From: Miklos Szeredi

This patch clears mnt_namespace on unmount. Not clearing mnt_namespace has two effects:

1) It is possible to attach a new mount to a detached mount, because check_mnt() returns true. This means that when no other references to the detached mount remain, it still can't be freed. This causes a resource leak, and possibly un-removable modules.

2) If mnt_namespace is dereferenced (only in mark_mounts_for_expiry()) after the namespace has been freed, it can cause an Oops, memory corruption, etc.

1) has been tested before and after the patch, 2) is only speculation.

Signed-off-by: Miklos Szeredi
Signed-off-by: Andrew Morton
---
 fs/namespace.c | 8 +-------
 1 files changed, 1 insertion(+), 7 deletions(-)

diff -puN fs/namespace.c~namespacec-fix-mnt_namespace-clearing fs/namespace.c --- 25/fs/namespace.c~namespacec-fix-mnt_namespace-clearing Mon May 16 14:56:47 2005 +++ 25-akpm/fs/namespace.c Mon May 16 14:56:47 2005 @@ -345,6 +345,7 @@ void umount_tree(struct vfsmount *mnt) for (p = mnt; p; p = next_mnt(p, mnt)) { list_del(&p->mnt_list); list_add(&p->mnt_list, &kill); + p->mnt_namespace = NULL; } while (!list_empty(&kill)) { @@ -1449,15 +1450,8 @@ void __init mnt_init(unsigned long mempa void __put_namespace(struct namespace *namespace) { - struct vfsmount *mnt; - down_write(&namespace->sem); spin_lock(&vfsmount_lock); - - list_for_each_entry(mnt, &namespace->list, mnt_list) { - mnt->mnt_namespace = NULL; - } - umount_tree(namespace->root); spin_unlock(&vfsmount_lock); up_write(&namespace->sem); _
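Review bot: the new `p->mnt_namespace = NULL;` in the umount_tree() hunk (the `for (p = mnt; p; p = next_mnt(p, mnt))` loop) now runs for every caller of umount_tree(), not only for __put_namespace(), and the description only motivates it by the namespace-teardown case; a one-line comment above the assignment saying that a NULL mnt_namespace marks the mount as detached so that check_mnt() rejects further attachments to it would make the intent visible in the code, and the commit message should state that this covers all umount_tree() users.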
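Review bot: the __put_namespace() hunk replaces a `list_for_each_entry(mnt, &namespace->list, mnt_list)` walk, which cleared mnt_namespace on every mount in the namespace's list, with the clearing done inside `umount_tree(namespace->root)`, which only visits mounts reachable from the root via next_mnt(); the patch needs a sentence confirming that every entry on namespace->list is reachable from namespace->root, because any mount missed by the tree walk would keep a dangling mnt_namespace after the namespace is freed, which is exactly the mark_mounts_for_expiry() use-after-free risk item 2 of the description warns about.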