    namespace: update event counter when umounting a deleted dentry · e06b933e
    Andrey Ulanov authored
    - m_start() in fs/namespace.c expects that ns->event is incremented each
      time a mount is added or removed from ns->list.
    - umount_tree() removes items from the list but does not increment event
      counter, expecting that it's done before the function is called.
    - There are some codepaths that call umount_tree() without updating
      "event" counter. e.g. from __detach_mounts().
    - When this happens m_start may reuse a cached mount structure that no
      longer belongs to ns->list (i.e. use after free which usually leads
      to infinite loop).
    
    This change fixes the above problem by incrementing global event counter
    before invoking umount_tree().
    
    Change-Id: I622c8e84dcb9fb63542372c5dbf0178ee86bb589
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrey Ulanov <andreyu@google.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
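The stale-cache condition the commit message describes, as an added userspace model that is not part of the commit or of the kernel source. All names here (`struct mnt`, `reader_start`, `unlink_mnt`, `stale_after_removal`) are hypothetical stand-ins for m_start(), umount_tree() and the ns->event counter, and removed nodes are only flagged rather than freed so the stale reuse can be observed safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not kernel code: a list of mounts plus an event counter. */
struct mnt { int id; int on_list; struct mnt *next; };
struct ns { struct mnt *head; unsigned long event; };
/* Per-reader cache, standing in for the position m_start() remembers. */
struct reader { unsigned long cached_event; struct mnt *cached; long cached_index; };

static struct mnt *walk(struct ns *ns, long pos)
{
    struct mnt *m = ns->head;
    while (m && pos-- > 0)
        m = m->next;
    return m;
}

/* Models m_start(): trust the cached node while the event counter is unchanged. */
static struct mnt *reader_start(struct reader *r, struct ns *ns, long pos)
{
    if (r->cached_event == ns->event && pos == r->cached_index)
        return r->cached;               /* no re-walk, no membership check */
    r->cached_event = ns->event;
    r->cached = walk(ns, pos);
    r->cached_index = pos;
    return r->cached;
}

/* Models umount_tree(): unlinks the node and leaves the counter to the caller. */
static void unlink_mnt(struct ns *ns, struct mnt *m)
{
    struct mnt **pp = &ns->head;
    while (*pp && *pp != m)
        pp = &(*pp)->next;
    if (*pp) { *pp = m->next; m->on_list = 0; }
}

/* Returns 1 if the reader is handed a node that is no longer on the list. */
static int stale_after_removal(int bump_event)
{
    struct mnt c = {3, 1, NULL}, b = {2, 1, &c}, a = {1, 1, &b};
    struct ns ns = {&a, 1};
    struct reader r = {0, NULL, 0};
    reader_start(&r, &ns, 1);           /* reader caches node b at index 1 */
    if (bump_event)
        ns.event++;                     /* the fix: bump before removing */
    unlink_mnt(&ns, &b);
    struct mnt *got = reader_start(&r, &ns, 1);
    return got != NULL && !got->on_list;
}

int main(void)
{
    printf("without bump: stale=%d\n", stale_after_removal(0));
    printf("with bump:    stale=%d\n", stale_after_removal(1));
    return 0;
}
```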