do_add_mount()/umount -l races
Normally we deal with lock_mount()/umount races by checking that mountpoint to be is still in our namespace after lock_mount() has been done. However, do_add_mount() skips that check when called with MNT_SHRINKABLE in flags (i.e. from finish_automount()). The reason is that ->mnt_ns may be a temporary namespace created exactly to contain automounts a-la NFS4 referral handling. It's not the namespace of the caller, though, so check_mnt() would fail here. We still need to check that ->mnt_ns is non-NULL in that case, though.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent fea7a08acb
commit 156cacb1d0
|
@ -1886,8 +1886,14 @@ static int do_add_mount(struct mount *newmnt, struct path *path, int mnt_flags)
|
|||
return err;
|
||||
|
||||
err = -EINVAL;
|
||||
if (!(mnt_flags & MNT_SHRINKABLE) && !check_mnt(real_mount(path->mnt)))
|
||||
goto unlock;
|
||||
if (unlikely(!check_mnt(real_mount(path->mnt)))) {
|
||||
/* that's acceptable only for automounts done in private ns */
|
||||
if (!(mnt_flags & MNT_SHRINKABLE))
|
||||
goto unlock;
|
||||
/* ... and for those we'd better have mountpoint still alive */
|
||||
if (!real_mount(path->mnt)->mnt_ns)
|
||||
goto unlock;
|
||||
}
|
||||
|
||||
/* Refuse the same filesystem on the same mount point */
|
||||
err = -EBUSY;
|
||||
|
|
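Review bot: The `!real_mount(path->mnt)->mnt_ns` test in the new MNT_SHRINKABLE branch deserves a comment that states its locking assumption. The check is meaningful only because it runs after lock_mount() and before the `unlock` label, and "we'd better have mountpoint still alive" does not tell a later reader that moving it outside that window reopens the umount -l race the commit message describes. The block also evaluates `real_mount(path->mnt)` twice; a local such as `struct mount *parent = real_mount(path->mnt);` would make both the `check_mnt()` call and the `->mnt_ns` test easier to read and keep them visibly tied to the same mount.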