fs: drop peer group ids under namespace lock

brauner · brauner · commit cb2239c198ad · 2023-03-31T12:13:37.000+02:00
When cleaning up peer group ids in the failure path we need to make sure to hold on to the namespace lock. Otherwise another thread might just turn the mount from a shared into a non-shared mount concurrently. Link: https://lore.kernel.org/lkml/00000000000088694505f8132d77@google.com Fixes: 2a18672 ("fs: add mount_setattr()") Reported-by: syzbot+8ac3859139c685c4f597@syzkaller.appspotmail.com Cc: stable@vger.kernel.org # 5.12+ Message-Id: <20230330-vfs-mount_setattr-propagation-fix-v1-1-37548d91533b@kernel.org> Signed-off-by: Christian Brauner <brauner@kernel.org>
diff --git a/fs/namespace.c b/fs/namespace.c
@@ -4183,9 +4183,9 @@ static int do_mount_setattr(struct path *path, struct mount_kattr *kattr)
 	unlock_mount_hash();
 
 	if (kattr->propagation) {
-		namespace_unlock();
 		if (err)
 			cleanup_group_ids(mnt, NULL);
+		namespace_unlock();
 	}
 
 	return err;

Original file line number	Diff line number	Diff line change
`@@ -4183,9 +4183,9 @@ static int do_mount_setattr(struct path path, struct mount_kattr kattr)`
`4183`	`4183`	`unlock_mount_hash();`
`4184`	`4184`
`4185`	`4185`	`if (kattr->propagation) {`
`4186`		`- namespace_unlock();`
`4187`	`4186`	`if (err)`
`4188`	`4187`	`cleanup_group_ids(mnt, NULL);`
	`4188`	`+ namespace_unlock();`
`4189`	`4189`	`}`
`4190`	`4190`
`4191`	`4191`	`return err;`