From: Eric Biggers <ebiggers@xxxxxxxxxx>

fc->sb_flags can be modified up until fc->uapi_mutex is taken, so the permission check for SB_MANDLOCK needs to happen under the mutex. Also move the may_mount() check as early as possible.

Fixes: 0c65353ab9f5 ("vfs: Implement fsmount() to effect a pre-configured mount")
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
---
 fs/namespace.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 8ac9e8fb31c9f..7f0191bb5db46 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3237,6 +3237,9 @@ SYSCALL_DEFINE3(fsmount, int, fs_fd, unsigned int, flags, unsigned int, ms_flags
 	unsigned int mnt_flags = 0;
 	long ret;
 
+	if (!may_mount())
+		return -EPERM;
+
 	if ((flags & ~(FSMOUNT_CLOEXEC)) != 0)
 		return -EINVAL;
 
@@ -3275,11 +3278,6 @@ SYSCALL_DEFINE3(fsmount, int, fs_fd, unsigned int, flags, unsigned int, ms_flags
 
 	fc = f.file->private_data;
 
-	ret = -EPERM;
-	if (!may_mount() ||
-	    ((fc->sb_flags & SB_MANDLOCK) && !may_mandlock()))
-		goto err_fsfd;
-
 	/* There must be a valid superblock or we can't mount it */
 	ret = -EINVAL;
 	if (!fc->root)
@@ -3300,6 +3298,10 @@ SYSCALL_DEFINE3(fsmount, int, fs_fd, unsigned int, flags, unsigned int, ms_flags
 	if (fc->phase != FS_CONTEXT_AWAITING_MOUNT)
 		goto err_unlock;
 
+	ret = -EPERM;
+	if ((fc->sb_flags & SB_MANDLOCK) && !may_mandlock())
+		goto err_unlock;
+
 	newmount.mnt = vfs_create_mount(fc, mnt_flags);
 	if (IS_ERR(newmount.mnt)) {
 		ret = PTR_ERR(newmount.mnt);
-- 
2.18.0
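Review bot: The `if (!fc->root)` check left at the end of the second hunk reads `fc` state at exactly the point the removed `SB_MANDLOCK` check did, so if it (and any `mount_too_revealing(fc->root->d_sb, ...)` check that follows it) still runs before `fc->uapi_mutex` is taken, the race the commit message describes applies to it just as much, since `fc->root` is presumably populated by a concurrent fsconfig() under that same mutex. Its `goto` target is outside the hunk, so this cannot be confirmed from the diff; if that target is `err_fsfd` rather than `err_unlock`, those checks should move below the `mutex_lock_interruptible(&fc->uapi_mutex)` call as well, next to the relocated `may_mandlock()` check, rather than only the mandlock check. Moving `may_mount()` ahead of the flag validation in the first hunk also changes the error precedence: an unprivileged caller passing invalid `flags` now gets `-EPERM` where it previously got `-EINVAL`, which is user-visible and worth a sentence in the commit message. The enclosing fsmount() body starts before and ends after the hunks.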