author | Al Viro <viro@zeniv.linux.org.uk> | 2015-01-15 17:49:25 +0000 |
---|---|---|
committer | Ziyan <jaraidaniel@gmail.com> | 2016-10-29 01:34:21 +0200 |
commit | d478a9dac767ad4e3c2e2dd3d141c6165387a117 (patch) | |
tree | 288aa0513b7d32edfbe3bfd2fbe2727c94a17258 | |
parent | 8ea971b495ee5a2bfe8f25f13db10c10dfda0875 (diff) | |
vfs: new internal helper: mnt_has_parent(mnt)
vfsmounts have ->mnt_parent pointing either to a different vfsmount
or to itself; it's never NULL and termination condition in loops
traversing the tree towards root is mnt == mnt->mnt_parent. At least
one place (see the next patch) is confused about what's going on;
let's add an explicit helper checking it right way and use it in
all places where we need it. Not that there had been too many,
but...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit b2dba1af3c4157040303a76d25216b1713d333d0)
CVE-2014-7970
BugLink: http://bugs.launchpad.net/bugs/1383356
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Change-Id: Iaa5ab510804f3b17fe71197b8919d663a416bf05
-rw-r--r-- | fs/dcache.c | 6 | ||||
-rw-r--r-- | fs/mount.h | 6 | ||||
-rw-r--r-- | fs/namespace.c | 14 | ||||
-rw-r--r-- | fs/pnode.c | 2 | ||||
-rw-r--r-- | fs/pnode.h | 2 |
5 files changed, 18 insertions, 12 deletions
diff --git a/fs/dcache.c b/fs/dcache.c
index 9cb5259..57e163b 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -37,6 +37,7 @@
 #include <linux/rculist_bl.h>
 #include <linux/prefetch.h>
 #include "internal.h"
+#include "mount.h"
 
 /*
 * Usage:
@@ -2526,9 +2527,8 @@ static int prepend_path(const struct path *path,
 
 if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
 /* Global root? */
- if (vfsmnt->mnt_parent == vfsmnt) {
+ if (!mnt_has_parent(vfsmnt))
 goto global_root;
- }
 dentry = vfsmnt->mnt_mountpoint;
 vfsmnt = vfsmnt->mnt_parent;
 continue;
@@ -2928,7 +2928,7 @@ int path_is_under(struct path *path1, struct path *path2)
 br_read_lock(&vfsmount_lock);
 if (mnt != path2->mnt) {
 for (;;) {
- if (mnt->mnt_parent == mnt) {
+ if (!mnt_has_parent(mnt)) {
 br_read_unlock(&vfsmount_lock);
 return 0;
 }
diff --git a/fs/mount.h b/fs/mount.h
new file mode 100644
index 0000000..7890e49
--- /dev/null
+++ b/fs/mount.h
@@ -0,0 +1,6 @@
+#include <linux/mount.h>
+
+static inline int mnt_has_parent(struct vfsmount *mnt)
+{
+ return mnt != mnt->mnt_parent;
+}
diff --git a/fs/namespace.c b/fs/namespace.c
index eb6c739..489a74d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1216,7 +1216,7 @@ void release_mounts(struct list_head *head)
 while (!list_empty(head)) {
 mnt = list_first_entry(head, struct vfsmount, mnt_hash);
 list_del_init(&mnt->mnt_hash);
- if (mnt->mnt_parent != mnt) {
+ if (mnt_has_parent(mnt)) {
 struct dentry *dentry;
 struct vfsmount *m;
 
@@ -1255,7 +1255,7 @@ void umount_tree(struct vfsmount *mnt, int propagate, struct list_head *kill)
 __touch_mnt_namespace(p->mnt_ns);
 p->mnt_ns = NULL;
 list_del_init(&p->mnt_child);
- if (p->mnt_parent != p) {
+ if (mnt_has_parent(p)) {
 p->mnt_parent->mnt_ghosts++;
 dentry_reset_mounted(p->mnt_parent, p->mnt_mountpoint);
 }
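Review bot: The new fs/mount.h has no include guard, yet it defines a `static inline` function and is pulled in both directly (fs/dcache.c) and indirectly through the `#include "mount.h"` that this commit puts into the pnode.h header. Any translation unit that ends up including it twice would fail with a redefinition of `mnt_has_parent`. Wrapping the file in a guard (name of your choosing, e.g. `#ifndef _FS_MOUNT_H` / `#define _FS_MOUNT_H` / `#endif`) removes that trap. The helper would also benefit from a one-line comment carrying the invariant from the commit message, such as `/* ->mnt_parent is never NULL; a mount at the top of its tree is its own parent */`. Since nothing is written through the pointer, the parameter could be `const struct vfsmount *mnt`.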
@@ -1934,7 +1934,7 @@ static int do_move_mount(struct path *path, const char *old_name)
 if (old_path.dentry != old_path.mnt->mnt_root)
 goto out1;
 
- if (old_path.mnt == old_path.mnt->mnt_parent)
+ if (!mnt_has_parent(old_path.mnt))
 goto out1;
 
 if (S_ISDIR(path->dentry->d_inode->i_mode) !=
@@ -1954,7 +1954,7 @@ static int do_move_mount(struct path *path, const char *old_name)
 tree_contains_unbindable(old_path.mnt))
 goto out1;
 err = -ELOOP;
- for (p = path->mnt; p->mnt_parent != p; p = p->mnt_parent)
+ for (p = path->mnt; mnt_has_parent(p); p = p->mnt_parent)
 if (p == old_path.mnt)
 goto out1;
 
@@ -2658,17 +2658,17 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
 error = -EINVAL;
 if (root.mnt->mnt_root != root.dentry)
 goto out4; /* not a mountpoint */
- if (root.mnt->mnt_parent == root.mnt)
+ if (!mnt_has_parent(root.mnt))
 goto out4; /* not attached */
 if (new.mnt->mnt_root != new.dentry)
 goto out4; /* not a mountpoint */
- if (new.mnt->mnt_parent == new.mnt)
+ if (!mnt_has_parent(new.mnt))
 goto out4; /* not attached */
 /* make sure we can reach put_old from new_root */
 tmp = old.mnt;
 if (tmp != new.mnt) {
 for (;;) {
- if (tmp->mnt_parent == tmp)
+ if (!mnt_has_parent(tmp))
 goto out4; /* already mounted on put_old */
 if (tmp->mnt_parent == new.mnt)
 break;
@@ -36,7 +36,7 @@ static inline struct vfsmount *next_slave(struct vfsmount *p)
 static bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry,
 const struct path *root)
 {
- while (mnt != root->mnt && mnt->mnt_parent != mnt) {
+ while (mnt != root->mnt && mnt_has_parent(mnt)) {
 dentry = mnt->mnt_mountpoint;
 mnt = mnt->mnt_parent;
 }
@@ -9,7 +9,7 @@
 #define _LINUX_PNODE_H
 
 #include <linux/list.h>
-#include <linux/mount.h>
+#include "mount.h"
 
 #define IS_MNT_SHARED(mnt) (mnt->mnt_flags & MNT_SHARED)
 #define IS_MNT_SLAVE(mnt) (mnt->mnt_master) |
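Review bot: The pivot_root() hunk adds no new check, because every line it touches is a one-for-one substitution: `if (!mnt_has_parent(tmp)) goto out4;` is the old `tmp->mnt_parent == tmp` test, and the two "not attached" tests follow the same pattern. The CVE-2014-7970 trailer on this commit therefore appears to mark a prerequisite, and the commit message itself defers to "the next patch" for the place that gets the parent test wrong. Anyone carrying this backport should confirm that follow-up is present in the tree before treating the CVE as addressed. The reachability walk depends on `->mnt_parent` never being NULL, so a comment above the `for (;;)` loop such as `/* ->mnt_parent is never NULL; the walk stops at a mount that is its own parent */` would keep that assumption visible. The body of pivot_root continues outside the hunk.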