mount_subtree() pointless use-after-free

d'oh... we'd carefully pinned mnt->mnt_sb down, dropped mnt and attempt to grab s_umount on mnt->mnt_sb. The trouble is, *mnt might've been overwritten by now... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Al Viro <viro@zeniv.linux.org.uk> 2011-11-22 12:31:21 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2011-11-22 12:31:21 -0500
commit: d31da0f0ba3bc0a827a63879310818c22d9a95be (patch)
tree: d89bbdf299c4cbc37f49a9964b8127f09eedd50b /fs
parent: b46413367961c2e8bd827e067a231be982aaeee2 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/namespace.c b/fs/namespace.c
index 50ee30345b4f..6d3a1963879b 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2493,6 +2493,7 @@ EXPORT_SYMBOL(create_mnt_ns);
 struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
 {
        struct mnt_namespace *ns;
+        struct super_block *s;
        struct path path;
        int err;
@@ -2509,10 +2510,11 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
                return ERR_PTR(err);
        /* trade a vfsmount reference for active sb one */
-        atomic_inc(&path.mnt->mnt_sb->s_active);
+        s = path.mnt->mnt_sb;
+        atomic_inc(&s->s_active);
        mntput(path.mnt);
        /* lock the sucker */
-        down_write(&path.mnt->mnt_sb->s_umount);
+        down_write(&s->s_umount);
        /* ... and return the root of (sub)tree on it */
        return path.dentry;
 }
author	Al Viro <viro@zeniv.linux.org.uk>	2011-11-22 12:31:21 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2011-11-22 12:31:21 -0500
commit	d31da0f0ba3bc0a827a63879310818c22d9a95be (patch)
tree	d89bbdf299c4cbc37f49a9964b8127f09eedd50b /fs
parent	b46413367961c2e8bd827e067a231be982aaeee2 (diff)