From f871aeed8bc45158f9e63d06153a236eb9376fd7 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 9 Jun 2015 10:31:14 +0200
Subject: [PATCH 1/2] Revert "util:bind_remount_recursive() fix "use after free""

This reverts commit 46be6129d3e52556eb0f2ae4d07818f9f3f7af7a.
---
 src/shared/util.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/src/shared/util.c b/src/shared/util.c
index 1442301cd7f..311acbb3499 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -4931,15 +4931,11 @@ int bind_remount_recursive(const char *prefix, bool ro) {

 while ((x = set_steal_first(todo))) {

- r = set_put(done, x);
- if (r == -EEXIST) {
- free(x);
+ r = set_consume(done, x);
+ if (r == -EEXIST)
 continue;
- }
- if (r < 0) {
- free(x);
+ if (r < 0)
 return r;
- }

 /* Try to reuse the original flag set, but
 * don't care for errors, in case of
@@ -4949,15 +4945,14 @@ int bind_remount_recursive(const char *prefix, bool ro) {
 orig_flags &= ~MS_RDONLY;

 if (mount(NULL, x, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0) {
+
 /* Deal with mount points that are
 * obstructed by a later mount */

- if (errno != ENOENT) {
- free(x);
+ if (errno != ENOENT)
 return -errno;
- }
 }
- free(x);
+
 }
 }
 }

From 85d834ae8e7d9e2c28ef8c1388e2913ed8fd0e3b Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 9 Jun 2015 10:32:28 +0200
Subject: [PATCH 2/2] util:bind_remount_recursive(): handle return 0 of set_consume()

set_consume() does not return -EEXIST, but 0, in case the key is already in the Set.
---
 src/shared/util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/util.c b/src/shared/util.c
index 311acbb3499..dc5e9387963 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -4932,7 +4932,7 @@ int bind_remount_recursive(const char *prefix, bool ro) {
 while ((x = set_steal_first(todo))) {

 r = set_consume(done, x);
- if (r == -EEXIST)
+ if (r == -EEXIST || r == 0)
 continue;
 if (r < 0)
 return r;
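Review bot: With only this revert applied, the `if (r == -EEXIST)` test after `set_consume(done, x)` does not catch a duplicate entry, because the follow-up patch in this series states that set_consume() returns 0 when the key is already in the set. set_consume() itself is not shown; if it releases x whenever it does not store it, as its name suggests, x then reaches the mount() call in the next hunk after being freed. The series closes this in 2/2, but 1/2 on its own leaves that window open for anyone bisecting or cherry-picking, so I would fold the `|| r == 0` change into this commit. The loop and the function continue outside this hunk.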
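Review bot: Nothing in the loop says why x needs no free() on the `return -errno` path or at the end of the iteration any more, and the free() calls removed here suggest how easily that is misread. A comment above the mount() call would record it, for example `/* x now belongs to 'done'; it stays valid for this iteration and must not be freed here */`; that ownership rule is inferred from the removed lines, since set_consume() is not visible on this page. The two `+` lines in this hunk are blank lines restored by the revert and could be left out. The while loop starts before this hunk.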
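Review bot: The `r == 0` branch is the one place where x is dangling after the call, and the condition does not say so; a comment on the `if` such as `/* 0: x was already in 'done' and set_consume() has released it */` would keep a later edit from touching x there (the release is inferred from the function's name and this commit's description). By the commit message set_consume() never returns -EEXIST, so `r == -EEXIST ||` looks like a dead test; `if (r < 0) return r; if (r == 0) continue;` would express the same thing if that holds. The rest of the loop body lies outside this hunk.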