stable.vger.kernel.org archive mirror
* Patch "namespace: update event counter when umounting a deleted dentry" has been added to the 4.6-stable tree
@ 2016-08-03  6:05 gregkh
From: gregkh @ 2016-08-03  6:05 UTC (permalink / raw)
  To: andreyu, gregkh, viro; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    namespace: update event counter when umounting a deleted dentry

to the 4.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     namespace-update-event-counter-when-umounting-a-deleted-dentry.patch
and it can be found in the queue-4.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From e06b933e6ded42384164d28a2060b7f89243b895 Mon Sep 17 00:00:00 2001
From: Andrey Ulanov <andreyu@google.com>
Date: Fri, 15 Apr 2016 14:24:41 -0700
Subject: namespace: update event counter when umounting a deleted dentry

From: Andrey Ulanov <andreyu@google.com>

commit e06b933e6ded42384164d28a2060b7f89243b895 upstream.

- m_start() in fs/namespace.c expects that ns->event is incremented each
  time a mount is added or removed from ns->list.
- umount_tree() removes items from the list but does not increment event
  counter, expecting that it's done before the function is called.
- There are some codepaths that call umount_tree() without updating
  "event" counter. e.g. from __detach_mounts().
- When this happens m_start may reuse a cached mount structure that no
  longer belongs to ns->list (i.e. use after free which usually leads
  to infinite loop).

This change fixes the above problem by incrementing global event counter
before invoking umount_tree().

Change-Id: I622c8e84dcb9fb63542372c5dbf0178ee86bb589
Signed-off-by: Andrey Ulanov <andreyu@google.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/namespace.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1562,6 +1562,7 @@ void __detach_mounts(struct dentry *dent
 		goto out_unlock;
 
 	lock_mount_hash();
+	event++;
 	while (!hlist_empty(&mp->m_list)) {
 		mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list);
 		if (mnt->mnt.mnt_flags & MNT_UMOUNT) {
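
Review bot: the bare `event++` added right after lock_mount_hash() carries no comment, so nothing at that line tells a later reader that it is there to invalidate the mount position m_start() caches, or that it must stay ahead of the loop that removes mounts. A one-line comment above it saying so would keep it from being dropped or moved in a cleanup. Separately, the changelog speaks of "some codepaths" that call umount_tree() without updating the counter and names __detach_mounts() only as an example, while the diffstat shows a single insertion in this one function; the changelog should say whether the other callers were checked and found to update the counter already, or whether they still need the same fix.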


Patches currently in stable-queue which might be from andreyu@google.com are

queue-4.6/namespace-update-event-counter-when-umounting-a-deleted-dentry.patch
