aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2015-01-15 17:49:26 +0000
committerAndreas Blaesius <skate4life@gmx.de>2016-10-27 10:30:58 +0200
commit804209d2308edf6f56d29a29e7bb6710e3ea2a0d (patch)
treef1297ada71083c16916349c4cd0d44b6e29a762b
parent9156f1702fafc46af58706ba702540d12a2bf940 (diff)
downloadkernel_samsung_espresso10-804209d2308edf6f56d29a29e7bb6710e3ea2a0d.tar.gz
kernel_samsung_espresso10-804209d2308edf6f56d29a29e7bb6710e3ea2a0d.tar.bz2
kernel_samsung_espresso10-804209d2308edf6f56d29a29e7bb6710e3ea2a0d.zip
vfs: more mnt_parent cleanups
a) mount --move is checking that ->mnt_parent is non-NULL before looking if that parent happens to be shared; ->mnt_parent is never NULL and it's not even an misspelled !mnt_has_parent() b) pivot_root open-codes is_path_reachable(), poorly. c) so does path_is_under(), while we are at it. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> (backported from commit afac7cba7ed31968a95e181dc25e204e45009ea8) CVE-2014-7970 BugLink: http://bugs.launchpad.net/bugs/1383356 Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Change-Id: I6b2297f46388f135c1b760a37d45efc0e33542db
-rw-r--r--fs/dcache.c25
-rw-r--r--fs/namespace.c42
-rw-r--r--fs/pnode.c15
-rw-r--r--fs/pnode.h2
4 files changed, 29 insertions, 55 deletions
diff --git a/fs/dcache.c b/fs/dcache.c
index 57e163b38fe..deb6f6a5068 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2919,31 +2919,6 @@ int is_subdir(struct dentry *new_dentry, struct dentry *old_dentry)
return result;
}
-int path_is_under(struct path *path1, struct path *path2)
-{
- struct vfsmount *mnt = path1->mnt;
- struct dentry *dentry = path1->dentry;
- int res;
-
- br_read_lock(&vfsmount_lock);
- if (mnt != path2->mnt) {
- for (;;) {
- if (!mnt_has_parent(mnt)) {
- br_read_unlock(&vfsmount_lock);
- return 0;
- }
- if (mnt->mnt_parent == path2->mnt)
- break;
- mnt = mnt->mnt_parent;
- }
- dentry = mnt->mnt_mountpoint;
- }
- res = is_subdir(dentry, path2->dentry);
- br_read_unlock(&vfsmount_lock);
- return res;
-}
-EXPORT_SYMBOL(path_is_under);
-
void d_genocide(struct dentry *root)
{
struct dentry *this_parent;
diff --git a/fs/namespace.c b/fs/namespace.c
index 79ce7a7bcac..a239a5c091d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1943,8 +1943,7 @@ static int do_move_mount(struct path *path, const char *old_name)
/*
* Don't move a mount residing in a shared parent.
*/
- if (old_path.mnt->mnt_parent &&
- IS_MNT_SHARED(old_path.mnt->mnt_parent))
+ if (IS_MNT_SHARED(old_path.mnt->mnt_parent))
goto out1;
/*
* Don't move a mount tree containing unbindable mounts to a destination
@@ -2588,6 +2587,31 @@ out_type:
}
/*
+ * Return true if path is reachable from root
+ *
+ * namespace_sem or vfsmount_lock is held
+ */
+bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry,
+ const struct path *root)
+{
+ while (mnt != root->mnt && mnt_has_parent(mnt)) {
+ dentry = mnt->mnt_mountpoint;
+ mnt = mnt->mnt_parent;
+ }
+ return mnt == root->mnt && is_subdir(dentry, root->dentry);
+}
+
+int path_is_under(struct path *path1, struct path *path2)
+{
+ int res;
+ br_read_lock(&vfsmount_lock);
+ res = is_path_reachable(path1->mnt, path1->dentry, path2);
+ br_read_unlock(&vfsmount_lock);
+ return res;
+}
+EXPORT_SYMBOL(path_is_under);
+
+/*
* pivot_root Semantics:
* Moves the root file system of the current process to the directory put_old,
* makes new_root as the new root file system of the current process, and sets
@@ -2615,7 +2639,6 @@ out_type:
SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
const char __user *, put_old)
{
- struct vfsmount *tmp;
struct path new, old, parent_path, root_parent, root;
int error;
@@ -2665,18 +2688,7 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
if (!mnt_has_parent(new.mnt))
goto out4; /* not attached */
/* make sure we can reach put_old from new_root */
- tmp = old.mnt;
- if (tmp != new.mnt) {
- for (;;) {
- if (!mnt_has_parent(tmp))
- goto out4; /* already mounted on put_old */
- if (tmp->mnt_parent == new.mnt)
- break;
- tmp = tmp->mnt_parent;
- }
- if (!is_subdir(tmp->mnt_mountpoint, new.dentry))
- goto out4;
- } else if (!is_subdir(old.dentry, new.dentry))
+ if (!is_path_reachable(old.mnt, old.dentry, &new))
goto out4;
br_write_lock(&vfsmount_lock);
detach_mnt(new.mnt, &parent_path);
diff --git a/fs/pnode.c b/fs/pnode.c
index b3adaa4c2bc..6e541ba0b89 100644
--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -28,21 +28,6 @@ static inline struct vfsmount *next_slave(struct vfsmount *p)
return list_entry(p->mnt_slave.next, struct vfsmount, mnt_slave);
}
-/*
- * Return true if path is reachable from root
- *
- * namespace_sem is held, and mnt is attached
- */
-static bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry,
- const struct path *root)
-{
- while (mnt != root->mnt && mnt_has_parent(mnt)) {
- dentry = mnt->mnt_mountpoint;
- mnt = mnt->mnt_parent;
- }
- return mnt == root->mnt && is_subdir(dentry, root->dentry);
-}
-
static struct vfsmount *get_peer_under_root(struct vfsmount *mnt,
struct mnt_namespace *ns,
const struct path *root)
diff --git a/fs/pnode.h b/fs/pnode.h
index c3cefc7220f..f6630400e56 100644
--- a/fs/pnode.h
+++ b/fs/pnode.h
@@ -37,4 +37,6 @@ int propagate_umount(struct list_head *);
int propagate_mount_busy(struct vfsmount *, int);
void mnt_release_group_id(struct vfsmount *);
int get_dominating_id(struct vfsmount *mnt, const struct path *root);
+bool is_path_reachable(struct vfsmount *, struct dentry *,
+ const struct path *root);
#endif /* _LINUX_PNODE_H */