Commit 25ccd24f authored by Christoph Hellwig's avatar Christoph Hellwig Committed by Al Viro
Browse files

fs: fix a struct path leak in path_umount 



Make sure we also put the dentry and vfsmnt in the illegal flags
and !may_umount cases.

Fixes: 41525f56 ("fs: refactor ksys_umount")
Reported-by: default avatarVikas Kumar <vikas.kumar2@arm.com>
Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent f0735310

fs/namespace.c

+18 −14
Original line number Diff line number Diff line
@@ -1706,34 +1706,38 @@ static inline bool may_mandlock(void) 
}

#endif



int path_umount(struct path *path, int flags)

static int can_umount(const struct path *path, int flags)

{

	struct mount *mnt;

	int retval;

	struct mount *mnt = real_mount(path->mnt);



	if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))

		return -EINVAL;

	if (!may_mount())

		return -EPERM;



	mnt = real_mount(path->mnt);

	retval = -EINVAL;

	if (path->dentry != path->mnt->mnt_root)

		goto dput_and_out;

		return -EINVAL;

	if (!check_mnt(mnt))

		goto dput_and_out;

		return -EINVAL;

	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */

		goto dput_and_out;

	retval = -EPERM;

		return -EINVAL;

	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))

		goto dput_and_out;

		return -EPERM;

	return 0;

}



int path_umount(struct path *path, int flags)

{

	struct mount *mnt = real_mount(path->mnt);

	int ret;



	ret = can_umount(path, flags);

	if (!ret)

		ret = do_umount(mnt, flags);



	retval = do_umount(mnt, flags);

dput_and_out:

	/* we mustn't call path_put() as that would clear mnt_expiry_mark */

	dput(path->dentry);

	mntput_no_expire(mnt);

	return retval;

	return ret;

}



static int ksys_umount(char __user *name, int flags)

CRA Git | Maintained and supported by SUSTech CRA and CCSE