[linux] 01/02: fs/pnode.c: treat zero mnt_group_id-s as unequal
debian-kernel at lists.debian.org
Sat May 28 05:45:22 UTC 2016
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 82af3cb8449203f76ac6932db223c814fbfae1fc
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri May 27 19:58:34 2016 +0200
fs/pnode.c: treat zero mnt_group_id-s as unequal
---
debian/changelog | 1 +
...de.c-treat-zero-mnt_group_id-s-as-unequal.patch | 78 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 80 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index c8b1e4f..7de897f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -22,6 +22,7 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
* [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
* [x86] xen: suppress hugetlbfs in PV guests (CVE-2016-3961)
* get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)
+ * fs/pnode.c: treat zero mnt_group_id-s as unequal
-- Ben Hutchings <ben at decadent.org.uk> Wed, 30 Mar 2016 16:32:07 +0100
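Review bot: The added changelog line carries no reference, while the three entries above it in this hunk each end with a CVE id. Since this is going to the jessie-security branch, append whatever identifier justifies the change (a CVE id if one has been assigned, otherwise a bug number or the upstream commit) so the entry can be traced from the changelog alone.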
diff --git a/debian/patches/bugfix/all/fs-pnode.c-treat-zero-mnt_group_id-s-as-unequal.patch b/debian/patches/bugfix/all/fs-pnode.c-treat-zero-mnt_group_id-s-as-unequal.patch
new file mode 100644
index 0000000..f3fb3b8
--- /dev/null
+++ b/debian/patches/bugfix/all/fs-pnode.c-treat-zero-mnt_group_id-s-as-unequal.patch
@@ -0,0 +1,78 @@
+From: Maxim Patlasov <mpatlasov at virtuozzo.com>
+Date: Tue, 16 Feb 2016 11:45:33 -0800
+Subject: fs/pnode.c: treat zero mnt_group_id-s as unequal
+Origin: https://git.kernel.org/linus/7ae8fd0351f912b075149a1e03a017be8b903b9a
+
+propagate_one(m) calculates "type" argument for copy_tree() like this:
+
+> if (m->mnt_group_id == last_dest->mnt_group_id) {
+> type = CL_MAKE_SHARED;
+> } else {
+> type = CL_SLAVE;
+> if (IS_MNT_SHARED(m))
+> type |= CL_MAKE_SHARED;
+> }
+
+The "type" argument then governs clone_mnt() behavior with respect to flags
+and mnt_master of new mount. When we iterate through a slave group, it is
+possible that both current "m" and "last_dest" are not shared (although,
+both are slaves, i.e. have non-NULL mnt_master-s). Then the comparison
+above erroneously makes new mount shared and sets its mnt_master to
+last_source->mnt_master. The patch fixes the problem by handling zero
+mnt_group_id-s as though they are unequal.
+
+The similar problem exists in the implementation of "else" clause above
+when we have to ascend upward in the master/slave tree by calling:
+
+> last_source = last_source->mnt_master;
+> last_dest = last_source->mnt_parent;
+
+proper number of times. The last step is governed by
+"n->mnt_group_id != last_dest->mnt_group_id" condition that may lie if
+both are zero. The patch fixes this case in the same way as the former one.
+
+[AV: don't open-code an obvious helper...]
+
+Signed-off-by: Maxim Patlasov <mpatlasov at virtuozzo.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/pnode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/pnode.c b/fs/pnode.c
+index 6367e1e..c524fdd 100644
+--- a/fs/pnode.c
++++ b/fs/pnode.c
+@@ -202,6 +202,11 @@ static struct mount *last_dest, *last_source, *dest_master;
+ static struct mountpoint *mp;
+ static struct hlist_head *list;
+
++static inline bool peers(struct mount *m1, struct mount *m2)
++{
++ return m1->mnt_group_id == m2->mnt_group_id && m1->mnt_group_id;
++}
++
+ static int propagate_one(struct mount *m)
+ {
+ struct mount *child;
+@@ -212,7 +217,7 @@ static int propagate_one(struct mount *m)
+ /* skip if mountpoint isn't covered by it */
+ if (!is_subdir(mp->m_dentry, m->mnt.mnt_root))
+ return 0;
+- if (m->mnt_group_id == last_dest->mnt_group_id) {
++ if (peers(m, last_dest)) {
+ type = CL_MAKE_SHARED;
+ } else {
+ struct mount *n, *p;
+@@ -223,7 +228,7 @@ static int propagate_one(struct mount *m)
+ last_source = last_source->mnt_master;
+ last_dest = last_source->mnt_parent;
+ }
+- if (n->mnt_group_id != last_dest->mnt_group_id) {
++ if (!peers(n, last_dest)) {
+ last_source = last_source->mnt_master;
+ last_dest = last_source->mnt_parent;
+ }
+--
+2.8.1
+
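Review bot: In the new peers() helper, the trailing "&& m1->mnt_group_id" is the entire fix, yet nothing in the code says why zero is special. The patch description explains that a zero mnt_group_id means the mount is not shared, so two such mounts must not compare as peers; a one-line comment above the helper saying so would keep a later cleanup from dropping the check as redundant. The return also relies on an implicit int-to-bool conversion, and "m1->mnt_group_id != 0" would state the intent directly. If the goal is to stay byte-identical to the Origin commit, keep the code as is and rely on the patch header for the explanation.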
diff --git a/debian/patches/series b/debian/patches/series
index 4f79419..6115d742 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -675,3 +675,4 @@ bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch
+bugfix/all/fs-pnode.c-treat-zero-mnt_group_id-s-as-unequal.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git