@@ -1710,10 +1710,6 @@ static int can_umount(const struct path *path, int flags)
{
struct mount *mnt = real_mount(path->mnt);
- if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
- return -EINVAL;
- if (!may_mount())
- return -EPERM;
if (path->dentry != path->mnt->mnt_root)
return -EINVAL;
if (!check_mnt(mnt))
@@ -1746,6 +1742,12 @@ static int ksys_umount(char __user *name, int flags)
struct path path;
int ret;
+ if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
+ return -EINVAL;
+
+ if (!may_mount())
+ return -EPERM;
+
if (!(flags & UMOUNT_NOFOLLOW))
lookup_flags |= LOOKUP_FOLLOW;
ret = user_path_at(AT_FDCWD, name, lookup_flags, &path);
ksys_umount was refactored to into split into another function (path_umount) to enable sharing code. This changed the order that flags and permissions are validated in, and made it so that user_path_at was called before validating flags and capabilities. Unfortunately, libfuse2[1] and libmount[2] rely on the old flag validation behaviour to determine whether or not the kernel supports UMOUNT_NOFOLLOW. The other path that this validation is being checked on is init_umount->path_umount->can_umount. That's all internal to the kernel. [1]: https://github.com/libfuse/libfuse/blob/9bfbeb576c5901b62a171d35510f0d1a922020b7/util/fusermount.c#L403 [2]: https://github.com/karelzak/util-linux/blob/7ed579523b556b1270f28dbdb7ee07dee310f157/libmount/src/context_umount.c#L813 Signed-off-by: Sargun Dhillon <sargun@sargun.me> Cc: Christoph Hellwig <hch@lst.de> Cc: stable@vger.kernel.org Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Fixes: 41525f56e256 ("fs: refactor ksys_umount") --- fs/namespace.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)