summaryrefslogtreecommitdiff
path: root/include/linux/crypto.h
diff options
context:
space:
mode:
authorDavid Lee <david.lee@trailofbits.com>2026-07-01 11:44:28 +0000
committerChristian Brauner <brauner@kernel.org>2026-07-01 15:26:32 +0200
commit6c732471740bc2ac9b0946134f9f551dc75f4369 (patch)
treea1c6931c434fdd5ebe41d0da5e1584a049155228 /include/linux/crypto.h
parente0df90e4c6021d6c8b540cbcd370cad23c7ff111 (diff)
downloadlwn-6c732471740bc2ac9b0946134f9f551dc75f4369.tar.gz
lwn-6c732471740bc2ac9b0946134f9f551dc75f4369.zip
fhandle: reject detached mounts in capable_wrt_mount()
The recent fhandle RCU fix moved the mount namespace capability check into capable_wrt_mount(), so a non-NULL mnt_namespace survives the ns_capable() dereference. The helper still assumes the later READ_ONCE(mount->mnt_ns) must be non-NULL because may_decode_fh() checked is_mounted() first. That assumption is not stable. A detached mount from open_tree(..., OPEN_TREE_CLONE) can be dissolved on fput while open_by_handle_at() is between those checks, and umount_tree() can clear mount->mnt_ns. If the helper observes NULL, it dereferences mnt_ns->user_ns and panics. Return false when the RCU read observes a detached mount. This keeps the relaxed permission path conservative: a mount no longer attached to a namespace cannot authorize open_by_handle_at() access. Fixes: 620c266f3949 ("fhandle: relax open_by_handle_at() permission checks") Cc: stable@vger.kernel.org Signed-off-by: David Lee <david.lee@trailofbits.com> Assisted-by: LLM Link: https://patch.msgid.link/20260701114438.24431-1-david.lee@trailofbits.com Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Diffstat (limited to 'include/linux/crypto.h')
0 files changed, 0 insertions, 0 deletions