mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix cgroup_do_mount() handling of failure exits

Browse source 
same story as with last May fixes in sysfs (7b745a4e40
"unfuck sysfs_mount()"); new_sb is left uninitialized
in case of early errors in kernfs_mount_ns() and papering
over it by treating any error from kernfs_mount_ns() as
equivalent to !new_ns ends up conflating the cases when
objects had never been transferred to a superblock with
ones when that has happened and resulting new superblock
had been dropped.  Easily fixed (same way as in sysfs
case).  Additionally, there's a superblock leak on
kernfs_node_dentry() failure *and* a dentry leak inside
kernfs_node_dentry() itself - the latter on probably
impossible errors, but the former not impossible to trigger
(as the matter of fact, injecting allocation failures
at that point *does* trigger it).

Cc: stable@kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Al Viro 2019-01-06 11:41:29 -05:00
parent 1c7fc5cbc3
commit 399504e21a
2 changed files with 12 additions and 5 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

8
fs/kernfs/mount.c
View file

@ -196,8 +196,10 @@ struct dentry *kernfs_node_dentry(struct kernfs_node *kn,
return dentry; return dentry;
knparent = find_next_ancestor(kn, NULL); knparent = find_next_ancestor(kn, NULL);
if (WARN_ON(!knparent)) if (WARN_ON(!knparent)) {
dput(dentry);
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
}
do { do {
struct dentry *dtmp; struct dentry *dtmp;
@ -206,8 +208,10 @@ struct dentry *kernfs_node_dentry(struct kernfs_node *kn,
if (kn == knparent) if (kn == knparent)
return dentry; return dentry;
kntmp = find_next_ancestor(kn, knparent); kntmp = find_next_ancestor(kn, knparent);
if (WARN_ON(!kntmp)) if (WARN_ON(!kntmp)) {
dput(dentry);
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
}
dtmp = lookup_one_len_unlocked(kntmp->name, dentry, dtmp = lookup_one_len_unlocked(kntmp->name, dentry,
strlen(kntmp->name)); strlen(kntmp->name));
dput(dentry); dput(dentry);

9
kernel/cgroup/cgroup.c
View file

@ -2033,7 +2033,7 @@ struct dentry *cgroup_do_mount(struct file_system_type *fs_type, int flags,
struct cgroup_namespace *ns) struct cgroup_namespace *ns)
{ {
struct dentry *dentry; struct dentry *dentry;
bool new_sb; bool new_sb = false;
dentry = kernfs_mount(fs_type, flags, root->kf_root, magic, &new_sb); dentry = kernfs_mount(fs_type, flags, root->kf_root, magic, &new_sb);
@ -2043,6 +2043,7 @@ struct dentry *cgroup_do_mount(struct file_system_type *fs_type, int flags,
*/ */
if (!IS_ERR(dentry) && ns != &init_cgroup_ns) { if (!IS_ERR(dentry) && ns != &init_cgroup_ns) {
struct dentry *nsdentry; struct dentry *nsdentry;
struct super_block *sb = dentry->d_sb;
struct cgroup *cgrp; struct cgroup *cgrp;
mutex_lock(&cgroup_mutex); mutex_lock(&cgroup_mutex);
@ -2053,12 +2054,14 @@ struct dentry *cgroup_do_mount(struct file_system_type *fs_type, int flags,
spin_unlock_irq(&css_set_lock); spin_unlock_irq(&css_set_lock);
mutex_unlock(&cgroup_mutex); mutex_unlock(&cgroup_mutex);
nsdentry = kernfs_node_dentry(cgrp->kn, dentry->d_sb); nsdentry = kernfs_node_dentry(cgrp->kn, sb);
dput(dentry); dput(dentry);
if (IS_ERR(nsdentry))
deactivate_locked_super(sb);
dentry = nsdentry; dentry = nsdentry;
} }
if (IS_ERR(dentry) || !new_sb) if (!new_sb)
cgroup_put(&root->cgrp); cgroup_put(&root->cgrp);
return dentry; return dentry;