[PATCH] namespace.c: fix expiring of detached mount

This patch fixes a bug noticed by Al Viro:

   However, we still have a problem here - just what would
   happen if vfsmount is detached while we were grabbing namespace
   semaphore?  Refcount alone is not useful here - we might be held by
   whoever had detached the vfsmount.  IOW, we should check that it's
   still attached (i.e. that mnt->mnt_parent != mnt).  If it's not -
   just leave it alone, do mntput() and let whoever holds it deal with
   the sucker.  No need to put it back on lists.

Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <viro@parcelfarce.linux.theplanet.co.uk>
Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/fs/namespace.c b/fs/namespace.c
index d82cf18a1a947b381603b28ef9765b3be41aef39..2b4635e43ae84024cac1564231a834f93afc6590 100644 (file)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -829,6 +829,15 @@ static void expire_mount(struct vfsmount *mnt, struct list_head *mounts)
 {
        spin_lock(&vfsmount_lock);
 
+       /*
+        * Check if mount is still attached, if not, let whoever holds it deal
+        * with the sucker
+        */
+       if (mnt->mnt_parent == mnt) {
+               spin_unlock(&vfsmount_lock);
+               return;
+       }
+
        /*
         * Check that it is still dead: the count should now be 2 - as
         * contributed by the vfsmount parent and the mntget above