do_add_mount()/umount -l races

normally we deal with lock_mount()/umount races by checking that
mountpoint to be is still in our namespace after lock_mount() has
been done.  However, do_add_mount() skips that check when called
with MNT_SHRINKABLE in flags (i.e. from finish_automount()).  The
reason is that ->mnt_ns may be a temporary namespace created exactly
to contain automounts a-la NFS4 referral handling.  It's not the
namespace of the caller, though, so check_mnt() would fail here.
We still need to check that ->mnt_ns is non-NULL in that case,
though.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 8 insertions, 2 deletions

diff --git a/fs/namespace.c b/fs/namespace.c
index 4d31f73e2561..7bdf7907413f 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1886,8 +1886,14 @@ static int do_add_mount(struct mount *newmnt, struct path *path, int mnt_flags)
                 return err;
 
         err = -EINVAL;
-        if (!(mnt_flags & MNT_SHRINKABLE) && !check_mnt(real_mount(path->mnt)))
-                goto unlock;
+        if (unlikely(!check_mnt(real_mount(path->mnt)))) {
+                /* that's acceptable only for automounts done in private ns */
+                if (!(mnt_flags & MNT_SHRINKABLE))
+                        goto unlock;
+                /* ... and for those we'd better have mountpoint still alive */
+                if (!real_mount(path->mnt)->mnt_ns)
+                        goto unlock;
+        }
 
         /* Refuse the same filesystem on the same mount point */
         err = -EBUSY;