByHkxV0wBkBaRX1ik1zI1Pgc4GnoudNt4RXSf/ShJAKGm4kp6mzohNpYwlvY/rJ8u Q6cw9oIJuzG/H/18T/0eZg1puWeXBRMwPjtx+2BmlvVDaUzh8o9t25aRqQ5T7YtRG31P 1Lkw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=w0JphNGJpaM8PsRBHwezleW3Gt2FSqW7nBaGxMydK9Q=; b=XJs2uK12h2bvGuxPUxtaJw3CFEde1QJLtXhnsRBq7cU+U2hpoRjAQiFzlp+JOPY+uV 4I99lgzy78FxkhZGvF1f8er+O1b62vYxH6LmVQBsZ6g3YRV6tdoHKG9Bhhi4jXenMbwO xfPP0yxzQ4F16Flcwp9FS2EAbLWC4Yc/Xgoo9wqNrZ4UaBSrqd2seUyVmj2mqxN0ytPq KBwgwoCKP/I6SjwA97MjUI/wPezPzepnn7hM1QjDo8Gz2U2clXBRkPoETHvA0+xyM8Gj /Q2HA5BLCdvUKflmX2ugsnqdsKUqAAMHTX7hV9hMC/0QrKBGPVUFIxhvvoLMxSZChuPc +IJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bURHZUjk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t70si38758198pgd.339.2018.11.19.10.44.14; Mon, 19 Nov 2018 10:44:29 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bURHZUjk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732429AbeKTDCZ (ORCPT + 99 others); Mon, 19 Nov 2018 22:02:25 -0500 Received: from mail.kernel.org ([198.145.29.99]:34678 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731481AbeKTDCY (ORCPT ); Mon, 19 Nov 2018 22:02:24 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0CC8F208E4; Mon, 19 Nov 2018 16:38:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1542645495; bh=AyNR4wqfVa62+6mSLTtaiZUUqi/+XWWKMmRuL1e8d0E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bURHZUjkyjOk7W6xYHFQdaqFTU0LOJkizHXymUvBr41GJ3oqALMiA2oxuTnng3892 ayAauE427wRGKD1QZCMi+od7QXAMwvbPRU7dS+SLXToznmbYmfaevVDlGNvqIiiDty MGl8nwHfQZ831Z8+GbhACo+yA2886/gQR4eRSc9A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , "Eric W. Biederman" Subject: [PATCH 4.19 147/205] mount: Retest MNT_LOCKED in do_umount Date: Mon, 19 Nov 2018 17:27:34 +0100 Message-Id: <20181119162638.372543174@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181119162616.586062722@linuxfoundation.org> References: <20181119162616.586062722@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric W. Biederman commit 25d202ed820ee347edec0bf3bf553544556bf64b upstream. It was recently pointed out that the one instance of testing MNT_LOCKED outside of the namespace_sem is in ksys_umount. Fix that by adding a test inside of do_umount with namespace_sem and the mount_lock held. As it helps to fail fails the existing test is maintained with an additional comment pointing out that it may be racy because the locks are not held. Cc: stable@vger.kernel.org Reported-by: Al Viro Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users") Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman --- fs/namespace.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1540,8 +1540,13 @@ static int do_umount(struct mount *mnt, namespace_lock(); lock_mount_hash(); - event++; + /* Recheck MNT_LOCKED with the locks held */ + retval = -EINVAL; + if (mnt->mnt.mnt_flags & MNT_LOCKED) + goto out; + + event++; if (flags & MNT_DETACH) { if (!list_empty(&mnt->mnt_list)) umount_tree(mnt, UMOUNT_PROPAGATE); @@ -1555,6 +1560,7 @@ static int do_umount(struct mount *mnt, retval = 0; } } +out: unlock_mount_hash(); namespace_unlock(); return retval; @@ -1645,7 +1651,7 @@ int ksys_umount(char __user *name, int f goto dput_and_out; if (!check_mnt(mnt)) goto dput_and_out; - if (mnt->mnt.mnt_flags & MNT_LOCKED) + if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */ goto dput_and_out; retval = -EPERM; if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))