From patchwork Tue Mar 15 12:08:50 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
X-Patchwork-Id: 8587601
Return-Path: <selinux-bounces@tycho.nsa.gov>
X-Original-To: patchwork-selinux@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 492D59F54C
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 15 Mar 2016 12:32:26 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id A577C20121
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 15 Mar 2016 12:32:25 +0000 (UTC)
Received: from emvm-gh1-uea09.nsa.gov (emvm-gh1-uea09.nsa.gov [63.239.67.10])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 16B66202DD
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 15 Mar 2016 12:32:24 +0000 (UTC)
X-TM-IMSS-Message-ID: <79868e680003b113@nsa.gov>
Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by nsa.gov
	([10.208.42.194]) with ESMTP (TREND IMSS SMTP Service 7.1) id
	79868e680003b113 ; Tue, 15 Mar 2016 08:34:33 -0400
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u2FCUI32002885;
	Tue, 15 Mar 2016 08:30:25 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	u2FCBF8F266551 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Tue, 15 Mar 2016 08:11:15 -0400
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u2FCBFUU030553
	for <selinux@tycho.nsa.gov>; Tue, 15 Mar 2016 08:11:15 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1D7DgBt+udW/xno1sNeGQEBAhIBAYQuASW4QIQNhg0CggMBAQEBAQFlhGkBAQQnTQUQUVcGARKIKb0FKoYajTcFjiqJJY4DjwECjn9igTaCMjkuimMBAQE
X-IPAS-Result: 
 A1D7DgBt+udW/xno1sNeGQEBAhIBAYQuASW4QIQNhg0CggMBAQEBAQFlhGkBAQQnTQUQUVcGARKIKb0FKoYajTcFjiqJJY4DjwECjn9igTaCMjkuimMBAQE
X-IronPort-AV: E=Sophos;i="5.24,339,1454994000"; d="scan'208";a="5291652"
Received: from emvm-gh1-uea08.nsa.gov ([10.208.42.193])
	by goalie.tycho.ncsc.mil with ESMTP; 15 Mar 2016 08:11:15 -0400
X-TM-IMSS-Message-ID: <9d47253600103ab7@nsa.gov>
Received: from relay.sw.ru (mailhub.sw.ru [195.214.232.25]) by nsa.gov
	([10.208.42.193]) with ESMTP (TREND IMSS SMTP Service 7.1;
	TLSv1/SSLv3 DHE-RSA-AES256-SHA (256/256)) id 9d47253600103ab7 ;
	Tue, 15 Mar 2016 08:10:58 -0400
Received: from dhcp-10-30-28-101.sw.ru ([10.30.16.121])
	by relay.sw.ru (8.13.4/8.13.4) with ESMTP id u2FC8vOl001527;
	Tue, 15 Mar 2016 15:08:58 +0300 (MSK)
From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
To: Seth Forshee <seth.forshee@canonical.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>, <devel@openvz.org>
Subject: [PATCH] fs: fix a posible leak of allocated superblock
Date: Tue, 15 Mar 2016 15:08:50 +0300
Message-Id: <1458043730-14296-1-git-send-email-ptikhomirov@virtuozzo.com>
X-Mailer: git-send-email 1.9.3
In-Reply-To: <1443039368-55445-2-git-send-email-seth.forshee@canonical.com>
References: <1443039368-55445-2-git-send-email-seth.forshee@canonical.com>
X-TM-AS-MML: disable
X-Mailman-Approved-At: Tue, 15 Mar 2016 08:26:27 -0400
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: Serge Hallyn <serge.hallyn@canonical.com>,
	Konstantin Khorenko <khorenko@virtuozzo.com>,
	Andy Lutomirski <luto@amacapital.net>,
	"J. Bruce Fields" <bfields@fieldses.org>,
	linux-security-module@vger.kernel.org, linux-mtd@lists.infradead.org,
	Alexander Viro <viro@zeniv.linux.org.uk>, selinux@tycho.nsa.gov,
	linux-fsdevel@vger.kernel.org, Jeff Layton <jlayton@poochiereds.net>,
	Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
	Pavel Emelyanov <xemul@virtuozzo.com>
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

We probably need to fix superblock leak in patch (v4 "fs: Add user
namesapace member to struct super_block"):

Imagine posible code path in sget_userns: we iterate through
type->fs_supers and do not find suitable sb, we drop sb_lock to
allocate s and go to retry. After we dropped sb_lock some other
task from different userns takes sb_lock, it is already in retry
stage and has s allocated, so it puts its s in type->fs_supers
list. So in retry we will find these sb in list and check it has
a different userns, and finally we will return without freeing s.

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
---
 fs/super.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/super.c b/fs/super.c
index b4ee02b..24771b5 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -458,6 +458,10 @@ struct super_block *sget_userns(struct file_system_type *type,
 				continue;
 			if (user_ns != old->s_user_ns) {
 				spin_unlock(&sb_lock);
+				if (s) {
+					up_write(&s->s_umount);
+					destroy_super(s);
+				}
 				return ERR_PTR(-EBUSY);
 			}
 			if (!grab_super(old))