summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChristoph Hellwig <hch@lst.de>2020-08-06 16:07:10 +0200
committerAl Viro <viro@zeniv.linux.org.uk>2020-08-08 01:21:30 +0200
commit25ccd24ffd9119c452d711efa2604a7a0c35956e (patch)
tree411e1a18fe2bbf87e454d815e2eff696fbd6dfe9
parentinit: add an init_dup helper (diff)
downloadlinux-25ccd24ffd9119c452d711efa2604a7a0c35956e.tar.xz
linux-25ccd24ffd9119c452d711efa2604a7a0c35956e.zip
fs: fix a struct path leak in path_umount
Make sure we also put the dentry and vfsmnt in the illegal flags and !may_umount cases. Fixes: 41525f56e256 ("fs: refactor ksys_umount") Reported-by: Vikas Kumar <vikas.kumar2@arm.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--fs/namespace.c32
1 files changed, 18 insertions, 14 deletions
diff --git a/fs/namespace.c b/fs/namespace.c
index a7301790abb2..1c74a46367df 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1706,34 +1706,38 @@ static inline bool may_mandlock(void)
}
#endif
-int path_umount(struct path *path, int flags)
+static int can_umount(const struct path *path, int flags)
{
- struct mount *mnt;
- int retval;
+ struct mount *mnt = real_mount(path->mnt);
if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
return -EINVAL;
if (!may_mount())
return -EPERM;
-
- mnt = real_mount(path->mnt);
- retval = -EINVAL;
if (path->dentry != path->mnt->mnt_root)
- goto dput_and_out;
+ return -EINVAL;
if (!check_mnt(mnt))
- goto dput_and_out;
+ return -EINVAL;
if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
- goto dput_and_out;
- retval = -EPERM;
+ return -EINVAL;
if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
- goto dput_and_out;
+ return -EPERM;
+ return 0;
+}
+
+int path_umount(struct path *path, int flags)
+{
+ struct mount *mnt = real_mount(path->mnt);
+ int ret;
+
+ ret = can_umount(path, flags);
+ if (!ret)
+ ret = do_umount(mnt, flags);
- retval = do_umount(mnt, flags);
-dput_and_out:
/* we mustn't call path_put() as that would clear mnt_expiry_mark */
dput(path->dentry);
mntput_no_expire(mnt);
- return retval;
+ return ret;
}
static int ksys_umount(char __user *name, int flags)