mount_subtree() pointless use-after-free

d'oh... we'd carefully pinned mnt->mnt_sb down, dropped mnt and attempt to grab s_umount on mnt->mnt_sb. The trouble is, *mnt might've been overwritten by now... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
git-mirror · Nov 22, 2011 · d31da0f · d31da0f
1 parent b464133
commit d31da0f
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/fs/namespace.c b/fs/namespace.c
@@ -2493,6 +2493,7 @@ EXPORT_SYMBOL(create_mnt_ns);
 struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
 {
 	struct mnt_namespace *ns;
+	struct super_block *s;
 	struct path path;
 	int err;
 
@@ -2509,10 +2510,11 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
 		return ERR_PTR(err);
 
 	/* trade a vfsmount reference for active sb one */
-	atomic_inc(&path.mnt->mnt_sb->s_active);
+	s = path.mnt->mnt_sb;
+	atomic_inc(&s->s_active);
 	mntput(path.mnt);
 	/* lock the sucker */
-	down_write(&path.mnt->mnt_sb->s_umount);
+	down_write(&s->s_umount);
 	/* ... and return the root of (sub)tree on it */
 	return path.dentry;
 }