diff options
author | Piotr Krysiuk <piotras@gmail.com> | 2020-04-27 11:34:12 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-05-02 17:20:40 +0200 |
commit | 83354adbd7a967230bd23a547c5b695567ddba2c (patch) | |
tree | d5fe9018b042b69f6c13d9da0261e2382f0b37ca /drivers | |
parent | 52ae60c243c64a3000b8d5457698d5f1ed809883 (diff) |
fs/namespace.c: fix mountpoint reference counter race
A race condition between threads updating mountpoint reference counter
affects longterm releases 4.4.220, 4.9.220, 4.14.177 and 4.19.118.
The mountpoint reference counter corruption may occur when:
* one thread increments m_count member of struct mountpoint
[under namespace_sem, but not holding mount_lock]
pivot_root()
* another thread simultaneously decrements the same m_count
[under mount_lock, but not holding namespace_sem]
put_mountpoint()
unhash_mnt()
umount_mnt()
mntput_no_expire()
To fix this race condition, grab mount_lock before updating m_count in
pivot_root().
Reference: CVE-2020-12114
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
0 files changed, 0 insertions, 0 deletions