Skip to content

Commit

Permalink
sysfs: fix use-after-free in sysfs_kill_sb()
Browse files Browse the repository at this point in the history 
While restructuring the [u]mount path, 4b93dc9 ("sysfs, kernfs:
prepare mount path for kernfs") incorrectly updated sysfs_kill_sb() so
that it first kills super_block and then tries to dereference its
namespace tag to drop it.  Fix it by caching namespace tag before
killing the superblock and then drop the cached namespace tag.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Tested-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Tested-by: Vlastimil Babka <vbabka@suse.cz>
Link: http://lkml.kernel.org/g/20131205031051.GC5135@yliu-dev.sh.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
Tejun Heo authored and Greg Kroah-Hartman committed Dec 11, 2013
1 parent 9b2db6e commit a7560a0
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion fs/sysfs/mount.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,8 +45,10 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type,

static void sysfs_kill_sb(struct super_block *sb)
{
void *ns = (void *)kernfs_super_ns(sb);

kernfs_kill_sb(sb);
kobj_ns_drop(KOBJ_NS_TYPE_NET, (void *)kernfs_super_ns(sb));
kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
}

static struct file_system_type sysfs_fs_type = {
Expand Down

0 comments on commit a7560a0

Please sign in to comment.