* [PATCH] namespace.c: fix mnt_namespace clearing
@ 2005-05-16 19:55 Miklos Szeredi
  2005-05-17  1:36 ` Jamie Lokier
  0 siblings, 1 reply; 2+ messages in thread
From: Miklos Szeredi @ 2005-05-16 19:55 UTC (permalink / raw)
  To: akpm, viro; +Cc: linux-kernel, linux-fsdevel

This patch clears mnt_namespace on unmount.

Not clearing mnt_namespace has two effects:

   1) It is possible to attach a new mount to a detached mount,
      because check_mnt() returns true.

      This means that when no other references to the detached mount
      remain, it still can't be freed.  This causes a resource leak,
      and possibly un-removable modules.

   2) If mnt_namespace is dereferenced (only in mark_mounts_for_expiry())
      after the namespace has been freed, it can cause an Oops, memory
      corruption, etc.

1) has been tested before and after the patch, 2) is only speculation.

Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>

Index: linux/fs/namespace.c
===================================================================
--- linux.orig/fs/namespace.c	2005-05-16 21:02:54.000000000 +0200
+++ linux/fs/namespace.c	2005-05-16 21:20:10.000000000 +0200
@@ -345,6 +345,7 @@ static void umount_tree(struct vfsmount 
 	for (p = mnt; p; p = next_mnt(p, mnt)) {
 		list_del(&p->mnt_list);
 		list_add(&p->mnt_list, &kill);
+		p->mnt_namespace = NULL;
 	}
 
 	while (!list_empty(&kill)) {
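Review bot: the store `p->mnt_namespace = NULL;` now runs for every mount that umount_tree() moves onto the kill list, whichever caller detached it, and that wider reach (rather than the per-namespace loop being removed in the next hunk) is what makes check_mnt() fail for a detached mount; the description should say so explicitly, since that is the actual fix for effect 1. Also confirm that every caller of umount_tree() holds vfsmount_lock the way __put_namespace() does below, because check_mnt() readers would otherwise race with this store.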
@@ -1449,15 +1450,8 @@ void __init mnt_init(unsigned long mempa
 
 void __put_namespace(struct namespace *namespace)
 {
-	struct vfsmount *mnt;
-
 	down_write(&namespace->sem);
 	spin_lock(&vfsmount_lock);
-
-	list_for_each_entry(mnt, &namespace->list, mnt_list) {
-		mnt->mnt_namespace = NULL;
-	}
-
 	umount_tree(namespace->root);
 	spin_unlock(&vfsmount_lock);
 	up_write(&namespace->sem);
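Review bot: dropping the `list_for_each_entry(mnt, &namespace->list, mnt_list)` loop is only equivalent if umount_tree(namespace->root) reaches, via next_mnt(), every mount that was on namespace->list; any mount still on that list but not under namespace->root would keep a stale mnt_namespace after this change and reintroduce effect 2. A sentence in the description stating that invariant would make the removal reviewable. Removing the now-unused `struct vfsmount *mnt` declaration is correct, since nothing else in the function references it.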


* Re: [PATCH] namespace.c: fix mnt_namespace clearing
  2005-05-16 19:55 [PATCH] namespace.c: fix mnt_namespace clearing Miklos Szeredi
@ 2005-05-17  1:36 ` Jamie Lokier
  0 siblings, 0 replies; 2+ messages in thread
From: Jamie Lokier @ 2005-05-17  1:36 UTC (permalink / raw)
  To: Miklos Szeredi; +Cc: akpm, viro, linux-kernel, linux-fsdevel

Miklos Szeredi wrote:
> This patch clears mnt_namespace on unmount.
> 
> Not clearing mnt_namespace has two effects:
> 
>    1) It is possible to attach a new mount to a detached mount,
>       because check_mnt() returns true.
> 
>       This means that when no other references to the detached mount
>       remain, it still can't be freed.  This causes a resource leak,
>       and possibly un-removable modules.
> 
>    2) If mnt_namespace is dereferenced (only in mark_mounts_for_expiry())
>       after the namespace has been freed, it can cause an Oops, memory
>       corruption, etc.
> 
> 1) has been tested before and after the patch, 2) is only speculation.

You're right - I was just thinking the same thing.  There is also
another side effect, which is ironic in the context of recent discussion:

     3) Because mnt_namespace may refer to freed memory, it may refer
        to memory that's then allocated for _another_ namespace.  So the
        check for mounting in the correct namespace which prevents
        recursive bind mounts could erroneously _allow_ the recursive
        bind to succeed (though without taking the correct lock).

-- Jamie

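The two failure modes discussed in this thread, the stale back-pointer letting a detached mount pass check_mnt() (effect 1 in the patch description) and the freed namespace's memory being reused so that the stale pointer matches a different namespace (Jamie Lokier's point 3), can be reproduced in a small userspace model. The following is an added example, not kernel code and not part of the thread: the structures are toys that borrow the names vfsmount, namespace, check_mnt and umount_tree from fs/namespace.c, while attach_mnt(), alloc_namespace() and the one-slot slab are assumptions made for the illustration. The `with_fix` flag switches between pre-patch behaviour (leave mnt_namespace dangling) and post-patch behaviour (clear it on detach).

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified userspace model of the mnt_namespace back-pointer (added
 * example, not kernel code). Names mirror fs/namespace.c; the structures
 * and the slab are toys. */

struct namespace;

struct vfsmount {
    struct namespace *mnt_namespace;   /* back-pointer the patch clears on detach */
    struct vfsmount *mnt_parent;
    struct vfsmount *children[4];
    int nchildren;
};

struct namespace {
    struct vfsmount *root;
    bool in_use;                       /* slab slot occupancy, for the reuse scenario */
};

/* The gate for attaching a mount: is 'mnt' in the current namespace? */
static bool check_mnt(const struct namespace *cur, const struct vfsmount *mnt)
{
    return mnt->mnt_namespace == cur;
}

/* Detach 'mnt' and its subtree. with_fix selects post-patch behaviour
 * (clear the back-pointer) or pre-patch behaviour (leave it dangling). */
static void umount_tree(struct vfsmount *mnt, bool with_fix)
{
    for (int i = 0; i < mnt->nchildren; i++)
        umount_tree(mnt->children[i], with_fix);
    mnt->nchildren = 0;
    mnt->mnt_parent = NULL;
    if (with_fix)
        mnt->mnt_namespace = NULL;
}

/* Attach 'newmnt' under 'where' in namespace 'cur', guarded by check_mnt()
 * (assumed helper, modelled on the real attach path's namespace check). */
static bool attach_mnt(struct namespace *cur, struct vfsmount *where,
                       struct vfsmount *newmnt)
{
    if (!check_mnt(cur, where))
        return false;
    if (where->nchildren >= 4)
        return false;
    where->children[where->nchildren++] = newmnt;
    newmnt->mnt_parent = where;
    newmnt->mnt_namespace = cur;
    return true;
}

/* A one-slot "slab" (constructed for the example): freeing a namespace and
 * allocating another hands back the same address, which is the reuse the
 * reply's point 3 describes. */
static struct namespace ns_slab[1];

static struct namespace *alloc_namespace(void)
{
    if (ns_slab[0].in_use)
        return NULL;
    ns_slab[0].in_use = true;
    ns_slab[0].root = NULL;
    return &ns_slab[0];
}

static void free_namespace(struct namespace *ns)
{
    ns->in_use = false;
}

/* Effect 1: detach a mount, then try to attach a new mount to it.
 * Returns true when the attach is (wrongly) accepted. */
bool attach_to_detached_allowed(bool with_fix)
{
    struct namespace ns = { .root = NULL, .in_use = true };
    struct vfsmount root = { .mnt_namespace = &ns };
    struct vfsmount child = { .mnt_namespace = &ns, .mnt_parent = &root };
    struct vfsmount newmnt = { 0 };

    root.children[root.nchildren++] = &child;
    ns.root = &root;

    umount_tree(&child, with_fix);           /* child is now detached */
    return attach_mnt(&ns, &child, &newmnt); /* should be refused */
}

/* Point 3: the namespace is freed and its memory reused for another one;
 * a stale back-pointer then passes check_mnt() for the new namespace.
 * Returns true when that false positive occurs. */
bool stale_pointer_matches_reused_namespace(bool with_fix)
{
    struct namespace *old_ns = alloc_namespace();
    struct vfsmount root = { .mnt_namespace = old_ns };
    old_ns->root = &root;

    umount_tree(&root, with_fix);
    free_namespace(old_ns);

    struct namespace *new_ns = alloc_namespace(); /* same slot as old_ns */
    bool hit = check_mnt(new_ns, &root);
    free_namespace(new_ns);
    return hit;
}
```

Without the fix both functions return true: the detached mount still claims membership, and after the slot is recycled the stale pointer compares equal to an unrelated namespace. With the fix the cleared pointer fails check_mnt() in both cases, which is the invariant the patch establishes: a mount that is no longer in any namespace must not look like it is.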
