Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5977367ybi; Wed, 12 Jun 2019 11:44:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqyggGI+D0TV9+bGS+0PxzDjPR8KC5X0EspJA+vq6Oqvv7758tQqoVtPxTKQ6b8VK7o3cqtc X-Received: by 2002:a62:15c3:: with SMTP id 186mr24227984pfv.141.1560365073954; Wed, 12 Jun 2019 11:44:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560365073; cv=none; d=google.com; s=arc-20160816; b=nI70mNrJbGAmZNdOVJQQ0d9KNaqpYdoTY7gZSD6VHH9RMg6otW1wZmOK0yv+6LhNMI 1PF/97RA4veXF1V15ncjvIt5gXhPgH0+bvL++tSk663hdUzUd5m9Htr4EYkqGpA9bCSq gAcAxzNeH+uR1h8uJfiim9IEcwDzQmdByI1GOT1/iTqBng6mgUrTJ+zfZW6ubEVI77lr z/DEArYyzGFYwRiRCkEXztk3clKD97JWqCOro7vItD/cbuNzZRaMo+3WJ/OBSw78j5An WpdsyEXG5B38RQ6TO/gtq3pCRpkr8GxU1+ghER+28Zgj0og0Guy9jD+gNC7z1slZaMxS e8FQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=/gAhiE28mgMgkK0gkbHTcthoouRlkly68/o2uKUvs3Y=; b=iodoPbPbkBTyraym/Uvo89zw4ip/xstw0wR/qwrOXiHGoMMVL1n0fcoEo1YwPTOtzB BgdGXFpFd7chWktCzjERvp3s3wZJ/39tQy7dSpeLnCjLbJlSxPeS2TTmx03EuTnizNvh 8imI6TcAGcEMPWrFObMuhVpyv9Pkl127M4lEOP6XveBNjCT3fWOhjkFaXXytI/YhzSj0 6cSqfju/OzS6MTix7xBPiJZOIyUbfaf3jKe9zdxO5eyMBDW7b1UpHPtTK1CxcF6FcnXl Hi5ExNmR6/XcvbK+3YuVcJZXpFEFm7L6e3F5FfMDodCchlB2JUd15BAQvpZAzJMzVrWe FwMw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gHvfgg1h; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a6si380720pla.259.2019.06.12.11.44.19; Wed, 12 Jun 2019 11:44:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gHvfgg1h; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727875AbfFLSoL (ORCPT + 99 others); Wed, 12 Jun 2019 14:44:11 -0400 Received: from mail.kernel.org ([198.145.29.99]:56080 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726454AbfFLSoL (ORCPT ); Wed, 12 Jun 2019 14:44:11 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 562BF206E0; Wed, 12 Jun 2019 18:44:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560365050; bh=k6XhKo4tLkZYiTtqJuhymE61FS6ceGjNgw92LnacGLA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gHvfgg1hqasjQa2CDaeC2qWRoB52XpPScocrDwcWENjw4puUMw9jTrqtm/5N8pYaT kF0kZ8InqQCKAwHdx6S2V2v4MmQzp5e8v+2xgeTj9mO/kM20k6MhRzzEdRN2RrQ9Og e87pXxd15WbSjzRxnTpxnVahlNd8zXEzkVs0BQ+4= From: Eric Biggers To: David Howells , Alexander Viro , linux-fsdevel@vger.kernel.org Cc: Mark Rutland , linux-kernel@vger.kernel.org Subject: [PATCH] vfs: fsmount: add missing mntget() Date: Wed, 12 Jun 2019 11:43:13 -0700 Message-Id: <20190612184313.143456-1-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.rc2.383.gf4fbbf30c2-goog In-Reply-To: <20190610183031.GE63833@gmail.com> References: <20190610183031.GE63833@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers sys_fsmount() needs to take a reference to the new mount when adding it to the anonymous mount namespace. Otherwise the filesystem can be unmounted while it's still in use, as found by syzkaller. Reported-by: Mark Rutland Reported-by: syzbot+99de05d099a170867f22@syzkaller.appspotmail.com Reported-by: syzbot+7008b8b8ba7df475fdc8@syzkaller.appspotmail.com Fixes: 93766fbd2696 ("vfs: syscall: Add fsmount() to create a mount for a superblock") Signed-off-by: Eric Biggers --- fs/namespace.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/namespace.c b/fs/namespace.c index b26778bdc236e..5dc137a22d406 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3445,6 +3445,7 @@ SYSCALL_DEFINE3(fsmount, int, fs_fd, unsigned int, flags, ns->root = mnt; ns->mounts = 1; list_add(&mnt->mnt_list, &ns->list); + mntget(newmount.mnt); /* Attach to an apparent O_PATH fd with a note that we need to unmount * it, not just simply put it. -- 2.22.0.rc2.383.gf4fbbf30c2-goog