    mnt: Fix a memory stomp in umount · c297abfd
    Eric W. Biederman authored
    While reviewing the code of umount_tree I realized that when we append
    to a preexisting unmounted list we do not change pprev of the former
    first item in the list.
    
    Which means later in namespace_unlock hlist_del_init(&mnt->mnt_hash) on
    the former first item of the list will stomp unmounted.first leaving
    it set to some random mount point which we are likely to free soon.
    
    This isn't likely to hit, but if it does I don't know how anyone could
    track it down.
    
    [ This happened because we don't have all the same operations for
      hlist's as we do for normal doubly-linked lists. In particular,
      list_splice() is easy on our standard doubly-linked lists, while
      hlist_splice() doesn't exist and needs both start/end entries of the
      hlist.  And commit 38129a13 incorrectly open-coded that missing
      hlist_splice().
    
      We should think about making these kinds of "mindless" conversions
      easier to get right by adding the missing hlist helpers   - Linus ]
    
    Fixes: 38129a13 switch mnt_hash to hlist
    Cc: stable@vger.kernel.org
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
namespace.c 78.4 KB
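The stale-pprev problem the commit message describes, reproduced in a small user-space model. This is an added example, not code from the kernel or from this commit; it assumes the hlist layout mirrors include/linux/list.h (next plus a pointer to the previous next/first slot), names splice_buggy/splice_fixed and the a/b/x nodes are constructed for illustration, and head_survives reports whether the list head still reaches the spliced-in chain after the former first entry is deleted the way namespace_unlock deletes it.

```c
#include <stdbool.h>
#include <stddef.h>
/* Minimal user-space model of the kernel hlist (assumed to mirror include/linux/list.h). */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	n->next = h->first;
	if (h->first)
		h->first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}
/* Unlink through pprev: this is what namespace_unlock does for each mount. */
static void hlist_del_init(struct hlist_node *n)
{
	*n->pprev = n->next;	/* a stale pprev makes this write stomp the old head */
	if (n->next)
		n->next->pprev = n->pprev;
	n->next = NULL;
	n->pprev = NULL;
}
/* Open-coded splice as in 38129a13: prepend [first..last] to h, but the former h->first keeps pprev == &h->first. */
static void splice_buggy(struct hlist_node *first, struct hlist_node *last, struct hlist_head *h)
{
	last->next = h->first;
	h->first = first;
	first->pprev = &h->first;
}
/* Corrected splice: also re-point the former first entry's pprev at &last->next. */
static void splice_fixed(struct hlist_node *first, struct hlist_node *last, struct hlist_head *h)
{
	last->next = h->first;
	if (h->first)
		h->first->pprev = &last->next;
	h->first = first;
	first->pprev = &h->first;
}
/* Constructed scenario: 'unmounted' holds x, [a, b] is spliced in front, then x is deleted; true iff the head still reaches a. */
static bool head_survives(bool use_fix)
{
	struct hlist_head unmounted = { NULL }, tmp = { NULL };
	struct hlist_node a, b, x;
	hlist_add_head(&x, &unmounted);
	hlist_add_head(&b, &tmp);
	hlist_add_head(&a, &tmp);	/* tmp is now a -> b */
	(use_fix ? splice_fixed : splice_buggy)(&a, &b, &unmounted);
	hlist_del_init(&x);
	return unmounted.first == &a;
}
```

With the buggy splice, deleting x writes x->next (NULL here, an arbitrary mount in the kernel case) into unmounted.first, orphaning a and b; with the fix the write lands in b->next and the head is untouched.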