From: Eric Biggers
To: Alexander Viro, linux-fsdevel@vger.kernel.org
Cc: Deepa Dinamani, Arnd Bergmann, Jeff Layton
Subject: [PATCH v2] fs/namespace.c: fix use-after-free of mount in mnt_warn_timestamp_expiry()
Date: Wed, 16 Oct 2019 19:48:14 -0700
Message-Id: <20191017024814.61980-1-ebiggers@kernel.org>

From: Eric Biggers

After do_add_mount() returns success, the caller doesn't hold a reference to the 'struct mount' anymore. So it's invalid to access it in mnt_warn_timestamp_expiry().

Fix it by calling mnt_warn_timestamp_expiry() before do_add_mount() rather than after, and adjusting the warning message accordingly.

Reported-by: syzbot+da4f525235510683d855@syzkaller.appspotmail.com
Fixes: f8b92ba67c5d ("mount: Add mount warning for impending timestamp expiry")
Signed-off-by: Eric Biggers
---
 fs/namespace.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c index fe0e9e1410fe..2adfe7b166a3 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2478,8 +2478,10 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount * time64_to_tm(sb->s_time_max, 0, &tm); - pr_warn("Mounted %s file system at %s supports timestamps until %04ld (0x%llx)\n", - sb->s_type->name, mntpath, + pr_warn("%s filesystem being %s at %s supports timestamps until %04ld (0x%llx)\n", + sb->s_type->name, + is_mounted(mnt) ? "remounted" : "mounted", + mntpath, tm.tm_year+1900, (unsigned long long)sb->s_time_max); free_page((unsigned long)buf); 
@@ -2764,14 +2766,11 @@ static int do_new_mount_fc(struct fs_context *fc, struct path *mountpoint, if (IS_ERR(mnt)) return PTR_ERR(mnt); - error = do_add_mount(real_mount(mnt), mountpoint, mnt_flags); - if (error < 0) { - mntput(mnt); - return error; - } - mnt_warn_timestamp_expiry(mountpoint, mnt); + error = do_add_mount(real_mount(mnt), mountpoint, mnt_flags); + if (error < 0) + mntput(mnt); return error; } -- 2.23.0
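Review bot: In the pr_warn() hunk of mnt_warn_timestamp_expiry(), the new is_mounted(mnt) ? "remounted" : "mounted" argument prints "mounted" for a new mount only because the other hunk moves the call ahead of do_add_mount(), and nothing in the function documents that dependency. Consider a short comment above the function stating that, for a new mount, it must be called before do_add_mount(), both for the lifetime reason given in the commit message and because the message text relies on the mount not yet being attached.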
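Review bot: In do_new_mount_fc(), calling mnt_warn_timestamp_expiry() before do_add_mount() means the warning is now printed even when do_add_mount() returns an error and the mount is released with mntput(mnt), so the log can mention a mount that never completed. The "being mounted" wording covers that case, but a one-line comment at the call site saying that mnt must not be accessed after do_add_mount() succeeds would keep a later cleanup from moving the call back below it.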