Commit a7560a01 authored by Tejun Heo's avatar Tejun Heo Committed by Greg Kroah-Hartman

sysfs: fix use-after-free in sysfs_kill_sb()

While restructuring the [u]mount path, 4b93dc9b ("sysfs, kernfs:
prepare mount path for kernfs") incorrectly updated sysfs_kill_sb() so
that it first kills super_block and then tries to dereference its
namespace tag to drop it.  Fix it by caching namespace tag before
killing the superblock and then drop the cached namespace tag.
Signed-off-by: default avatarTejun Heo <>
Reported-by: default avatarYuanhan Liu <>
Tested-by: default avatarYuanhan Liu <>
Tested-by: default avatarVlastimil Babka <>
Link: default avatarGreg Kroah-Hartman <>
parent 9b2db6e1
......@@ -45,8 +45,10 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type,
static void sysfs_kill_sb(struct super_block *sb)
void *ns = (void *)kernfs_super_ns(sb);
kobj_ns_drop(KOBJ_NS_TYPE_NET, (void *)kernfs_super_ns(sb));
kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
static struct file_system_type sysfs_fs_type = {
