[RHEL7,COMMIT] ms/fs: Don't leak MNT_INTERNAL away from internal mounts

Submitted by Konstantin Khorenko on April 27, 2018, 10:13 a.m.


Message ID 201804271013.w3RADK3X032271@finist_ce7.work
State New
Series "ms/fs: Don't leak MNT_INTERNAL away from internal mounts"

Commit Message

Konstantin Khorenko April 27, 2018, 10:13 a.m.
The commit is pushed to "branch-rh7-3.10.0-693.21.1.vz7.47.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.21.1.vz7.47.1
commit 4f34ee3327bedea25f0057a123b9fb7621e62cf7
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Apr 27 13:13:20 2018 +0300

    ms/fs: Don't leak MNT_INTERNAL away from internal mounts
    commit 16a34adb9392b2fe4195267475ab5b472e55292c upstream.
    We want it only for the stuff created by SB_KERNMOUNT mounts, *not* for
    their copies.  As it is, creating a deep stack of bindings of /proc/*/ns/*
    somewhere in a new namespace and exiting yields a stack overflow.
    Cc: stable@kernel.org
    Reported-by: Alexander Aring <aring@mojatatu.com>
    Bisected-by: Kirill Tkhai <ktkhai@virtuozzo.com>
    Tested-by: Kirill Tkhai <ktkhai@virtuozzo.com>
    Tested-by: Alexander Aring <aring@mojatatu.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    [Problem commit existing in our kernel,
     but it doesn't reproduce with our config:
    Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
 fs/namespace.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


diff --git a/fs/namespace.c b/fs/namespace.c
index 46b521b8d16a..98e5fb577e15 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1014,7 +1014,8 @@  static struct mount *clone_mnt(struct mount *old, struct dentry *root,
 			goto out_free;
-	mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
+	mnt->mnt.mnt_flags = old->mnt.mnt_flags;
+	mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);
 	/* Don't allow unprivileged users to change mount flags */
 	if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
 		mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
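Review bot: the two new lines in clone_mnt() clear MNT_INTERNAL from every copy without saying why, so the reason given in the commit message (the flag is meant only for SB_KERNMOUNT mounts, never their bindings, and a deep stack of bindings of /proc/*/ns/* overflows the stack on exit) should be carried into a short comment at that line; the split into an assignment plus a masking statement is also harder to read than the one-line form of the removed line, so consider keeping a single `mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);`. The backport note in the commit message ("[Problem commit existing in our kernel, but it doesn't reproduce with our config:") is left unclosed and unfinished, so the vz7 rationale for pulling in the upstream fix should be completed before this is merged.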