Commit 05883eee authored by Al Viro's avatar Al Viro

do_move_mount(): fix an unsafe use of is_anon_ns()

What triggers it is a race between mount --move and umount -l
of the source; we should reject it (the source is parentless *and*
not the root of anon namespace at that), but the check for namespace
being an anon one is broken in that case - is_anon_ns() needs
ns to be non-NULL.  Better fixed here than in is_anon_ns(), since
the rest of the callers is guaranteed to get a non-NULL argument...

Reported-by: syzbot+494c7ddf66acac0ad747@syzkaller.appspotmail.com
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 80f23212
...@@ -2599,7 +2599,7 @@ static int do_move_mount(struct path *old_path, struct path *new_path) ...@@ -2599,7 +2599,7 @@ static int do_move_mount(struct path *old_path, struct path *new_path)
if (attached && !check_mnt(old)) if (attached && !check_mnt(old))
goto out; goto out;
if (!attached && !is_anon_ns(ns)) if (!attached && !(ns && is_anon_ns(ns)))
goto out; goto out;
if (old->mnt.mnt_flags & MNT_LOCKED) if (old->mnt.mnt_flags & MNT_LOCKED)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment