On Wed, Jun 04, 2025 at 12:17:09AM +0100, Al Viro wrote:
> Holding namespace_sem is enough to make sure that result remains valid.
> It is *not* enough to avoid false negatives from __lookup_mnt(). Mounts
> can be unhashed outside of namespace_sem (stuck children getting detached
> on final mntput() of lazy-umounted mount) and having an unrelated mount
> removed from the hash chain while we traverse it may end up with false
> negative from __lookup_mnt(). We need to sample and recheck the seqlock
> component of mount_lock...
>
> Bug predates the introduction of path_overmount() - it had come from
> the code in finish_automount() that got abstracted into that helper.
>
> Fixes: 26df6034fdb2 ("fix automount/automount race properly")
> Fixes: 6ac392815628 ("fs: allow to mount beneath top mount")
> Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> ---
Reviewed-by: Christian Brauner <brauner@xxxxxxxxxx>
