diff options
author | Miklos Szeredi <mszeredi@suse.cz> | 2010-10-05 12:31:09 +0200 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2010-10-25 21:24:16 -0400 |
commit | be1a16a0ae29a7c90081a657b64aa51cb1a65a27 (patch) | |
tree | 18bef9178b1142d839b906ce3bf38c92eb650ee8 /fs/namespace.c | |
parent | 89b0fc38cca4e6c92a90b58960881ffc5dddd89c (diff) | |
download | op-kernel-dev-be1a16a0ae29a7c90081a657b64aa51cb1a65a27.zip op-kernel-dev-be1a16a0ae29a7c90081a657b64aa51cb1a65a27.tar.gz |
vfs: fix infinite loop caused by clone_mnt race
If clone_mnt() happens while mnt_make_readonly() is running, the
cloned mount might have MNT_WRITE_HOLD flag set, which results in
mnt_want_write() spinning forever on this mount.
Needs CAP_SYS_ADMIN to trigger deliberately and unlikely to happen
accidentally. But if it does happen it can hang the machine.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/namespace.c')
-rw-r--r-- | fs/namespace.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index 7ca5182..8a415c9 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -595,7 +595,7 @@ static struct vfsmount *clone_mnt(struct vfsmount *old, struct dentry *root, goto out_free; } - mnt->mnt_flags = old->mnt_flags; + mnt->mnt_flags = old->mnt_flags & ~MNT_WRITE_HOLD; atomic_inc(&sb->s_active); mnt->mnt_sb = sb; mnt->mnt_root = dget(root); |