On Tue, Jun 10, 2025 at 09:21:31AM +0100, Al Viro wrote: > The underlying rules are simple: > * MNT_SHARED should be set iff ->mnt_group_id of new mount ends up > non-zero. > * mounts should be on the same ->mnt_share cyclic list iff they have > the same non-zero ->mnt_group_id value. > * CL_PRIVATE is mutually exclusive with MNT_SHARED, MNT_SLAVE, > MNT_SHARED_TO_SLAVE and MNT_EXPIRE; the whole point of that thing is to > get a clone of old mount that would *not* be on any namespace-related > lists. > > The above allows to make the logics more straightforward; what's more, > it makes the proof that invariants are maintained much simpler. > The variant in mainline is safe (aside of a very narrow race with > unsafe modification of mnt_flags right after we had the mount exposed > in superblock's ->s_mounts; theoretically it can race with ro remount > of the original, but it's not easy to hit), but proof of its correctness > is really unpleasant. > > Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx> > --- Reviewed-by: Christian Brauner <brauner@xxxxxxxxxx>
