summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTejun Heo <tj@kernel.org>2013-12-10 10:22:30 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-12-10 22:40:12 -0800
commita7560a0132cfc93b25d2df1d277a078a05220cf4 (patch)
treebc534b5b1b10d4a12d08f076b5040717013e35a6
parent9b2db6e1894577d48f4e290381bac6e573593838 (diff)
downloadop-kernel-dev-a7560a0132cfc93b25d2df1d277a078a05220cf4.zip
op-kernel-dev-a7560a0132cfc93b25d2df1d277a078a05220cf4.tar.gz
sysfs: fix use-after-free in sysfs_kill_sb()
While restructuring the [u]mount path, 4b93dc9b1c68 ("sysfs, kernfs: prepare mount path for kernfs") incorrectly updated sysfs_kill_sb() so that it first kills super_block and then tries to dereference its namespace tag to drop it. Fix it by caching namespace tag before killing the superblock and then drop the cached namespace tag. Signed-off-by: Tejun Heo <tj@kernel.org> Reported-by: Yuanhan Liu <yuanhan.liu@linux.intel.com> Tested-by: Yuanhan Liu <yuanhan.liu@linux.intel.com> Tested-by: Vlastimil Babka <vbabka@suse.cz> Link: http://lkml.kernel.org/g/20131205031051.GC5135@yliu-dev.sh.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--fs/sysfs/mount.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
index e7e3aa8..8d07527 100644
--- a/fs/sysfs/mount.c
+++ b/fs/sysfs/mount.c
@@ -45,8 +45,10 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type,
static void sysfs_kill_sb(struct super_block *sb)
{
+ void *ns = (void *)kernfs_super_ns(sb);
+
kernfs_kill_sb(sb);
- kobj_ns_drop(KOBJ_NS_TYPE_NET, (void *)kernfs_super_ns(sb));
+ kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
}
static struct file_system_type sysfs_fs_type = {
OpenPOWER on IntegriCloud