Re: general protection fault in do_move_mount

From: Al Viro
Date: Thu May 09 2019 - 02:31:46 EST

On Wed, May 08, 2019 at 10:40:06PM -0700, syzbot wrote:
> Hello,
> syzbot found the following crash on:
> HEAD commit: 80f23212 Merge git://
> git tree: upstream
> console output:
> kernel config:
> dashboard link:
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> Unfortunately, I don't have any reproducer for this crash yet.
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+494c7ddf66acac0ad747@xxxxxxxxxxxxxxxxxxxxxxxxx


That's a bloody dumb leftover from very old variant of that thing;
the following should fix it.

do_move_mount(): fix an unsafe use of is_anon_ns()

What triggers it is a race between mount --move and umount -l
of the source; we should reject it (the source is parentless *and*
not the root of anon namespace at that), but the check for namespace
being an anon one is broken in that case - is_anon_ns() needs
ns to be non-NULL. Better fixed here than in is_anon_ns(), since
the rest of the callers is guaranteed to get a non-NULL argument...

Reported-by: syzbot+494c7ddf66acac0ad747@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
diff --git a/fs/namespace.c b/fs/namespace.c
index 3357c3d65475..ffb13f0562b0 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2599,7 +2599,7 @@ static int do_move_mount(struct path *old_path, struct path *new_path)
if (attached && !check_mnt(old))
goto out;

- if (!attached && !is_anon_ns(ns))
+ if (!attached && !(ns && is_anon_ns(ns)))
goto out;

if (old->mnt.mnt_flags & MNT_LOCKED)