diff options
author | Christoph Hellwig <hch@lst.de> | 2020-08-06 16:07:10 +0200 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2020-08-08 01:21:30 +0200 |
commit | 25ccd24ffd9119c452d711efa2604a7a0c35956e (patch) | |
tree | 411e1a18fe2bbf87e454d815e2eff696fbd6dfe9 | |
parent | init: add an init_dup helper (diff) | |
download | linux-25ccd24ffd9119c452d711efa2604a7a0c35956e.tar.xz linux-25ccd24ffd9119c452d711efa2604a7a0c35956e.zip |
fs: fix a struct path leak in path_umount
Make sure we also put the dentry and vfsmnt in the illegal flags
and !may_umount cases.
Fixes: 41525f56e256 ("fs: refactor ksys_umount")
Reported-by: Vikas Kumar <vikas.kumar2@arm.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | fs/namespace.c | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index a7301790abb2..1c74a46367df 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1706,34 +1706,38 @@ static inline bool may_mandlock(void) } #endif -int path_umount(struct path *path, int flags) +static int can_umount(const struct path *path, int flags) { - struct mount *mnt; - int retval; + struct mount *mnt = real_mount(path->mnt); if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW)) return -EINVAL; if (!may_mount()) return -EPERM; - - mnt = real_mount(path->mnt); - retval = -EINVAL; if (path->dentry != path->mnt->mnt_root) - goto dput_and_out; + return -EINVAL; if (!check_mnt(mnt)) - goto dput_and_out; + return -EINVAL; if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */ - goto dput_and_out; - retval = -EPERM; + return -EINVAL; if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN)) - goto dput_and_out; + return -EPERM; + return 0; +} + +int path_umount(struct path *path, int flags) +{ + struct mount *mnt = real_mount(path->mnt); + int ret; + + ret = can_umount(path, flags); + if (!ret) + ret = do_umount(mnt, flags); - retval = do_umount(mnt, flags); -dput_and_out: /* we mustn't call path_put() as that would clear mnt_expiry_mark */ dput(path->dentry); mntput_no_expire(mnt); - return retval; + return ret; } static int ksys_umount(char __user *name, int flags) |