ACK: [PATCH 1/2][T/X/B/C/D] mount: Retest MNT_LOCKED in do_umount
Colin Ian King
colin.king at canonical.com
Tue Nov 13 13:55:30 UTC 2018
On 13/11/2018 07:44, Tyler Hicks wrote:
> From: "Eric W. Biederman" <ebiederm at xmission.com>
>
> BugLink: https://launchpad.net/bugs/1789161
>
> It was recently pointed out that the one instance of testing MNT_LOCKED
> outside of the namespace_sem is in ksys_umount.
>
> Fix that by adding a test inside of do_umount with namespace_sem and
> the mount_lock held. As it helps to fail fast, the existing test is
> maintained with an additional comment pointing out that it may be racy
> because the locks are not held.
>
> Cc: stable at vger.kernel.org
> Reported-by: Al Viro <viro at ZenIV.linux.org.uk>
> Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
> Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
> (cherry picked from commit 25d202ed820ee347edec0bf3bf553544556bf64b)
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
> fs/namespace.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index c53645816531..3fbffe0788d1 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -1633,8 +1633,13 @@ static int do_umount(struct mount *mnt, int flags)
>
> namespace_lock();
> lock_mount_hash();
> - event++;
>
> + /* Recheck MNT_LOCKED with the locks held */
> + retval = -EINVAL;
> + if (mnt->mnt.mnt_flags & MNT_LOCKED)
> + goto out;
> +
> + event++;
> if (flags & MNT_DETACH) {
> if (!list_empty(&mnt->mnt_list))
> umount_tree(mnt, UMOUNT_PROPAGATE);
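Review bot: the new comment above the recheck in do_umount says only "with the locks held"; it would help to name them (namespace_sem and mount_lock, per the commit message) and to say that this is the authoritative test, since the one in ksys_umount runs unlocked. Also, retval is preset to -EINVAL before the test and keeps that value on fall-through, so every branch after event++ has to assign retval itself; the context shown here covers only part of the MNT_DETACH branch, so that is worth confirming against the full function.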
> @@ -1648,6 +1653,7 @@ static int do_umount(struct mount *mnt, int flags)
> retval = 0;
> }
> }
> +out:
> unlock_mount_hash();
> namespace_unlock();
> return retval;
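Review bot: the out: label sits directly in front of unlock_mount_hash() and namespace_unlock(), so it is only safe to jump to once both locks are taken, which holds for the single goto added in the previous hunk. A name such as out_unlock would make that precondition visible to anyone who later adds an earlier exit to do_umount.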
> @@ -1738,7 +1744,7 @@ int ksys_umount(char __user *name, int flags)
> goto dput_and_out;
> if (!check_mnt(mnt))
> goto dput_and_out;
> - if (mnt->mnt.mnt_flags & MNT_LOCKED)
> + if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
> goto dput_and_out;
> retval = -EPERM;
> if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
>
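Review bot: the trailing comment on the MNT_LOCKED test in ksys_umount, "Check optimistically", does not say what the commit message promises, namely that the test may be racy because the locks are not held. Wording along the lines of "Racy: locks not held, rechecked in do_umount" would tell the reader why the flag is tested twice and which of the two tests is binding.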
Clean upstream cherry pick.
Acked-by: Colin Ian King <colin.king at canonical.com>