On Mon, Mar 12, 2018 at 03:23:44PM -0500, Eric W. Biederman wrote:

> Of the two code paths you are concerned about:
> 
> For path path_connected looking at s_root is a heuristic to avoid
> calling is_subdir every time we need to do that check.  If the heuristic
> fails we still have is_subdir which should remain accurate.  If
> is_subdir fails the path is genuinely not connected at that moment
> and failing is the correct thing to do.
 
Umm...  That might be not good enough - the logic is "everything's
reachable from ->s_root anyway, so we might as well not bother checking".
For NFS it's simply not true.

We can mount server:/foo/bar/baz on /tmp/a, then server:/foo on /tmp/b
and we'll have ->s_root pointing to a subtree of what's reachable at
/tmp/b.  Play with renames under /tmp/b and you just might end up with
a problem.  And mount on /tmp/a will be (mistakenly) considered to
be safe, since it satisfies the heuristics in path_connected().

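The scenario described in the reply, replayed as an added user-space model. This is illustrative code written for this page, not code from the thread or from the kernel: the struct shapes are simplified (a root dentry has parent == NULL instead of pointing at itself), `model_is_subdir`, `path_connected_heuristic`, `run_nfs_scenario` and the `multiroot` flag are names invented here, and the "multiroot-aware" variant is one possible hardening shown for contrast, not the fix the thread went on to adopt. The server namespace and the two mounts are constructed to match the mail: server:/foo/bar/baz mounted first on /tmp/a (so s_root is baz), then server:/foo on /tmp/b, then a rename done through /tmp/b.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of the kernel objects (assumption: a root
 * dentry has parent == NULL here, unlike the kernel where it points at itself). */
struct dentry {
    const char *name;
    struct dentry *parent;
};

struct super_block {
    struct dentry *s_root;  /* root of whatever was mounted first */
    bool multiroot;         /* assumption: flag a hardened check could consult */
};

struct vfsmount {
    struct super_block *mnt_sb;
    struct dentry *mnt_root; /* what this particular mount exposes */
};

struct path {
    struct vfsmount *mnt;
    struct dentry *dentry;
};

/* Walk parent pointers: is 'dentry' at or below 'ancestor'? (models is_subdir) */
bool model_is_subdir(struct dentry *dentry, struct dentry *ancestor)
{
    for (struct dentry *d = dentry; d != NULL; d = d->parent)
        if (d == ancestor)
            return true;
    return false;
}

/* The heuristic under discussion: when the mount root is the superblock root,
 * assume everything is reachable and skip is_subdir entirely. */
bool path_connected_heuristic(const struct path *path)
{
    struct vfsmount *mnt = path->mnt;

    if (mnt->mnt_root == mnt->mnt_sb->s_root)
        return true;
    return model_is_subdir(path->dentry, mnt->mnt_root);
}

/* One possible hardening (illustration only, not the thread's fix): refuse the
 * shortcut for a superblock that can expose more than one root. */
bool path_connected_multiroot_aware(const struct path *path)
{
    struct vfsmount *mnt = path->mnt;

    if (!mnt->mnt_sb->multiroot && mnt->mnt_root == mnt->mnt_sb->s_root)
        return true;
    return model_is_subdir(path->dentry, mnt->mnt_root);
}

struct outcome {
    bool heuristic_says_connected;  /* what the shortcut answers for /tmp/a */
    bool really_connected;          /* what is_subdir answers for /tmp/a */
    bool aware_says_connected;      /* what the hardened variant answers */
    bool tmp_b_connected;           /* sanity check: still reachable via /tmp/b */
};

/* Replays the mail's scenario: two mounts sharing one NFS superblock whose
 * s_root is the subtree mounted first, then a rename through the wider mount. */
struct outcome run_nfs_scenario(void)
{
    /* Constructed server namespace: /foo/bar/baz/x plus an empty /foo/qux */
    struct dentry foo = { "foo", NULL };
    struct dentry bar = { "bar", &foo };
    struct dentry baz = { "baz", &bar };
    struct dentry qux = { "qux", &foo };
    struct dentry x   = { "x",   &baz };

    /* 1. mount server:/foo/bar/baz on /tmp/a: s_root becomes 'baz' */
    struct super_block sb = { &baz, false };
    struct vfsmount mnt_a = { &sb, &baz };
    /* 2. mount server:/foo on /tmp/b: same superblock, mnt_root above s_root */
    struct vfsmount mnt_b = { &sb, &foo };
    /* 3. rename under /tmp/b: mv /tmp/b/bar/baz/x /tmp/b/qux/x */
    x.parent = &qux;
    /* 4. a walk through /tmp/a still holding 'x' asks whether it is inside the mount */
    struct path via_a = { &mnt_a, &x };
    struct path via_b = { &mnt_b, &x };
    struct outcome o;

    o.heuristic_says_connected = path_connected_heuristic(&via_a);
    o.really_connected = model_is_subdir(via_a.dentry, mnt_a.mnt_root);
    sb.multiroot = true;    /* the hardened check relies on the superblock being marked */
    o.aware_says_connected = path_connected_multiroot_aware(&via_a);
    o.tmp_b_connected = path_connected_multiroot_aware(&via_b);
    return o;
}

int main(void)
{
    struct outcome o = run_nfs_scenario();

    printf("heuristic says connected via /tmp/a: %d\n", o.heuristic_says_connected);
    printf("is_subdir says connected via /tmp/a: %d\n", o.really_connected);
    printf("multiroot-aware says connected via /tmp/a: %d\n", o.aware_says_connected);
    printf("still reachable through /tmp/b: %d\n", o.tmp_b_connected);
    return 0;
}
```

The point the model makes concrete: after the rename, `x` has left the subtree that /tmp/a exposes, `is_subdir` reports that correctly, but the shortcut never asks it because `mnt_root == s_root` holds for /tmp/a. Any check that wants to stay accurate on a superblock like this has to either drop the shortcut or know that the superblock's s_root is not an upper bound on what the filesystem can hand back.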