Date: Wed, 11 Jan 2017 02:51:33 +0000
From: Al Viro
To: "Eric W. Biederman"
Cc: Krister Johansen , linux-fsdevel@vger.kernel.org, containers@lists.linux-foundation.org
Subject: Re: Possible bug: detached mounts difficult to cleanup
Message-ID: <20170111025132.GP1555@ZenIV.linux.org.uk>
References: <20170111012454.GB2497@templeofstupid.com> <87fukqwcue.fsf@xmission.com>
In-Reply-To: <87fukqwcue.fsf@xmission.com>

On Wed, Jan 11, 2017 at 03:27:05PM +1300, Eric W. Biederman wrote:

> The design is for the parent mount to hold a reference to the submounts.
> And when the reference on the parent drops to 0. The references on
> all of the submounts will also be dropped.

Parent does _not_ hold any references to submounts. Never had.
What happens in umount_tree() is that any surviving submounts
	a) are inserted into ->mnt_pins of parent, but not into unmounted.
	b) have the reference to parent dropped.
When the last reference to parent gets dropped, all remaining submounts
get unhashed and when we get to cleanup_mnt() on parent, ->mnt_pins gets
pulled. Which does dput() on (ex)mountpoints and mntput() on those submounts.

> I was hoping to read the code and point it out to you quickly, but I am
> not seeing it now. I am wondering if in all of the refactoring of that
> code something was dropped/missed :(
>
> Somewhere there is supposed to be the equivalent of:
>     pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, &unmounted);
> when we unhash those mounts because the last count has gone away.
> Either it is very sophisticated or I am missing it. Grr....

What you are missing is that they never end up on 'unmounted' - only on ->mnt_pin of parent. It's the same pin_insert_group() in umount_tree() as for everything else, the only difference being that it does _not_ get kicked out on the namespace_unlock().
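
An added illustration, not part of the original message and not kernel code: a user-space C model of the lifetime rules described in the message above, showing that a surviving submount stays alive for as long as anything still holds the parent. The struct layout and the `model_*` names are assumptions made for this example, and the dput() on the ex-mountpoint is left out.

```c
/* User-space model of the mount lifetime rules in the message above.
 * NOT kernel code: the struct and the model_* names are hypothetical. */
#include <stdio.h>

#define MAX_PINS 8

struct mount {
    int count;                     /* references held on this mount */
    int alive;                     /* cleared when cleanup has run */
    struct mount *parent;
    struct mount *pins[MAX_PINS];  /* stands in for ->mnt_pins */
    int npins;
};

/* Dropping the last reference runs the cleanup: the pins get pulled,
 * which does the mntput() on each pinned submount (dput() not modelled). */
static void model_mntput(struct mount *m)
{
    if (--m->count > 0)
        return;
    m->alive = 0;
    for (int i = 0; i < m->npins; i++)
        model_mntput(m->pins[i]);
    m->npins = 0;
}

/* umount_tree() step for a surviving submount: (a) pin it onto the parent,
 * not onto any 'unmounted' list; (b) drop its reference to the parent. */
static int model_umount_survivor(struct mount *child)
{
    struct mount *p = child->parent;
    if (!p || p->npins == MAX_PINS)
        return -1;
    p->pins[p->npins++] = child;
    model_mntput(p);
    return 0;
}

int main(void)
{
    /* Constructed state: parent held by the submount and one outside user. */
    struct mount parent = { .count = 2, .alive = 1 };
    struct mount child = { .count = 1, .alive = 1, .parent = &parent };
    model_umount_survivor(&child);
    printf("parent still held: child alive=%d\n", child.alive);
    model_mntput(&parent);         /* the outside user lets go */
    printf("parent released:   child alive=%d\n", child.alive);
    return 0;
}
```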