APPLIED: [PATCH][SRU][Disco] UBUNTU: SAUCE: shiftfs: prevent use-after-free when verifying mount options

Seth Forshee seth.forshee at canonical.com
Mon Apr 15 14:20:30 UTC 2019


On Mon, Apr 15, 2019 at 03:21:55PM +0200, Christian Brauner wrote:
> BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824735
> 
> Copy up the passthrough mount settings of the mark mount point to the
> shiftfs overlay.
> 
> Before this commit we used to keep a reference to the shiftfs mark
> mount's shiftfs_super_info which was stashed in the superblock of the
> mark mount. The problem is that we only take a reference to the mount of
> the underlay, i.e. the filesystem that is *under* the shiftfs mark
> mount. This means when someone performs a shiftfs mark mount, then a
> shiftfs overlay mount and then immediately unmounts the shiftfs mark
> mount we muck with invalid memory since shiftfs_put_super might have
> already been called freeing that memory.
> 
> Another solution would be to start reference counting. But this would be
> overkill. We only care about the passthrough mount option of the mark
> mount. And we only need it to verify that on remount the new passthrough
> options of the shiftfs overlay are a subset of the mark mount's
> passthrough options. In other scenarios we don't care. So copying up is
> good enough and also only needs to happen once on mount, i.e. when a new
> superblock is created and the .fill_super method is called.
> 
> Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>

Applied to disco/master-next, thanks!
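
The copy-up approach from the quoted commit message, as an added user-space example that is not part of this thread or of the shiftfs source: the overlay stores the mark mount's passthrough value at fill time instead of a pointer to the mark's info, so the remount subset check never touches the mark's memory. The struct and function names, the bitmask representation of the options, and the flag values are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model only; all names here are hypothetical, not shiftfs code. */
struct mark_sb_info {              /* owned by the mark mount, freed on unmount */
    unsigned int passthrough;      /* assumed to be a bitmask of options */
};

struct overlay_sb_info {
    unsigned int passthrough;      /* the overlay's own current options */
    unsigned int passthrough_mark; /* mark's options, copied by value at mount */
};

/* Mount time (the fill_super step): copy the value up, keep no pointer. */
static void overlay_fill(struct overlay_sb_info *ov,
                         const struct mark_sb_info *mark,
                         unsigned int requested)
{
    ov->passthrough_mark = mark->passthrough;
    ov->passthrough = requested;
}

/* Remount: new options must be a subset of what the mark mount allowed.
 * Only the overlay's own copy is read, so the mark may already be gone. */
static int overlay_remount(struct overlay_sb_info *ov, unsigned int new_pt)
{
    if (new_pt & ~ov->passthrough_mark)
        return -1;                 /* not a subset: refuse */
    ov->passthrough = new_pt;
    return 0;
}

/* Mark mount, overlay mount, mark unmounted at once, then overlay remount. */
static int scenario(unsigned int mark_pt, unsigned int mount_pt,
                    unsigned int remount_pt)
{
    struct overlay_sb_info ov;
    struct mark_sb_info *mark = malloc(sizeof(*mark));

    if (!mark)
        return -2;
    mark->passthrough = mark_pt;
    overlay_fill(&ov, mark, mount_pt);
    free(mark);                    /* stands in for the mark's put_super */
    return overlay_remount(&ov, remount_pt);
}

int main(void)
{
    /* Constructed flag values: 0x1 and 0x2 are two distinct options. */
    printf("subset remount:     %d\n", scenario(0x3, 0x1, 0x2));
    printf("non-subset remount: %d\n", scenario(0x1, 0x1, 0x3));
    return 0;
}
```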


