6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner brauner@kernel.org
commit e8c84e2082e69335f66c8ade4895e80ec270d7c4 upstream.
Massage statmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're fscked.
Fixes: 46eae99ef733 ("add statmount(2) syscall")
Cc: stable@vger.kernel.org # v6.8+
Signed-off-by: Christian Brauner brauner@kernel.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 fs/namespace.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -5711,7 +5711,6 @@ static int grab_requested_root(struct mn
 static int do_statmount(struct kstatmount *s, u64 mnt_id, u64 mnt_ns_id, struct mnt_namespace *ns)
 {
- struct path root __free(path_put) = {};
 struct mount *m;
 int err;
@@ -5723,7 +5722,7 @@ static int do_statmount(struct kstatmoun
 if (!s->mnt)
 return -ENOENT;
- err = grab_requested_root(ns, &root);
+ err = grab_requested_root(ns, &s->root);
 if (err)
 return err;
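Review bot: Nothing at this call site says who releases the reference that `grab_requested_root()` now stores in `s->root`, and every return after it, error or success, leaves that reference held for the caller. The removed `__free(path_put)` local made the cleanup self-evident; without it, a later `path_put(&s->root)` added inside this function would bring back the put under the namespace semaphore that the commit description warns about. A comment above the call would record the contract, for example `/* s->root is put by the caller, outside the namespace semaphore; never path_put() it here */`. The same ownership applies to the `is_path_reachable()` use in the next hunk, and do_statmount()'s body continues outside these hunks.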
@@ -5732,7 +5731,7 @@ static int do_statmount(struct kstatmoun
 * mounts to show users.
 */
 m = real_mount(s->mnt);
- if (!is_path_reachable(m, m->mnt.mnt_root, &s->root) &&
+ if (!is_path_reachable(m, m->mnt.mnt_root, &s->root) &&
 !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
 return -EPERM;
@@ -5740,8 +5739,6 @@ static int do_statmount(struct kstatmoun
 if (err)
 return err;
- s->root = root;
-
 /*
 * Note that mount properties in mnt->mnt_flags, mnt->mnt_idmap
 * can change concurrently as we only hold the read-side of the
@@ -5963,6 +5960,7 @@ retry:
 if (!ret)
 ret = copy_statmount_to_user(ks);
 kvfree(ks->seq.buf);
+ path_put(&ks->root);
 if (retry_statmount(ret, &seq_size))
 goto retry;
 return ret;
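Review bot: The added `path_put(&ks->root)` runs on every pass and leaves the old dentry and mount pointers in `ks->root` before `goto retry`, so it is only safe if `ks->root` is zeroed before each attempt. Assuming this loop is do_statmount()'s caller, that includes passes where the function returned before `grab_requested_root()` filled the path, such as the `-ENOENT` return in the second hunk. The setup under `retry:` is outside this hunk, so the reset should be confirmed there, because a stale path put a second time would underflow the dentry and mount reference counts. If the reset exists, a comment such as `/* ks->root is re-zeroed at retry:, so putting an unset path is a no-op */` documents the dependency; if it does not, add `ks->root = (struct path){};` right after the put.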