From patchwork Mon Sep 10 18:13:22 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [2/2, Oneiric,
 CVE-2012-2127] procfs: fix a vfsmount longterm reference leak
Date: Mon, 10 Sep 2012 08:13:22 -0000
From: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 182941
Message-Id: <1347300802-57353-2-git-send-email-tim.gardner@canonical.com>
To: kernel-team@lists.ubuntu.com

From: Al Viro <viro@zeniv.linux.org.uk>

CVE-2012-2127

BugLink: http://bugs.launchpad.net/bugs/990365

kern_mount() doesn't pair with plain mntput()...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 905ad269c55fc62bee3da29f7b1d1efeba8aa1e1)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

---
fs/proc/root.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/fs/proc/root.c b/fs/proc/root.c
index d6c3b41..1421d66 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -91,20 +91,18 @@ static struct file_system_type proc_fs_type = {
 
 void __init proc_root_init(void)
 {
-	struct vfsmount *mnt;
 	int err;
 
 	proc_init_inodecache();
 	err = register_filesystem(&proc_fs_type);
 	if (err)
 		return;
-	mnt = kern_mount_data(&proc_fs_type, &init_pid_ns);
-	if (IS_ERR(mnt)) {
+	err = pid_ns_prepare_proc(&init_pid_ns);
+	if (err) {
 		unregister_filesystem(&proc_fs_type);
 		return;
 	}
 
-	init_pid_ns.proc_mnt = mnt;
 	proc_symlink("mounts", NULL, "self/mounts");
 
 	proc_net_init();
@@ -209,5 +207,5 @@ int pid_ns_prepare_proc(struct pid_namespace *ns)
 
 void pid_ns_release_proc(struct pid_namespace *ns)
 {
-	mntput(ns->proc_mnt);
+	kern_unmount(ns->proc_mnt);
 }