Commit 0748e553 authored by Al Viro

userns and mnt_idmap leak in open_tree_attr(2)



Once want_mount_setattr() has returned a positive, it does require
finish_mount_kattr() to release ->mnt_userns.  Failing do_mount_setattr()
does not change that.

As the result, we can end up leaking userns and possibly mnt_idmap as
well.

Fixes: c4a16820 ("fs: add open_tree_attr()")
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent ce7df196
+3 −7
@@ -5307,16 +5307,12 @@ SYSCALL_DEFINE5(open_tree_attr, int, dfd, const char __user *, filename,
			kattr.kflags |= MOUNT_KATTR_RECURSE;

		ret = wants_mount_setattr(uattr, usize, &kattr);
		if (ret < 0)
			return ret;

		if (ret) {
		if (ret > 0) {
			ret = do_mount_setattr(&file->f_path, &kattr);
			if (ret)
				return ret;

			finish_mount_kattr(&kattr);
		}
		if (ret)
			return ret;
	}

	fd = get_unused_fd_flags(flags & O_CLOEXEC);
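Review bot: The pairing rule this fix depends on is not documented at the call site, around the `finish_mount_kattr(&kattr);` line inside the `if (ret > 0) {` block. Nothing there tells a later reader that the cleanup must run even when `do_mount_setattr()` fails, so re-adding an early `if (ret) return ret;` between the two calls would bring the leak back. A one-line comment above `finish_mount_kattr(&kattr);` saying that a positive return from `wants_mount_setattr()` always requires it would guard against that. The single `if (ret) return ret;` after the block now covers both the negative return from `wants_mount_setattr()` and a failure from `do_mount_setattr()`, which is correct as long as `finish_mount_kattr()` cannot change `ret`, and that holds here since it is called only for its side effect. Also, the commit message refers to `want_mount_setattr()` while the code calls `wants_mount_setattr()`; aligning the name makes the log greppable.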