Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp3331485ima;
        Tue, 23 Oct 2018 04:20:51 -0700 (PDT)
X-Google-Smtp-Source: AJdET5dJXcN/PWaSqYHraxGf91LmAZfoAnfjJpglA99n+elcwMAK72qvRvNSEmkRtQYoEWpCcmA0
X-Received: by 2002:a63:dc0c:: with SMTP id s12mr2829724pgg.398.1540293651400;
        Tue, 23 Oct 2018 04:20:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540293651; cv=none;
        d=google.com; s=arc-20160816;
        b=dqOreWgwxw0fhNrEaEvFpH8KnsOZdMzx8vNFtIuWc4cAk28osJ5L+xZyLa3W+UCCwj
         4jAUhD+nZh6ytVB1NyhtpodamyuIsXVo5qFTYBhxQHq1jQIeTRYBbfuhqXN8j2795bLW
         /E2SkStUoMEkRY8GfFwy6CNHHIS99lw209vYdy34eOu+aWJp6Rp8IeDXObvQ3z2cRoOe
         Gu03JKFw/pD8Wt6bsXdwNCs2bLEejbHEI9o85Z5p3ZUgDYh+Nle8D7x2u6I6rbou2KNo
         vl0IXmBBNutHgbxozCe4svfMVWFAwia9uER1oMVLhAzjDG/MOFA4/+9v/ExW8/I8I8ig
         hgrg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature;
        bh=xTscv4Cyqb7mWU/FFwbVyr2C9Pa2YtNZBj8B54t8jME=;
        b=fnLlwJbtA6rHOSRH829y80W+cDmxFxOCqeVaHaY1cqXK2DysQoupFfE4VK7yQ/aVQb
         fLTAwJCC2RaZR0knnG+y2+Yi09ahysrHaSDDZZv34ZK5CBsGaQZBDK/knhKbdfEVZS/h
         gW4b29h+5f9tlKuBh1G/1QUOJdIywqQ9jIRvX/+gQfo+7xgFOGSWwvZBR1qj02GyF86w
         0lp9o/86gjoYMGcQIjl04xCJisZCeKidY99ei6ZR9rrcgUJKUWpCufKJ4kavUbrr0efS
         SJKJeblBvQ5/ND5O19sw4i2uLx//74aJ+RhjhkdM8kZAaE6oCuUjT8hXWSxuHWRk9gOs
         sPTw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ok+4gX5u;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g22-v6si982648pgg.575.2018.10.23.04.20.35;
        Tue, 23 Oct 2018 04:20:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ok+4gX5u;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728207AbeJWTml (ORCPT <rfc822;krseo358@gmail.com> + 99 others);
        Tue, 23 Oct 2018 15:42:41 -0400
Received: from mail-wr1-f67.google.com ([209.85.221.67]:37584 "EHLO
        mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727568AbeJWTml (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 23 Oct 2018 15:42:41 -0400
Received: by mail-wr1-f67.google.com with SMTP id g9-v6so1255164wrq.4;
        Tue, 23 Oct 2018 04:19:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=xTscv4Cyqb7mWU/FFwbVyr2C9Pa2YtNZBj8B54t8jME=;
        b=Ok+4gX5usggfWgpZRKxs2dbIq5CGsN2Y6i7t7RDGyMXRdtgbUnOuxVOt66h0gYCUwS
         48vbNWRpcRBP853YqfIdhcZoYpOpK/2u7+Oavf7s6wNU3qM/E/IFmSiGVWLQdnCkdOzK
         0+TGlM2jHg/aY3aTx/vK33XMrL4/oRVw0fUuBCy47MXNREujxAYegVJm1XfThAfDNDX4
         0cLTfsp/M7mApqHltA304HzIIJWviDTDqB5ROH8zw9YLm7ciVGSnfDo7Juw36FFm9djE
         2d98Y3ofyyJhzo14iIv00BHLLsTRhJnhaO9gT8fWw6oLjSwUTezxxg+3G5hT+7g1AX5/
         3b6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=xTscv4Cyqb7mWU/FFwbVyr2C9Pa2YtNZBj8B54t8jME=;
        b=IdwjK90+xrQt/r0Z5+t7pBO31QNOHUtvmPdjr/KtElLNUQuld0aYX3bcAahn3YUN6j
         1i3Pgysr+T2bxK76p1XcdrUYf+BnDk6vY7NuL6pSM2Efb4JEmbqJn3l5gJGixCf7lj1O
         UwY4RvWbE3d5piWUFQfcqDkAVj1mFg9jrimQphenE+AnNAtcIPg19nOSvT7li8kGL7tL
         aZZHitQpkASxhmn0kCQQI5tTadgRSCfGx5sMxX3XU0ZvuX+GoXeAaJSiBJRyv0APW4Jp
         oHuWFj3BkH6sk4FWY0hYUBq8aF8RN6etPwBMYwWrdmtR43SN+H8lqdcElyw3Ckl3tKSs
         JhDw==
X-Gm-Message-State: ABuFfoiztgUDmw0h862ONuge4gwqWkLIiLkD2FuRxzqBvKSeFp29DSbR
        JqLbj0jivV8xRLzW7Wqwqd8=
X-Received: by 2002:a5d:424c:: with SMTP id s12-v6mr28187689wrr.260.1540293577644;
        Tue, 23 Oct 2018 04:19:37 -0700 (PDT)
Received: from [172.16.1.192] (host-89-243-172-161.as13285.net. [89.243.172.161])
        by smtp.gmail.com with ESMTPSA id 64-v6sm1426279wrr.64.2018.10.23.04.19.36
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 23 Oct 2018 04:19:36 -0700 (PDT)
Subject: Re: [PATCH 03/34] teach move_mount(2) to work with OPEN_TREE_CLONE
 [ver #12]
To:     David Howells <dhowells@redhat.com>, viro@zeniv.linux.org.uk
Cc:     torvalds@linux-foundation.org, ebiederm@xmission.com,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        mszeredi@redhat.com
References: <153754740781.17872.7869536526927736855.stgit@warthog.procyon.org.uk>
 <153754743491.17872.12115848333103740766.stgit@warthog.procyon.org.uk>
From:   Alan Jenkins <alan.christopher.jenkins@gmail.com>
Message-ID: <df9e6cd1-415b-4ad1-b506-79e9604e6b68@gmail.com>
Date:   Tue, 23 Oct 2018 12:19:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <153754743491.17872.12115848333103740766.stgit@warthog.procyon.org.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 21/09/2018 17:30, David Howells wrote:
> From: Al Viro <viro@zeniv.linux.org.uk>
> 
> Allow a detached tree created by open_tree(..., OPEN_TREE_CLONE) to be
> attached by move_mount(2).
> 
> If by the time of final fput() of OPEN_TREE_CLONE-opened file its tree is
> not detached anymore, it won't be dissolved.  move_mount(2) is adjusted
> to handle detached source.
> 
> That gives us equivalents of mount --bind and mount --rbind.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> Signed-off-by: David Howells <dhowells@redhat.com>
> ---
> 
>   fs/namespace.c |   26 ++++++++++++++++++++------
>   1 file changed, 20 insertions(+), 6 deletions(-)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index dd38141b1723..caf5c55ef555 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -1785,8 +1785,10 @@ void dissolve_on_fput(struct vfsmount *mnt)
>   {
>   	namespace_lock();
>   	lock_mount_hash();
> -	mntget(mnt);
> -	umount_tree(real_mount(mnt), UMOUNT_CONNECTED);
> +	if (!real_mount(mnt)->mnt_ns) {
> +		mntget(mnt);
> +		umount_tree(real_mount(mnt), UMOUNT_CONNECTED);
> +	}
>   	unlock_mount_hash();
>   	namespace_unlock();
>   }
> @@ -2393,6 +2395,7 @@ static int do_move_mount(struct path *old_path, struct path *new_path)
>   	struct mount *old;
>   	struct mountpoint *mp;
>   	int err;
> +	bool attached;
>   
>   	mp = lock_mount(new_path);
>   	err = PTR_ERR(mp);
> @@ -2403,10 +2406,19 @@ static int do_move_mount(struct path *old_path, struct path *new_path)
>   	p = real_mount(new_path->mnt);
>   
>   	err = -EINVAL;
> -	if (!check_mnt(p) || !check_mnt(old))
> +	/* The mountpoint must be in our namespace. */
> +	if (!check_mnt(p))
> +		goto out1;
> +	/* The thing moved should be either ours or completely unattached. */
> +	if (old->mnt_ns && !check_mnt(old))
>   		goto out1;
>   
> -	if (!mnt_has_parent(old))
> +	attached = mnt_has_parent(old);
> +	/*
> +	 * We need to allow open_tree(OPEN_TREE_CLONE) followed by
> +	 * move_mount(), but mustn't allow "/" to be moved.
> +	 */
> +	if (old->mnt_ns && !attached)
>   		goto out1;
>   
>   	if (old->mnt.mnt_flags & MNT_LOCKED)
> @@ -2421,7 +2433,7 @@ static int do_move_mount(struct path *old_path, struct path *new_path)
>   	/*
>   	 * Don't move a mount residing in a shared parent.
>   	 */
> -	if (IS_MNT_SHARED(old->mnt_parent))
> +	if (attached && IS_MNT_SHARED(old->mnt_parent))
>   		goto out1;
>   	/*
>   	 * Don't move a mount tree containing unbindable mounts to a destination
> @@ -2435,7 +2447,7 @@ static int do_move_mount(struct path *old_path, struct path *new_path)
>   			goto out1;
>   
>   	err = attach_recursive_mnt(old, real_mount(new_path->mnt), mp,
> -				   &parent_path);
> +				   attached ? &parent_path : NULL);
>   	if (err)
>   		goto out1;
>   

I think there's another small hole.  It is possible to move a sub-mount 
from a detached tree (instead of moving the root of the tree).  Then 
do_move_mount() calls attach_recursive_mnt() with a non-NULL parent_path.

This causes it to skip count_mounts().  So, it doesn't count the number 
of attached mounts, and it allows you to exceed sysctl_mount_max.

Regards
Alan

(I've tested to confirm the code lets you move a sub-mount.  I didn't 
test whether it allows exceeding sysctl_mount_max.

# unshare -m --propagation private
# mkdir -p /tmp/mnt
# mount --bind /tmp/mnt /tmp/mnt
# open_tree_clone 3</tmp 3 sh
# cd /proc/self/fd/3
# mount --move mnt /mnt
# exit
exit
# exit
logout
#