fix the struct mount leak in umount_tree()
authorAl Viro <viro@zeniv.linux.org.uk>
Wed, 24 Jul 2019 16:45:46 +0000 (12:45 -0400)
committerAl Viro <viro@zeniv.linux.org.uk>
Fri, 26 Jul 2019 11:59:06 +0000 (07:59 -0400)
We need to drop everything we remove from the tree, whether
mnt_has_parent() is true or not.  Usually the bug manifests as a slow
memory leak (leaked struct mount for initramfs); it becomes much more
visible in mount_subtree() users, such as btrfs.  There we leak
a struct mount for btrfs superblock being mounted, which prevents
fs shutdown on subsequent umount.

Fixes: 56cbb429d911 ("switch the remnants of releasing the mountpoint away from fs_pin")
Reported-by: Nikolay Borisov <nborisov@suse.com>
Tested-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/namespace.c

index 6464ea4acba9418f489fe8d5f867f55ef232b4e3..d28d30b1304397eac7c92a4be3f60e02a9a536d7 100644 (file)
@@ -1463,7 +1463,6 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how)
                        p->mnt.mnt_flags |= MNT_SYNC_UMOUNT;
 
                disconnect = disconnect_mount(p, how);
-
                if (mnt_has_parent(p)) {
                        mnt_add_count(p->mnt_parent, -1);
                        if (!disconnect) {
@@ -1471,10 +1470,11 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how)
                                list_add_tail(&p->mnt_child, &p->mnt_parent->mnt_mounts);
                        } else {
                                umount_mnt(p);
-                               hlist_add_head(&p->mnt_umount, &unmounted);
                        }
                }
                change_mnt_propagation(p, MS_PRIVATE);
+               if (disconnect)
+                       hlist_add_head(&p->mnt_umount, &unmounted);
        }
 }