From b052f24552527d2f73c6911720739001be430c57 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Thu, 24 Jul 2014 12:02:58 -0400
Subject: [PATCH] CVE-2014-5045 vfs: refcount issues during lazy umount on symlink (rhbz 1122471 1122482)
---
fs-umount-on-symlink-leaks-mnt-count.patch | 41 ++++++++++++++++++++++
kernel.spec | 7 ++++
2 files changed, 48 insertions(+)
create mode 100644 fs-umount-on-symlink-leaks-mnt-count.patch
diff --git a/fs-umount-on-symlink-leaks-mnt-count.patch b/fs-umount-on-symlink-leaks-mnt-count.patch
new file mode 100644
index 000000000..ed0e8a397
--- /dev/null
+++ b/fs-umount-on-symlink-leaks-mnt-count.patch
@@ -0,0 +1,41 @@
+Bugzilla: 1122482
+Upstream-status: Sent for 3.16
+From: Vasily Averin
+Subject: [PATCH v4] fs: umount on symlink leaks mnt count
+Currently umount on symlink blocks following umount:
+
+/vz is separate mount
+
+# ls /vz/ -al | grep test
+drwxr-xr-x. 2 root root 4096 Jul 19 01:14 testdir
+lrwxrwxrwx. 1 root root 11 Jul 19 01:16 testlink -> /vz/testdir
+# umount -l /vz/testlink
+umount: /vz/testlink: not mounted (expected)
+# lsof /vz
+# umount /vz
+umount: /vz: device is busy. (unexpected)
+
+In this case mountpoint_last() gets an extra refcount on path->mnt
+
+Signed-off-by: Vasily Averin
+---
+ fs/namei.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+diff --git a/fs/namei.c b/fs/namei.c
+index 985c6f3..9eb787e 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2256,9 +2256,10 @@ done:
+ goto out;
+ }
+ path->dentry = dentry;
+- path->mnt = mntget(nd->path.mnt);
++ path->mnt = nd->path.mnt;
+ if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW))
+ return 1;
++ mntget(path->mnt);
+ follow_mount(path);
+ error = 0;
+ out:
+--
+1.7.5.4
diff --git a/kernel.spec b/kernel.spec
index 29a8a41fc..f4fbcd813 100644
--- a/kernel.spec
+++ b/kernel.spec
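Review bot: In the embedded fs/namei.c hunk of fs-umount-on-symlink-leaks-mnt-count.patch, the code does not record why `mntget(path->mnt)` now sits after the `should_follow_link()` check, and on the `return 1` path `path->mnt` is left pointing at `nd->path.mnt` without a reference of its own. A short comment above the call would keep a later cleanup from moving the get back up and reintroducing the leaked mount count that the description reproduces with `umount -l` on a symlink, for example `/* take the mnt ref only when not following a link; the return-1 path borrows nd->path.mnt */`. The enclosing function starts before and ends after the hunk, so how callers release the path on the symlink branch cannot be confirmed from here. The header also records `Upstream-status: Sent for 3.16`, so the carried copy should be compared with whatever is finally merged upstream.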
@@ -639,6 +639,9 @@ Patch25110: 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch #rhbz 1117942 Patch25118: sched-fix-sched_setparam-policy-1-logic.patch +#CVE-2014-5045 rhbz 1122472 1122482 +Patch25119: fs-umount-on-symlink-leaks-mnt-count.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1364,6 +1367,9 @@ ApplyPatch 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch #rhbz 1117942 ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch +#CVE-2014-5045 rhbz 1122472 1122482 +ApplyPatch fs-umount-on-symlink-leaks-mnt-count.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2247,6 +2253,7 @@ fi # || || %changelog * Thu Jul 24 2014 Josh Boyer +- CVE-2014-5045 vfs: refcount issues during lazy umount on symlink (rhbz 1122471 1122482) - Fix regression in sched_setparam (rhbz 1117942) * Tue Jul 22 2014 Justin M. Forbes - 3.16.0-0.rc6.git1.1
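Review bot: The Bugzilla references in this commit disagree with each other. The `#CVE-2014-5045 rhbz 1122472 1122482` comments added above `Patch25119` in the first hunk and above the `ApplyPatch` line in the second use 1122472, while the `%changelog` entry in the third hunk and the commit subject use 1122471, and the patch file's own header lists only `Bugzilla: 1122482`. For a CVE fix these ids are what later audits and backport checks search on, so one of them is presumably a typo. Confirm the correct tracker bug and make all the places agree, e.g. `#CVE-2014-5045 rhbz <confirmed-id> 1122482`.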