[PATCH] namespace.c: fix mnt_namespace clearing

This patch clears mnt_namespace on unmount.

Not clearing mnt_namespace has two effects:

   1) It is possible to attach a new mount to a detached mount,
      because check_mnt() returns true.

      This means, that when no other references to the detached mount
      remain, it still can't be freed.  This causes a resource leak,
      and possibly un-removable modules.

   2) If mnt_namespace is dereferenced (only in mark_mounts_for_expiry())
      after the namspace has been freed, it can cause an Oops, memory
      corruption, etc.

1) has been tested before and after the patch, 2) is only speculation.

Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/fs/namespace.c b/fs/namespace.c
index 208c079e9fdbf240ce848e27903b237c9c9d764f..a0d0ef1f1a4864f453b95fc39f10888b1b19b222 100644 (file)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -345,6 +345,7 @@ static void umount_tree(struct vfsmount *mnt)
        for (p = mnt; p; p = next_mnt(p, mnt)) {
                list_del(&p->mnt_list);
                list_add(&p->mnt_list, &kill);
+               p->mnt_namespace = NULL;
        }
 
        while (!list_empty(&kill)) {
@@ -1449,15 +1450,8 @@ void __init mnt_init(unsigned long mempages)
 
 void __put_namespace(struct namespace *namespace)
 {
-       struct vfsmount *mnt;
-
        down_write(&namespace->sem);
        spin_lock(&vfsmount_lock);
-
-       list_for_each_entry(mnt, &namespace->list, mnt_list) {
-               mnt->mnt_namespace = NULL;
-       }
-
        umount_tree(namespace->root);
        spin_unlock(&vfsmount_lock);
        up_write(&namespace->sem);