diff options
author | Tejun Heo <tj@kernel.org> | 2013-12-10 16:22:30 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-12-11 07:40:12 +0100 |
commit | a7560a0132cfc93b25d2df1d277a078a05220cf4 (patch) | |
tree | bc534b5b1b10d4a12d08f076b5040717013e35a6 | |
parent | sysfs: bail early from kernfs_file_mmap() to avoid spurious lockdep warning (diff) | |
download | linux-a7560a0132cfc93b25d2df1d277a078a05220cf4.tar.xz linux-a7560a0132cfc93b25d2df1d277a078a05220cf4.zip |
sysfs: fix use-after-free in sysfs_kill_sb()
While restructuring the [u]mount path, 4b93dc9b1c68 ("sysfs, kernfs:
prepare mount path for kernfs") incorrectly updated sysfs_kill_sb() so
that it first kills super_block and then tries to dereference its
namespace tag to drop it. Fix it by caching namespace tag before
killing the superblock and then drop the cached namespace tag.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Tested-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Tested-by: Vlastimil Babka <vbabka@suse.cz>
Link: http://lkml.kernel.org/g/20131205031051.GC5135@yliu-dev.sh.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | fs/sysfs/mount.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c index e7e3aa8e7b78..8d075272cace 100644 --- a/fs/sysfs/mount.c +++ b/fs/sysfs/mount.c @@ -45,8 +45,10 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type, static void sysfs_kill_sb(struct super_block *sb) { + void *ns = (void *)kernfs_super_ns(sb); + kernfs_kill_sb(sb); - kobj_ns_drop(KOBJ_NS_TYPE_NET, (void *)kernfs_super_ns(sb)); + kobj_ns_drop(KOBJ_NS_TYPE_NET, ns); } static struct file_system_type sysfs_fs_type = { |