From d1e7fe3e7e530ab56580b7b57f526af8f8fb2524 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 13 Aug 2021 14:47:51 +0200
Subject: [PATCH] 4.9-stable patches added patches: ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch
---
 ...e-clone-if-bind-mount-is-not-allowed.patch | 98 +++++++++++++++++++
 queue-4.9/series | 1 +
 2 files changed, 99 insertions(+)
 create mode 100644 queue-4.9/ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch
diff --git a/queue-4.9/ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch b/queue-4.9/ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch
new file mode 100644
index 00000000000..51153f803a8
--- /dev/null
+++ b/queue-4.9/ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch
@@ -0,0 +1,98 @@
+From 427215d85e8d1476da1a86b8d67aceb485eb3631 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Mon, 9 Aug 2021 10:19:47 +0200
+Subject: ovl: prevent private clone if bind mount is not allowed
+
+From: Miklos Szeredi
+
+commit 427215d85e8d1476da1a86b8d67aceb485eb3631 upstream.
+
+Add the following checks from __do_loopback() to clone_private_mount() as
+well:
+
+ - verify that the mount is in the current namespace
+
+ - verify that there are no locked children
+
+Reported-by: Alois Wohlschlager
+Fixes: c771d683a62e ("vfs: introduce clone_private_mount()")
+Cc: # v3.18
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/namespace.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1853,6 +1853,20 @@ void drop_collected_mounts(struct vfsmou
+ namespace_unlock();
+ }
+
++static bool has_locked_children(struct mount *mnt, struct dentry *dentry)
++{
++ struct mount *child;
++
++ list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
++ if (!is_subdir(child->mnt_mountpoint, dentry))
++ continue;
++
++ if (child->mnt.mnt_flags & MNT_LOCKED)
++ return true;
++ }
++ return false;
++}
++
+ /**
+ * clone_private_mount - create a private clone of a path
+ *
+@@ -1867,16 +1881,27 @@ struct vfsmount *clone_private_mount(str
+ struct mount *old_mnt = real_mount(path->mnt);
+ struct mount *new_mnt;
+
++ down_read(&namespace_sem);
+ if (IS_MNT_UNBINDABLE(old_mnt))
+- return ERR_PTR(-EINVAL);
++ goto invalid;
++
++ if (!check_mnt(old_mnt))
++ goto invalid;
++
++ if (has_locked_children(old_mnt, path->dentry))
++ goto invalid;
+
+- down_read(&namespace_sem);
+ new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE);
+ up_read(&namespace_sem);
++
+ if (IS_ERR(new_mnt))
+ return ERR_CAST(new_mnt);
+
+ return &new_mnt->mnt;
++
++invalid:
++ up_read(&namespace_sem);
++ return ERR_PTR(-EINVAL);
+ }
+ EXPORT_SYMBOL_GPL(clone_private_mount);
+
+@@ -2192,19 +2217,6 @@ static int do_change_type(struct path *p
+ return err;
+ }
+
+-static bool has_locked_children(struct mount *mnt, struct dentry *dentry)
+-{
+- struct mount *child;
+- list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
+- if (!is_subdir(child->mnt_mountpoint, dentry))
+- continue;
+-
+- if (child->mnt.mnt_flags & MNT_LOCKED)
+- return true;
+- }
+- return false;
+-}
+-
+ /*
+ * do loopback mount.
+ */
diff --git a/queue-4.9/series b/queue-4.9/series
index d811fb0b0f8..1dbc787bc06 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -27,3 +27,4 @@ net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch
 usb-ehci-fix-kunpeng920-ehci-hardware-problem.patch
 ppp-fix-generating-ppp-unit-id-when-ifname-is-not-specified.patch
 net-xilinx_emaclite-do-not-print-real-iomem-pointer.patch
+ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch
--
2.47.3
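Review bot: The kernel-doc above clone_private_mount() (the `/**` context lines in the queued fs/namespace.c change) is carried over unchanged although the function now fails with -EINVAL in two additional cases, when `check_mnt(old_mnt)` is false and when `has_locked_children(old_mnt, path->dentry)` is true. Since the commit message says these checks are copied from __do_loopback(), I would record that next to them so the two paths do not drift apart, e.g. `/* Same restrictions as __do_loopback(): mount must be in the current namespace and have no locked children. */`. has_locked_children() is also moved up without a comment on its locking contract; the new call site takes namespace_sem before calling it, which suggests the walk of `mnt->mnt_mounts` depends on that lock, so a one-line `/* Caller must hold namespace_sem. */` would help if that is indeed the requirement. The body of clone_private_mount() starts outside the hunk (its signature is only visible truncated in the `@@` line), so the full kernel-doc text cannot be checked from here.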