Re: [PATCH] fs: bound mount propagation fix

From: Andrew Morton
Date: Tue Apr 19 2011 - 17:04:51 EST

Next message: Greg KH: "[26/26] net: fix rds_iovec page count overflow"
Previous message: Greg KH: "[25/26] net: ax25: fix information leak to userland harder"
Next in thread: Roman Borisov: "Re: [PATCH] fs: bound mount propagation fix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 1 Apr 2011 18:48:20 +0400
Roman Borisov <ext-roman.borisov@xxxxxxxxx> wrote:

> I think MS_SILENT shouldn't be cleared anywhere. I suppose the bug is in
> MS_SHARED options checking. Please see the patch below.
>
> Fixed MS_SHARED, MS_SLAVE, MS_UNBINDABLE option handling;
> Existing options check doesn't allow to have any options combinations
> because of integer comparison (not bitwise).
>

(when fixing a bug, please include a *complete* description of that bug
in the changelog. It should include a description of the user-visible
misbehaviour and a description of the coding error).

The vfs code is pretty confusing about whether `type' is supposed to be
a scalar or a bitfield.

flags_to_propagation_type() has that is_power_of-two() check in there
to reject more-than-one-bit-set.

> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 2beb0fb..e0cf263 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -1434,7 +1434,7 @@ static int do_change_type(struct path *path, int flag)
> return -EINVAL;
>
> down_write(&namespace_sem);
> - if (type == MS_SHARED) {
> + if (type & MS_SHARED) {

So this change won't do anything, because do_change_type() has used
flags_to_propagation_type().

> err = invent_group_ids(mnt, recurse);
> if (err)
> goto out_unlock;
> diff --git a/fs/pnode.c b/fs/pnode.c
> index 8d5f392..0c9dc54 100644
> --- a/fs/pnode.c
> +++ b/fs/pnode.c
> @@ -128,15 +128,15 @@ static int do_make_slave(struct vfsmount *mnt)
>
> void change_mnt_propagation(struct vfsmount *mnt, int type)
> {
> - if (type == MS_SHARED) {
> + if (type & MS_SHARED) {
> set_mnt_shared(mnt);
> return;
> }
> do_make_slave(mnt);
> - if (type != MS_SLAVE) {
> + if (!(type & MS_SLAVE)) {
> list_del_init(&mnt->mnt_slave);
> mnt->mnt_master = NULL;
> - if (type == MS_UNBINDABLE)
> + if (type & MS_UNBINDABLE)
> mnt->mnt_flags |= MNT_UNBINDABLE;
> else
> mnt->mnt_flags &= ~MNT_UNBINDABLE;

And afaict, no caller of change_mnt_propagation() will pass in a `type'
with more than a single bit set. umount_tree() passed MS_PRIVATE and
do_change_type() uses flags_to_propagation_type().

So as far as I can tell, this patch won't fix anything??
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[26/26] net: fix rds_iovec page count overflow"
Previous message: Greg KH: "[25/26] net: ax25: fix information leak to userland harder"
Next in thread: Roman Borisov: "Re: [PATCH] fs: bound mount propagation fix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]