ACK: [PATCH 0/2][SRU][D/E] CVE-2019-15794: ovl/shiftfs refcount underflow

Stefan Bader stefan.bader at
Thu Nov 7 16:50:13 UTC 2019

On 07.11.19 17:08, Seth Forshee wrote:
> BugLink:
> Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap
> handlers. On error the original value is not restored, and the reference
> is put for the file to which vm_file points. On upstream kernels this is
> not an issue, as no callers dereference vm_file dereference vm_file
> following after call_mmap() returns an error. However, the aufs patchs
> change mmap_region() to replace the fput() using a local variable with
> vma_fput(), which will fput() vm_file, leading to a refcount underflow.
> Fix: Restore the original vma_file value on error.
> Test Case: A reproducer is provided in the original bug report.
> Regression Potential: Minimal. As stated above, other callers of
> call_mmap() do not dereference vma->vm_file when it returns an error,
> and the one which does is fixed by these patches.
> Notes: Supported kernels prior to disco are not affected as overlayfs
> did not support mmap until 4.19, and shiftfs was not present in Ubuntu
> kernels before disco. The issue is mitigated for overlayfs by another
> bug which is preventing unprivileged mounting; a patch for this issue
> will be sent separately.
> Thanks,
> Seth
> Seth Forshee (2):
>   UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
>   UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
>  fs/overlayfs/file.c |  6 +++++-
>  fs/shiftfs.c        | 15 +++++++++++----
>  2 files changed, 16 insertions(+), 5 deletions(-)
Acked-by: Stefan Bader <stefan.bader at>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the kernel-team mailing list