From: Miklos Szeredi
Date: Fri, 8 Jul 2005 00:57:22 +0000 (-0700)
Subject: [PATCH] namespace.c: fix mnt_namespace clearing
X-Git-Tag: firefly_0821_release~42991
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=202322e6f7cd12e82b5ff0fa92bbdf517fcf0947;p=firefly-linux-kernel-4.4.55.git

[PATCH] namespace.c: fix mnt_namespace clearing

This patch clears mnt_namespace on unmount. Not clearing mnt_namespace has two effects:

1) It is possible to attach a new mount to a detached mount, because check_mnt() returns true. This means that when no other references to the detached mount remain, it still can't be freed. This causes a resource leak, and possibly un-removable modules.

2) If mnt_namespace is dereferenced (only in mark_mounts_for_expiry()) after the namespace has been freed, it can cause an Oops, memory corruption, etc.

1) has been tested before and after the patch, 2) is only speculation.

Signed-off-by: Miklos Szeredi
Acked-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---

diff --git a/fs/namespace.c b/fs/namespace.c
index 208c079e9fdb..a0d0ef1f1a48 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -345,6 +345,7 @@ static void umount_tree(struct vfsmount *mnt)
 	for (p = mnt; p; p = next_mnt(p, mnt)) {
 		list_del(&p->mnt_list);
 		list_add(&p->mnt_list, &kill);
+		p->mnt_namespace = NULL;
 	}
 
 	while (!list_empty(&kill)) {
@@ -1449,15 +1450,8 @@ void __init mnt_init(unsigned long mempages)
 
 void __put_namespace(struct namespace *namespace)
 {
-	struct vfsmount *mnt;
-
 	down_write(&namespace->sem);
 	spin_lock(&vfsmount_lock);
-
-	list_for_each_entry(mnt, &namespace->list, mnt_list) {
-		mnt->mnt_namespace = NULL;
-	}
-
 	umount_tree(namespace->root);
 	spin_unlock(&vfsmount_lock);
 	up_write(&namespace->sem);
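Review bot: in the umount_tree() hunk, the new `p->mnt_namespace = NULL;` turns a pointer that the commit message says is dereferenced in mark_mounts_for_expiry() into a possible NULL, but the patch shows no matching NULL check at that reader; please confirm that every reader of mnt_namespace tolerates NULL, or add the check in the same series. The store is correctly placed inside the loop that moves each mount of the subtree onto the kill list, so it covers the whole subtree and not just the root; a one-line comment saying that the store relies on the caller holding vfsmount_lock (as __put_namespace() does with spin_lock(&vfsmount_lock) around the call) would help later readers.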
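Review bot: in the __put_namespace() hunk, dropping the `list_for_each_entry(mnt, &namespace->list, mnt_list)` loop leaves `umount_tree(namespace->root);` as the only place that clears mnt_namespace, which is equivalent only if every mount on namespace->list is reachable from namespace->root through next_mnt(); a mount on the list but outside that subtree would keep a dangling mnt_namespace pointer, which is exactly the condition the commit message warns about. If that invariant holds, a short comment above the umount_tree() call stating it would save the next reader from re-deriving it; if it cannot be guaranteed, a debug assertion that namespace->list is empty after umount_tree() returns would catch the stragglers. The lock is still held across umount_tree() after this change, so the new store in that function is serialised as intended.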
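To make effect 1) of the commit message concrete, here is an added user-space model (example code, not part of the patch or of fs/namespace.c) of how a stale back-pointer lets check_mnt() approve attaching a new mount onto an already detached one, after which the detached mount can never be freed. The types ns_namespace and ns_mount, the functions attach_mount, unlink_child and run_scenario, and the reference-counting rules are all invented for the illustration; only the shape of the bug (membership decided from a back-pointer that teardown forgot to clear) follows the commit message.

```c
/* Added example, not kernel code: a user-space model of the mnt_namespace
 * back-pointer problem the commit message describes. All names here are
 * invented for the illustration; the kernel's structures and locking differ. */
#include <stdbool.h>
#include <stdlib.h>

struct ns_namespace { int id; };

struct ns_mount {
    struct ns_namespace *ns;            /* plays the role of mnt_namespace */
    struct ns_mount *parent, *children, *next_sibling;
    int refcnt;
};

static int live_mounts;                 /* ns_mount objects not yet freed */

static struct ns_mount *mount_new(struct ns_namespace *ns)
{
    struct ns_mount *m = calloc(1, sizeof *m);
    m->ns = ns;
    m->refcnt = 1;                      /* the creator's own reference */
    live_mounts++;
    return m;
}

static void mnt_get(struct ns_mount *m) { m->refcnt++; }

static void mnt_put(struct ns_mount *m)
{
    if (--m->refcnt == 0) { live_mounts--; free(m); }
}

/* The check the commit message names: membership comes only from the back-pointer. */
static bool check_mnt(const struct ns_mount *m, const struct ns_namespace *ns)
{
    return m->ns == ns;
}

/* Attach child under parent; an attached child pins its parent and holds an
 * extra "attached" reference on itself. Refused unless parent is in caller_ns. */
static int attach_mount(struct ns_mount *parent, struct ns_mount *child,
                        struct ns_namespace *caller_ns)
{
    if (!check_mnt(parent, caller_ns))
        return -1;
    child->parent = parent;
    child->ns = parent->ns;
    child->next_sibling = parent->children;
    parent->children = child;
    mnt_get(parent);
    mnt_get(child);
    return 0;
}

static void unlink_child(struct ns_mount *m)
{
    struct ns_mount **pp = &m->parent->children;
    while (*pp && *pp != m)
        pp = &(*pp)->next_sibling;
    if (*pp)
        *pp = m->next_sibling;
    m->next_sibling = NULL;
}

/* Tear down a subtree. clear_ns=false models the pre-patch code,
 * clear_ns=true the patched umount_tree() that stores NULL. */
static void umount_tree(struct ns_mount *root, bool clear_ns)
{
    while (root->children)
        umount_tree(root->children, clear_ns);
    if (clear_ns)
        root->ns = NULL;
    if (root->parent) {
        unlink_child(root);
        mnt_put(root->parent);
        root->parent = NULL;
        mnt_put(root);                  /* drop the "attached" reference */
    }
}

/* Replays effect 1): returns how many mounts are still alive once the namespace
 * is gone; *attach_rc gets the attach-onto-detached result (0 allowed, -1 refused). */
static int run_scenario(bool patched, int *attach_rc)
{
    struct ns_namespace ns = { 1 };
    struct ns_mount *root, *d, *e;

    live_mounts = 0;
    root = mount_new(&ns);
    d = mount_new(NULL);
    attach_mount(root, d, &ns);
    umount_tree(d, patched);            /* d leaves the tree; caller still holds it */

    e = mount_new(NULL);
    *attach_rc = attach_mount(d, e, &ns);   /* stale d->ns lets this succeed */
    mnt_put(e);                         /* caller lets go of e and d; if e was */
    mnt_put(d);                         /* attached, they now keep each other alive */

    umount_tree(root, patched);         /* namespace teardown */
    mnt_put(root);
    return live_mounts;                 /* unpatched: 2, patched: 0 */
}
```

With the pre-patch behaviour the two unreachable mounts survive the namespace, which is the "still can't be freed" outcome the commit message tested; with the NULL store in place the attach is refused and everything is released.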