Patch "__follow_mount_rcu(): verify that mount_lock remains unchanged" has been added to the 5.15-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    __follow_mount_rcu(): verify that mount_lock remains unchanged

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     __follow_mount_rcu-verify-that-mount_lock-remains-un.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e40d0d60d2c1e1cf43d222db49ed94322e32d6f7
Author: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Date:   Mon Jul 4 17:26:29 2022 -0400

    __follow_mount_rcu(): verify that mount_lock remains unchanged
    
    [ Upstream commit 20aac6c60981f5bfacd66661d090d907bf1482f0 ]
    
    Validate mount_lock seqcount as soon as we cross into mount in RCU
    mode.  Sure, ->mnt_root is pinned and will remain so until we
    do rcu_read_unlock() anyway, and we will eventually fail to unlazy if
    the mount_lock had been touched, but we might run into a hard error
    (e.g. -ENOENT) before trying to unlazy.  And it's possible to end
    up with RCU pathwalk racing with rename() and umount() in a way
    that would fail with -ENOENT while non-RCU pathwalk would've
    succeeded with any timings.
    
    Once upon a time we hadn't needed that, but analysis had been subtle,
    brittle and went out of window as soon as RENAME_EXCHANGE had been
    added.
    
    It's narrow, hard to hit and won't get you anything other than
    stray -ENOENT that could be arranged in much easier way with the
    same priveleges, but it's a bug all the same.
    
    Cc: stable@xxxxxxxxxx
    X-sky-is-falling: unlikely
    Fixes: da1ce0670c14 "vfs: add cross-rename"
    Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/namei.c b/fs/namei.c
index 66e0fe262a89..1fd854d4cd2c 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1461,6 +1461,8 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
 				 * becoming unpinned.
 				 */
 				flags = dentry->d_flags;
+				if (read_seqretry(&mount_lock, nd->m_seq))
+					return false;
 				continue;
 			}
 			if (read_seqretry(&mount_lock, nd->m_seq))