Miklos Szeredi wrote:
> This patch clears mnt_namespace on unmount.
>
> Not clearing mnt_namespace has two effects:
>
> 1) It is possible to attach a new mount to a detached mount,
> because check_mnt() returns true.
>
> This means, that when no other references to the detached mount
> remain, it still can't be freed. This causes a resource leak,
> and possibly un-removable modules.
>
> 2) If mnt_namespace is dereferenced (only in mark_mounts_for_expiry())
> after the namespace has been freed, it can cause an Oops, memory
> corruption, etc.
>
> 1) has been tested before and after the patch, 2) is only speculation.
You're right - I was just thinking the same thing. There is also
another side effect, which is ironic in the context of recent discussion:
3) Because mnt_namespace may refer to freed memory, it may refer
to memory that's then allocated for _another_ namespace. So the
check for mounting in the correct namespace which prevents
recursive bind mounts could erroneously _allow_ the recursive
bind to succeed (though without taking the correct lock).
-- Jamie
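The third effect above is easy to see in a small model. The following is an added example, not Miklos's patch and not kernel code: `check_mnt()` and the `mnt_namespace` field are the names from the thread, while the two-slot namespace pool, `ns_alloc()`/`ns_free()`, `umount_mount()` and `detached_mount_passes_check()` are assumptions standing in for the slab cache and the mount code. The pool makes the "freed namespace memory is handed to a new namespace" case deterministic, so the stale pointer in a detached mount compares equal to the new namespace and the ownership check passes unless the pointer was cleared on unmount.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (added example, not kernel code). A fixed two-slot pool stands
 * in for the slab cache so that freeing a namespace and allocating the next
 * one reuses the same memory deterministically. */
#define NS_POOL 2

struct mnt_namespace { int id; bool in_use; };

/* Only the field the thread talks about is modelled. */
struct vfsmount {
    const char *name;
    struct mnt_namespace *mnt_namespace;
};

static struct mnt_namespace ns_pool[NS_POOL];
static int next_ns_id = 1;

/* Hand out the first free slot; mimics slab reuse of just-freed memory. */
static struct mnt_namespace *ns_alloc(void)
{
    for (int i = 0; i < NS_POOL; i++) {
        if (!ns_pool[i].in_use) {
            ns_pool[i].in_use = true;
            ns_pool[i].id = next_ns_id++;
            return &ns_pool[i];
        }
    }
    return NULL;
}

static void ns_free(struct mnt_namespace *ns)
{
    ns->in_use = false;
    ns->id = 0;
}

/* The "is this mount in the caller's namespace?" test from the thread:
 * a plain pointer comparison, so a dangling pointer is trusted. */
static bool check_mnt(const struct vfsmount *mnt,
                      const struct mnt_namespace *current_ns)
{
    return mnt->mnt_namespace == current_ns;
}

/* Detach a mount. With clear_ns == true this is the behaviour the patch
 * introduces (mnt_namespace cleared); with false it is the old behaviour. */
static void umount_mount(struct vfsmount *mnt, bool clear_ns)
{
    if (clear_ns)
        mnt->mnt_namespace = NULL;
}

/* Scenario: create a namespace, detach a mount that belonged to it, free the
 * namespace, create a new one that lands in the same slot, and ask whether
 * check_mnt() would accept the detached mount in the new namespace.
 * Returns true when the stale pointer lets the check pass. */
static bool detached_mount_passes_check(bool clear_ns_on_umount)
{
    struct mnt_namespace *ns_old = ns_alloc();
    struct vfsmount m = { "detached", ns_old };

    umount_mount(&m, clear_ns_on_umount);
    ns_free(ns_old);                           /* namespace goes away */
    struct mnt_namespace *ns_new = ns_alloc(); /* same slot is reused */

    bool slot_reused = (ns_new == ns_old);
    bool passes = slot_reused && check_mnt(&m, ns_new);

    ns_free(ns_new);
    return passes;
}

int main(void)
{
    printf("without clearing mnt_namespace: check_mnt passes = %d\n",
           detached_mount_passes_check(false));
    printf("with clearing mnt_namespace:    check_mnt passes = %d\n",
           detached_mount_passes_check(true));
    return 0;
}
```

Without the clear, the detached mount's stale `mnt_namespace` equals the newly allocated namespace and the check passes; with the clear it compares against NULL and fails, which is the behaviour the patch restores. The model deliberately omits the locking the thread mentions, since the point is only the pointer comparison.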
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/