Commit 65781e19 authored Apr 28, 2025 by Al Viro

do_umount(): add missing barrier before refcount checks in sync case



do_umount() analogue of the race fixed in 119e1ef8 "fix
__legitimize_mnt()/mntput() race".  Here we want to make sure that
if __legitimize_mnt() doesn't notice our lock_mount_hash(), we will
notice their refcount increment.  Harder to hit than mntput_no_expire()
one, fortunately, and consequences are milder (sync umount acting
like umount -l on a rare race with RCU pathwalk hitting at just the
wrong time instead of use-after-free galore mntput_no_expire()
counterpart used to be hit).  Still a bug...

Fixes: 48a066e7 ("RCU'd vfsmounts")
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

parent 250cf369

fs/namespace.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -787,7 +787,7 @@ int __legitimize_mnt(struct vfsmount *bastard, unsigned seq)
		return 0;
		mnt = real_mount(bastard);
		mnt_add_count(mnt, 1);
		smp_mb(); // see mntput_no_expire()
		smp_mb(); // see mntput_no_expire() and do_umount()
		if (likely(!read_seqretry(&mount_lock, seq)))
		return 0;
		lock_mount_hash();
		@@ -2044,6 +2044,7 @@ static int do_umount(struct mount *mnt, int flags)
		umount_tree(mnt, UMOUNT_PROPAGATE);
		retval = 0;
		} else {
		smp_mb(); // paired with __legitimize_mnt()
		shrink_submounts(mnt);
		retval = -EBUSY;
		if (!propagate_mount_busy(mnt, 2)) {