diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2019-05-09 02:32:28 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2019-05-09 02:32:50 -0400 |
commit | 05883eee857eab4693e7d13ebab06716475c5754 (patch) | |
tree | 686a142254d360a963f010bb573f4db5fb83e7bc | |
parent | 80f232121b69cc69a31ccb2b38c1665d770b0710 (diff) | |
download | linux-05883eee857eab4693e7d13ebab06716475c5754.tar.bz2 |
do_move_mount(): fix an unsafe use of is_anon_ns()
What triggers it is a race between mount --move and umount -l
of the source; we should reject it (the source is parentless *and*
not the root of anon namespace at that), but the check for namespace
being an anon one is broken in that case - is_anon_ns() needs
ns to be non-NULL. Better fixed here than in is_anon_ns(), since
the rest of the callers is guaranteed to get a non-NULL argument...
Reported-by: syzbot+494c7ddf66acac0ad747@syzkaller.appspotmail.com
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | fs/namespace.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index 3357c3d65475..ffb13f0562b0 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2599,7 +2599,7 @@ static int do_move_mount(struct path *old_path, struct path *new_path) if (attached && !check_mnt(old)) goto out; - if (!attached && !is_anon_ns(ns)) + if (!attached && !(ns && is_anon_ns(ns))) goto out; if (old->mnt.mnt_flags & MNT_LOCKED) |