/*
   *  linux/fs/namespace.c
   *
   * (C) Copyright Al Viro 2000, 2001
   *	Released under GPL v2.
   *
   * Based on code from fs/super.c, copyright Linus Torvalds and others.
   * Heavily rewritten.
   */

  #include <linux/syscalls.h>

  #include <linux/export.h>

  #include <linux/capability.h>

  #include <linux/mnt_namespace.h>

  #include <linux/user_namespace.h>

  #include <linux/namei.h>
  #include <linux/security.h>

  #include <linux/cred.h>

  #include <linux/idr.h>

  #include <linux/init.h>		/* init_rootfs */

  #include <linux/fs_struct.h>	/* get_fs_root et.al. */
  #include <linux/fsnotify.h>	/* fsnotify_vfsmount_delete */
  #include <linux/uaccess.h>

  #include <linux/proc_ns.h>

  #include <linux/magic.h>

  #include <linux/bootmem.h>

  #include <linux/task_work.h>

  #include <linux/sched/task.h>

  #include "pnode.h"

  #include "internal.h"

  /* Maximum number of mounts in a mount namespace */
  unsigned int sysctl_mount_max __read_mostly = 100000;

  static unsigned int m_hash_mask __read_mostly;
  static unsigned int m_hash_shift __read_mostly;
  static unsigned int mp_hash_mask __read_mostly;
  static unsigned int mp_hash_shift __read_mostly;
  
  static __initdata unsigned long mhash_entries;
  static int __init set_mhash_entries(char *str)
  {
  	if (!str)
  		return 0;
  	mhash_entries = simple_strtoul(str, &str, 0);
  	return 1;
  }
  __setup("mhash_entries=", set_mhash_entries);
  
  static __initdata unsigned long mphash_entries;
  static int __init set_mphash_entries(char *str)
  {
  	if (!str)
  		return 0;
  	mphash_entries = simple_strtoul(str, &str, 0);
  	return 1;
  }
  __setup("mphash_entries=", set_mphash_entries);

  static u64 event;

  static DEFINE_IDA(mnt_id_ida);

  static DEFINE_IDA(mnt_group_ida);

  static DEFINE_SPINLOCK(mnt_id_lock);

  static int mnt_id_start = 0;
  static int mnt_group_start = 1;

  static struct hlist_head *mount_hashtable __read_mostly;

  static struct hlist_head *mountpoint_hashtable __read_mostly;

  static struct kmem_cache *mnt_cache __read_mostly;

  static DECLARE_RWSEM(namespace_sem);

  /* /sys/fs */

  struct kobject *fs_kobj;
  EXPORT_SYMBOL_GPL(fs_kobj);

  /*
   * vfsmount lock may be taken for read to prevent changes to the
   * vfsmount hash, ie. during mountpoint lookups or walking back
   * up the tree.
   *
   * It should be taken for write in all cases where the vfsmount
   * tree or hash is modified or when a vfsmount structure is modified.
   */

  __cacheline_aligned_in_smp DEFINE_SEQLOCK(mount_lock);

  static inline struct hlist_head *m_hash(struct vfsmount *mnt, struct dentry *dentry)

  {

  	unsigned long tmp = ((unsigned long)mnt / L1_CACHE_BYTES);
  	tmp += ((unsigned long)dentry / L1_CACHE_BYTES);

  	tmp = tmp + (tmp >> m_hash_shift);
  	return &mount_hashtable[tmp & m_hash_mask];
  }
  
  static inline struct hlist_head *mp_hash(struct dentry *dentry)
  {
  	unsigned long tmp = ((unsigned long)dentry / L1_CACHE_BYTES);
  	tmp = tmp + (tmp >> mp_hash_shift);
  	return &mountpoint_hashtable[tmp & mp_hash_mask];

  }

  static int mnt_alloc_id(struct mount *mnt)

  {
  	int res;
  
  retry:
  	ida_pre_get(&mnt_id_ida, GFP_KERNEL);

  	spin_lock(&mnt_id_lock);

  	res = ida_get_new_above(&mnt_id_ida, mnt_id_start, &mnt->mnt_id);

  	if (!res)

  		mnt_id_start = mnt->mnt_id + 1;

  	spin_unlock(&mnt_id_lock);

  	if (res == -EAGAIN)
  		goto retry;
  
  	return res;
  }

  static void mnt_free_id(struct mount *mnt)

  {

  	int id = mnt->mnt_id;

  	spin_lock(&mnt_id_lock);

  	ida_remove(&mnt_id_ida, id);
  	if (mnt_id_start > id)
  		mnt_id_start = id;

  	spin_unlock(&mnt_id_lock);

  }

  /*
   * Allocate a new peer group ID
   *
   * mnt_group_ida is protected by namespace_sem
   */

  static int mnt_alloc_group_id(struct mount *mnt)

  {

  	int res;

  	if (!ida_pre_get(&mnt_group_ida, GFP_KERNEL))
  		return -ENOMEM;

  	res = ida_get_new_above(&mnt_group_ida,
  				mnt_group_start,

  				&mnt->mnt_group_id);

  	if (!res)

  		mnt_group_start = mnt->mnt_group_id + 1;

  
  	return res;

  }
  
  /*
   * Release a peer group ID
   */

  void mnt_release_group_id(struct mount *mnt)

  {

  	int id = mnt->mnt_group_id;

  	ida_remove(&mnt_group_ida, id);
  	if (mnt_group_start > id)
  		mnt_group_start = id;

  	mnt->mnt_group_id = 0;

  }

  /*
   * vfsmount lock must be held for read
   */

  static inline void mnt_add_count(struct mount *mnt, int n)

  {
  #ifdef CONFIG_SMP

  	this_cpu_add(mnt->mnt_pcp->mnt_count, n);

  #else
  	preempt_disable();

  	mnt->mnt_count += n;

  	preempt_enable();
  #endif
  }

  /*
   * vfsmount lock must be held for write
   */

  unsigned int mnt_get_count(struct mount *mnt)

  {
  #ifdef CONFIG_SMP

  	unsigned int count = 0;

  	int cpu;
  
  	for_each_possible_cpu(cpu) {

  		count += per_cpu_ptr(mnt->mnt_pcp, cpu)->mnt_count;

  	}
  
  	return count;
  #else

  	return mnt->mnt_count;

  #endif
  }

  static void drop_mountpoint(struct fs_pin *p)
  {
  	struct mount *m = container_of(p, struct mount, mnt_umount);
  	dput(m->mnt_ex_mountpoint);
  	pin_remove(p);
  	mntput(&m->mnt);
  }

  static struct mount *alloc_vfsmnt(const char *name)

  {

  	struct mount *mnt = kmem_cache_zalloc(mnt_cache, GFP_KERNEL);
  	if (mnt) {

  		int err;

  		err = mnt_alloc_id(mnt);

  		if (err)
  			goto out_free_cache;
  
  		if (name) {

  			mnt->mnt_devname = kstrdup_const(name, GFP_KERNEL);

  			if (!mnt->mnt_devname)

  				goto out_free_id;

  		}

  #ifdef CONFIG_SMP

  		mnt->mnt_pcp = alloc_percpu(struct mnt_pcp);
  		if (!mnt->mnt_pcp)

  			goto out_free_devname;

  		this_cpu_add(mnt->mnt_pcp->mnt_count, 1);

  #else

  		mnt->mnt_count = 1;
  		mnt->mnt_writers = 0;

  #endif

  		INIT_HLIST_NODE(&mnt->mnt_hash);

  		INIT_LIST_HEAD(&mnt->mnt_child);
  		INIT_LIST_HEAD(&mnt->mnt_mounts);
  		INIT_LIST_HEAD(&mnt->mnt_list);
  		INIT_LIST_HEAD(&mnt->mnt_expire);
  		INIT_LIST_HEAD(&mnt->mnt_share);
  		INIT_LIST_HEAD(&mnt->mnt_slave_list);
  		INIT_LIST_HEAD(&mnt->mnt_slave);

  		INIT_HLIST_NODE(&mnt->mnt_mp_list);

  		INIT_LIST_HEAD(&mnt->mnt_umounting);

  		init_fs_pin(&mnt->mnt_umount, drop_mountpoint);

  	}

  	return mnt;

  #ifdef CONFIG_SMP
  out_free_devname:

  	kfree_const(mnt->mnt_devname);

  #endif

  out_free_id:

  	mnt_free_id(mnt);

  out_free_cache:

  	kmem_cache_free(mnt_cache, mnt);

  	return NULL;

  }

  /*
   * Most r/o checks on a fs are for operations that take
   * discrete amounts of time, like a write() or unlink().
   * We must keep track of when those operations start
   * (for permission checks) and when they end, so that
   * we can determine when writes are able to occur to
   * a filesystem.
   */

  /*
   * __mnt_is_readonly: check whether a mount is read-only
   * @mnt: the mount to check for its write status
   *
   * This shouldn't be used directly ouside of the VFS.
   * It does not guarantee that the filesystem will stay
   * r/w, just that it is right *now*.  This can not and
   * should not be used in place of IS_RDONLY(inode).
   * mnt_want/drop_write() will _keep_ the filesystem
   * r/w.
   */
  int __mnt_is_readonly(struct vfsmount *mnt)
  {

  	if (mnt->mnt_flags & MNT_READONLY)
  		return 1;

  	if (sb_rdonly(mnt->mnt_sb))

  		return 1;
  	return 0;

  }
  EXPORT_SYMBOL_GPL(__mnt_is_readonly);

  static inline void mnt_inc_writers(struct mount *mnt)

  {
  #ifdef CONFIG_SMP

  	this_cpu_inc(mnt->mnt_pcp->mnt_writers);

  #else

  	mnt->mnt_writers++;

  #endif
  }

  static inline void mnt_dec_writers(struct mount *mnt)

  {

  #ifdef CONFIG_SMP

  	this_cpu_dec(mnt->mnt_pcp->mnt_writers);

  #else

  	mnt->mnt_writers--;

  #endif

  }

  static unsigned int mnt_get_writers(struct mount *mnt)

  {

  #ifdef CONFIG_SMP
  	unsigned int count = 0;

  	int cpu;

  
  	for_each_possible_cpu(cpu) {

  		count += per_cpu_ptr(mnt->mnt_pcp, cpu)->mnt_writers;

  	}

  	return count;
  #else
  	return mnt->mnt_writers;
  #endif

  }

  static int mnt_is_readonly(struct vfsmount *mnt)
  {
  	if (mnt->mnt_sb->s_readonly_remount)
  		return 1;
  	/* Order wrt setting s_flags/s_readonly_remount in do_remount() */
  	smp_rmb();
  	return __mnt_is_readonly(mnt);
  }

  /*

   * Most r/o & frozen checks on a fs are for operations that take discrete
   * amounts of time, like a write() or unlink().  We must keep track of when
   * those operations start (for permission checks) and when they end, so that we
   * can determine when writes are able to occur to a filesystem.

   */

  /**

   * __mnt_want_write - get write access to a mount without freeze protection

   * @m: the mount on which to take a write

   *

   * This tells the low-level filesystem that a write is about to be performed to
   * it, and makes sure that writes are allowed (mnt it read-write) before
   * returning success. This operation does not protect against filesystem being
   * frozen. When the write operation is finished, __mnt_drop_write() must be
   * called. This is effectively a refcount.

   */

  int __mnt_want_write(struct vfsmount *m)

  {

  	struct mount *mnt = real_mount(m);

  	int ret = 0;

  	preempt_disable();

  	mnt_inc_writers(mnt);

  	/*

  	 * The store to mnt_inc_writers must be visible before we pass

  	 * MNT_WRITE_HOLD loop below, so that the slowpath can see our
  	 * incremented count after it has set MNT_WRITE_HOLD.
  	 */
  	smp_mb();

  	while (ACCESS_ONCE(mnt->mnt.mnt_flags) & MNT_WRITE_HOLD)

  		cpu_relax();
  	/*
  	 * After the slowpath clears MNT_WRITE_HOLD, mnt_is_readonly will
  	 * be set to match its requirements. So we must not load that until
  	 * MNT_WRITE_HOLD is cleared.
  	 */
  	smp_rmb();

  	if (mnt_is_readonly(m)) {

  		mnt_dec_writers(mnt);

  		ret = -EROFS;

  	}

  	preempt_enable();

  
  	return ret;
  }
  
  /**
   * mnt_want_write - get write access to a mount
   * @m: the mount on which to take a write
   *
   * This tells the low-level filesystem that a write is about to be performed to
   * it, and makes sure that writes are allowed (mount is read-write, filesystem
   * is not frozen) before returning success.  When the write operation is
   * finished, mnt_drop_write() must be called.  This is effectively a refcount.
   */
  int mnt_want_write(struct vfsmount *m)
  {
  	int ret;
  
  	sb_start_write(m->mnt_sb);
  	ret = __mnt_want_write(m);
  	if (ret)
  		sb_end_write(m->mnt_sb);

  	return ret;

  }
  EXPORT_SYMBOL_GPL(mnt_want_write);
  
  /**

   * mnt_clone_write - get write access to a mount
   * @mnt: the mount on which to take a write
   *
   * This is effectively like mnt_want_write, except
   * it must only be used to take an extra write reference
   * on a mountpoint that we already know has a write reference
   * on it. This allows some optimisation.
   *
   * After finished, mnt_drop_write must be called as usual to
   * drop the reference.
   */
  int mnt_clone_write(struct vfsmount *mnt)
  {
  	/* superblock may be r/o */
  	if (__mnt_is_readonly(mnt))
  		return -EROFS;
  	preempt_disable();

  	mnt_inc_writers(real_mount(mnt));

  	preempt_enable();
  	return 0;
  }
  EXPORT_SYMBOL_GPL(mnt_clone_write);
  
  /**

   * __mnt_want_write_file - get write access to a file's mount

   * @file: the file who's mount on which to take a write
   *

   * This is like __mnt_want_write, but it takes a file and can

   * do some optimisations if the file is open for write already
   */

  int __mnt_want_write_file(struct file *file)

  {

  	if (!(file->f_mode & FMODE_WRITER))

  		return __mnt_want_write(file->f_path.mnt);

  	else
  		return mnt_clone_write(file->f_path.mnt);
  }

  
  /**

   * mnt_want_write_file_path - get write access to a file's mount

   * @file: the file who's mount on which to take a write
   *
   * This is like mnt_want_write, but it takes a file and can
   * do some optimisations if the file is open for write already

   *
   * Called by the vfs for cases when we have an open file at hand, but will do an
   * inode operation on it (important distinction for files opened on overlayfs,
   * since the file operations will come from the real underlying file, while
   * inode operations come from the overlay).

   */

  int mnt_want_write_file_path(struct file *file)

  {
  	int ret;

  	sb_start_write(file->f_path.mnt->mnt_sb);

  	ret = __mnt_want_write_file(file);
  	if (ret)

  		sb_end_write(file->f_path.mnt->mnt_sb);

  	return ret;
  }

  
  static inline int may_write_real(struct file *file)
  {
  	struct dentry *dentry = file->f_path.dentry;
  	struct dentry *upperdentry;
  
  	/* Writable file? */
  	if (file->f_mode & FMODE_WRITER)
  		return 0;
  
  	/* Not overlayfs? */
  	if (likely(!(dentry->d_flags & DCACHE_OP_REAL)))
  		return 0;
  
  	/* File refers to upper, writable layer? */
  	upperdentry = d_real(dentry, NULL, 0, D_REAL_UPPER);

  	if (upperdentry &&
  	    (file_inode(file) == d_inode(upperdentry) ||
  	     file_inode(file) == d_inode(dentry)))

  		return 0;
  
  	/* Lower layer: can't write to real file, sorry... */
  	return -EPERM;
  }
  
  /**
   * mnt_want_write_file - get write access to a file's mount
   * @file: the file who's mount on which to take a write
   *
   * This is like mnt_want_write, but it takes a file and can
   * do some optimisations if the file is open for write already
   *
   * Mostly called by filesystems from their ioctl operation before performing
   * modification.  On overlayfs this needs to check if the file is on a read-only
   * lower layer and deny access in that case.
   */
  int mnt_want_write_file(struct file *file)
  {
  	int ret;
  
  	ret = may_write_real(file);
  	if (!ret) {
  		sb_start_write(file_inode(file)->i_sb);
  		ret = __mnt_want_write_file(file);
  		if (ret)
  			sb_end_write(file_inode(file)->i_sb);
  	}
  	return ret;
  }

  EXPORT_SYMBOL_GPL(mnt_want_write_file);
  
  /**

   * __mnt_drop_write - give up write access to a mount

   * @mnt: the mount on which to give up write access
   *
   * Tells the low-level filesystem that we are done
   * performing writes to it.  Must be matched with

   * __mnt_want_write() call above.

   */

  void __mnt_drop_write(struct vfsmount *mnt)

  {

  	preempt_disable();

  	mnt_dec_writers(real_mount(mnt));

  	preempt_enable();

  }

  
  /**
   * mnt_drop_write - give up write access to a mount
   * @mnt: the mount on which to give up write access
   *
   * Tells the low-level filesystem that we are done performing writes to it and
   * also allows filesystem to be frozen again.  Must be matched with
   * mnt_want_write() call above.
   */
  void mnt_drop_write(struct vfsmount *mnt)
  {
  	__mnt_drop_write(mnt);
  	sb_end_write(mnt->mnt_sb);
  }

  EXPORT_SYMBOL_GPL(mnt_drop_write);

  void __mnt_drop_write_file(struct file *file)
  {
  	__mnt_drop_write(file->f_path.mnt);
  }

  void mnt_drop_write_file_path(struct file *file)

  {

  	mnt_drop_write(file->f_path.mnt);

  }

  
  void mnt_drop_write_file(struct file *file)
  {
  	__mnt_drop_write(file->f_path.mnt);
  	sb_end_write(file_inode(file)->i_sb);
  }

  EXPORT_SYMBOL(mnt_drop_write_file);

  static int mnt_make_readonly(struct mount *mnt)

  {

  	int ret = 0;

  	lock_mount_hash();

  	mnt->mnt.mnt_flags |= MNT_WRITE_HOLD;

  	/*

  	 * After storing MNT_WRITE_HOLD, we'll read the counters. This store
  	 * should be visible before we do.

  	 */

  	smp_mb();

  	/*

  	 * With writers on hold, if this value is zero, then there are
  	 * definitely no active writers (although held writers may subsequently
  	 * increment the count, they'll have to wait, and decrement it after
  	 * seeing MNT_READONLY).
  	 *
  	 * It is OK to have counter incremented on one CPU and decremented on
  	 * another: the sum will add up correctly. The danger would be when we
  	 * sum up each counter, if we read a counter before it is incremented,
  	 * but then read another CPU's count which it has been subsequently
  	 * decremented from -- we would see more decrements than we should.
  	 * MNT_WRITE_HOLD protects against this scenario, because
  	 * mnt_want_write first increments count, then smp_mb, then spins on
  	 * MNT_WRITE_HOLD, so it can't be decremented by another CPU while
  	 * we're counting up here.

  	 */

  	if (mnt_get_writers(mnt) > 0)

  		ret = -EBUSY;
  	else

  		mnt->mnt.mnt_flags |= MNT_READONLY;

  	/*
  	 * MNT_READONLY must become visible before ~MNT_WRITE_HOLD, so writers
  	 * that become unheld will see MNT_READONLY.
  	 */
  	smp_wmb();

  	mnt->mnt.mnt_flags &= ~MNT_WRITE_HOLD;

  	unlock_mount_hash();

  	return ret;

  }

  static void __mnt_unmake_readonly(struct mount *mnt)

  {

  	lock_mount_hash();

  	mnt->mnt.mnt_flags &= ~MNT_READONLY;

  	unlock_mount_hash();

  }

  int sb_prepare_remount_readonly(struct super_block *sb)
  {
  	struct mount *mnt;
  	int err = 0;

  	/* Racy optimization.  Recheck the counter under MNT_WRITE_HOLD */
  	if (atomic_long_read(&sb->s_remove_count))
  		return -EBUSY;

  	lock_mount_hash();

  	list_for_each_entry(mnt, &sb->s_mounts, mnt_instance) {
  		if (!(mnt->mnt.mnt_flags & MNT_READONLY)) {
  			mnt->mnt.mnt_flags |= MNT_WRITE_HOLD;
  			smp_mb();
  			if (mnt_get_writers(mnt) > 0) {
  				err = -EBUSY;
  				break;
  			}
  		}
  	}

  	if (!err && atomic_long_read(&sb->s_remove_count))
  		err = -EBUSY;

  	if (!err) {
  		sb->s_readonly_remount = 1;
  		smp_wmb();
  	}
  	list_for_each_entry(mnt, &sb->s_mounts, mnt_instance) {
  		if (mnt->mnt.mnt_flags & MNT_WRITE_HOLD)
  			mnt->mnt.mnt_flags &= ~MNT_WRITE_HOLD;
  	}

  	unlock_mount_hash();

  
  	return err;
  }

  static void free_vfsmnt(struct mount *mnt)

  {

  	kfree_const(mnt->mnt_devname);

  #ifdef CONFIG_SMP

  	free_percpu(mnt->mnt_pcp);

  #endif

  	kmem_cache_free(mnt_cache, mnt);

  }

  static void delayed_free_vfsmnt(struct rcu_head *head)
  {
  	free_vfsmnt(container_of(head, struct mount, mnt_rcu));
  }

  /* call under rcu_read_lock */

  int __legitimize_mnt(struct vfsmount *bastard, unsigned seq)

  {
  	struct mount *mnt;
  	if (read_seqretry(&mount_lock, seq))

  		return 1;

  	if (bastard == NULL)

  		return 0;

  	mnt = real_mount(bastard);
  	mnt_add_count(mnt, 1);

  	smp_mb();			// see mntput_no_expire()

  	if (likely(!read_seqretry(&mount_lock, seq)))

  		return 0;

  	if (bastard->mnt_flags & MNT_SYNC_UMOUNT) {
  		mnt_add_count(mnt, -1);

  		return 1;
  	}

  	lock_mount_hash();
  	if (unlikely(bastard->mnt_flags & MNT_DOOMED)) {
  		mnt_add_count(mnt, -1);
  		unlock_mount_hash();
  		return 1;
  	}
  	unlock_mount_hash();
  	/* caller will mntput() */

  	return -1;
  }
  
  /* call under rcu_read_lock */
  bool legitimize_mnt(struct vfsmount *bastard, unsigned seq)
  {
  	int res = __legitimize_mnt(bastard, seq);
  	if (likely(!res))
  		return true;
  	if (unlikely(res < 0)) {
  		rcu_read_unlock();
  		mntput(bastard);
  		rcu_read_lock();

  	}

  	return false;
  }

  /*

   * find the first mount at @dentry on vfsmount @mnt.

   * call under rcu_read_lock()

   */

  struct mount *__lookup_mnt(struct vfsmount *mnt, struct dentry *dentry)

  {

  	struct hlist_head *head = m_hash(mnt, dentry);

  	struct mount *p;

  	hlist_for_each_entry_rcu(p, head, mnt_hash)

  		if (&p->mnt_parent->mnt == mnt && p->mnt_mountpoint == dentry)
  			return p;
  	return NULL;
  }
  
  /*

   * lookup_mnt - Return the first child mount mounted at path
   *
   * "First" means first mounted chronologically.  If you create the
   * following mounts:
   *
   * mount /dev/sda1 /mnt
   * mount /dev/sda2 /mnt
   * mount /dev/sda3 /mnt
   *
   * Then lookup_mnt() on the base /mnt dentry in the root mount will
   * return successively the root dentry and vfsmount of /dev/sda1, then
   * /dev/sda2, then /dev/sda3, then NULL.
   *
   * lookup_mnt takes a reference to the found vfsmount.

   */

  struct vfsmount *lookup_mnt(const struct path *path)

  {

  	struct mount *child_mnt;

  	struct vfsmount *m;
  	unsigned seq;

  	rcu_read_lock();
  	do {
  		seq = read_seqbegin(&mount_lock);
  		child_mnt = __lookup_mnt(path->mnt, path->dentry);
  		m = child_mnt ? &child_mnt->mnt : NULL;
  	} while (!legitimize_mnt(m, seq));
  	rcu_read_unlock();
  	return m;

  }

  /*
   * __is_local_mountpoint - Test to see if dentry is a mountpoint in the
   *                         current mount namespace.
   *
   * The common case is dentries are not mountpoints at all and that
   * test is handled inline.  For the slow case when we are actually
   * dealing with a mountpoint of some kind, walk through all of the
   * mounts in the current mount namespace and test to see if the dentry
   * is a mountpoint.
   *
   * The mount_hashtable is not usable in the context because we
   * need to identify all mounts that may be in the current mount
   * namespace not just a mount that happens to have some specified
   * parent mount.
   */
  bool __is_local_mountpoint(struct dentry *dentry)
  {
  	struct mnt_namespace *ns = current->nsproxy->mnt_ns;
  	struct mount *mnt;
  	bool is_covered = false;
  
  	if (!d_mountpoint(dentry))
  		goto out;
  
  	down_read(&namespace_sem);
  	list_for_each_entry(mnt, &ns->list, mnt_list) {
  		is_covered = (mnt->mnt_mountpoint == dentry);
  		if (is_covered)
  			break;
  	}
  	up_read(&namespace_sem);
  out:
  	return is_covered;
  }

  static struct mountpoint *lookup_mountpoint(struct dentry *dentry)

  {

  	struct hlist_head *chain = mp_hash(dentry);

  	struct mountpoint *mp;

  	hlist_for_each_entry(mp, chain, m_hash) {

  		if (mp->m_dentry == dentry) {
  			/* might be worth a WARN_ON() */
  			if (d_unlinked(dentry))
  				return ERR_PTR(-ENOENT);
  			mp->m_count++;
  			return mp;
  		}
  	}

  	return NULL;
  }

  static struct mountpoint *get_mountpoint(struct dentry *dentry)

  {

  	struct mountpoint *mp, *new = NULL;

  	int ret;

  	if (d_mountpoint(dentry)) {
  mountpoint:
  		read_seqlock_excl(&mount_lock);
  		mp = lookup_mountpoint(dentry);
  		read_sequnlock_excl(&mount_lock);
  		if (mp)
  			goto done;
  	}
  
  	if (!new)
  		new = kmalloc(sizeof(struct mountpoint), GFP_KERNEL);
  	if (!new)

  		return ERR_PTR(-ENOMEM);

  
  	/* Exactly one processes may set d_mounted */

  	ret = d_set_mounted(dentry);

  	/* Someone else set d_mounted? */
  	if (ret == -EBUSY)
  		goto mountpoint;
  
  	/* The dentry is not available as a mountpoint? */
  	mp = ERR_PTR(ret);
  	if (ret)
  		goto done;
  
  	/* Add the new mountpoint to the hash table */
  	read_seqlock_excl(&mount_lock);
  	new->m_dentry = dentry;
  	new->m_count = 1;
  	hlist_add_head(&new->m_hash, mp_hash(dentry));
  	INIT_HLIST_HEAD(&new->m_list);
  	read_sequnlock_excl(&mount_lock);
  
  	mp = new;
  	new = NULL;
  done:
  	kfree(new);

  	return mp;
  }
  
  static void put_mountpoint(struct mountpoint *mp)
  {
  	if (!--mp->m_count) {
  		struct dentry *dentry = mp->m_dentry;

  		BUG_ON(!hlist_empty(&mp->m_list));

  		spin_lock(&dentry->d_lock);
  		dentry->d_flags &= ~DCACHE_MOUNTED;
  		spin_unlock(&dentry->d_lock);

  		hlist_del(&mp->m_hash);

  		kfree(mp);
  	}
  }

  static inline int check_mnt(struct mount *mnt)

  {

  	return mnt->mnt_ns == current->nsproxy->mnt_ns;

  }

  /*
   * vfsmount lock must be held for write
   */

  static void touch_mnt_namespace(struct mnt_namespace *ns)

  {
  	if (ns) {
  		ns->event = ++event;
  		wake_up_interruptible(&ns->poll);
  	}
  }

  /*
   * vfsmount lock must be held for write
   */

  static void __touch_mnt_namespace(struct mnt_namespace *ns)

  {
  	if (ns && ns->event != event) {
  		ns->event = event;
  		wake_up_interruptible(&ns->poll);
  	}
  }

  /*
   * vfsmount lock must be held for write
   */

  static void unhash_mnt(struct mount *mnt)

  {

  	mnt->mnt_parent = mnt;

  	mnt->mnt_mountpoint = mnt->mnt.mnt_root;

  	list_del_init(&mnt->mnt_child);

  	hlist_del_init_rcu(&mnt->mnt_hash);

  	hlist_del_init(&mnt->mnt_mp_list);

  	put_mountpoint(mnt->mnt_mp);
  	mnt->mnt_mp = NULL;

  }

  /*
   * vfsmount lock must be held for write
   */

  static void detach_mnt(struct mount *mnt, struct path *old_path)
  {
  	old_path->dentry = mnt->mnt_mountpoint;
  	old_path->mnt = &mnt->mnt_parent->mnt;
  	unhash_mnt(mnt);
  }
  
  /*
   * vfsmount lock must be held for write
   */

  static void umount_mnt(struct mount *mnt)
  {
  	/* old mountpoint will be dropped when we can do that */
  	mnt->mnt_ex_mountpoint = mnt->mnt_mountpoint;
  	unhash_mnt(mnt);
  }
  
  /*
   * vfsmount lock must be held for write
   */

  void mnt_set_mountpoint(struct mount *mnt,
  			struct mountpoint *mp,

  			struct mount *child_mnt)

  {

  	mp->m_count++;

  	mnt_add_count(mnt, 1);	/* essentially, that's mntget */

  	child_mnt->mnt_mountpoint = dget(mp->m_dentry);

  	child_mnt->mnt_parent = mnt;

  	child_mnt->mnt_mp = mp;

  	hlist_add_head(&child_mnt->mnt_mp_list, &mp->m_list);

  }

  static void __attach_mnt(struct mount *mnt, struct mount *parent)
  {
  	hlist_add_head_rcu(&mnt->mnt_hash,
  			   m_hash(&parent->mnt, mnt->mnt_mountpoint));
  	list_add_tail(&mnt->mnt_child, &parent->mnt_mounts);
  }

  /*
   * vfsmount lock must be held for write
   */

  static void attach_mnt(struct mount *mnt,
  			struct mount *parent,
  			struct mountpoint *mp)

  {

  	mnt_set_mountpoint(parent, mp, mnt);

  	__attach_mnt(mnt, parent);

  }

  void mnt_change_mountpoint(struct mount *parent, struct mountpoint *mp, struct mount *mnt)

  {

  	struct mountpoint *old_mp = mnt->mnt_mp;
  	struct dentry *old_mountpoint = mnt->mnt_mountpoint;
  	struct mount *old_parent = mnt->mnt_parent;
  
  	list_del_init(&mnt->mnt_child);
  	hlist_del_init(&mnt->mnt_mp_list);
  	hlist_del_init_rcu(&mnt->mnt_hash);
  
  	attach_mnt(mnt, parent, mp);
  
  	put_mountpoint(old_mp);
  
  	/*
  	 * Safely avoid even the suggestion this code might sleep or
  	 * lock the mount hash by taking advantage of the knowledge that
  	 * mnt_change_mountpoint will not release the final reference
  	 * to a mountpoint.
  	 *
  	 * During mounting, the mount passed in as the parent mount will
  	 * continue to use the old mountpoint and during unmounting, the
  	 * old mountpoint will continue to exist until namespace_unlock,
  	 * which happens well after mnt_change_mountpoint.
  	 */
  	spin_lock(&old_mountpoint->d_lock);
  	old_mountpoint->d_lockref.count--;
  	spin_unlock(&old_mountpoint->d_lock);
  
  	mnt_add_count(old_parent, -1);

  }

  /*

   * vfsmount lock must be held for write

   */

  static void commit_tree(struct mount *mnt)

  {

  	struct mount *parent = mnt->mnt_parent;

  	struct mount *m;

  	LIST_HEAD(head);

  	struct mnt_namespace *n = parent->mnt_ns;

  	BUG_ON(parent == mnt);

  	list_add_tail(&head, &mnt->mnt_list);

  	list_for_each_entry(m, &head, mnt_list)

  		m->mnt_ns = n;

  	list_splice(&head, n->list.prev);

  	n->mounts += n->pending_mounts;
  	n->pending_mounts = 0;

  	__attach_mnt(mnt, parent);

  	touch_mnt_namespace(n);

  }

  static struct mount *next_mnt(struct mount *p, struct mount *root)

  {

  	struct list_head *next = p->mnt_mounts.next;
  	if (next == &p->mnt_mounts) {

  		while (1) {

  			if (p == root)

  				return NULL;

  			next = p->mnt_child.next;
  			if (next != &p->mnt_parent->mnt_mounts)

  				break;

  			p = p->mnt_parent;

  		}
  	}

  	return list_entry(next, struct mount, mnt_child);

  }

  static struct mount *skip_mnt_tree(struct mount *p)

  {

  	struct list_head *prev = p->mnt_mounts.prev;
  	while (prev != &p->mnt_mounts) {
  		p = list_entry(prev, struct mount, mnt_child);
  		prev = p->mnt_mounts.prev;

  	}
  	return p;
  }

  struct vfsmount *
  vfs_kern_mount(struct file_system_type *type, int flags, const char *name, void *data)
  {

  	struct mount *mnt;

  	struct dentry *root;
  
  	if (!type)
  		return ERR_PTR(-ENODEV);
  
  	mnt = alloc_vfsmnt(name);
  	if (!mnt)
  		return ERR_PTR(-ENOMEM);

  	if (flags & SB_KERNMOUNT)

  		mnt->mnt.mnt_flags = MNT_INTERNAL;

  
  	root = mount_fs(type, flags, name, data);
  	if (IS_ERR(root)) {

  		mnt_free_id(mnt);

  		free_vfsmnt(mnt);
  		return ERR_CAST(root);
  	}

  	mnt->mnt.mnt_root = root;
  	mnt->mnt.mnt_sb = root->d_sb;

  	mnt->mnt_mountpoint = mnt->mnt.mnt_root;

  	mnt->mnt_parent = mnt;

  	lock_mount_hash();

  	list_add_tail(&mnt->mnt_instance, &root->d_sb->s_mounts);

  	unlock_mount_hash();

  	return &mnt->mnt;

  }
  EXPORT_SYMBOL_GPL(vfs_kern_mount);

  struct vfsmount *
  vfs_submount(const struct dentry *mountpoint, struct file_system_type *type,
  	     const char *name, void *data)
  {
  	/* Until it is worked out how to pass the user namespace
  	 * through from the parent mount to the submount don't support
  	 * unprivileged mounts with submounts.
  	 */
  	if (mountpoint->d_sb->s_user_ns != &init_user_ns)
  		return ERR_PTR(-EPERM);

  	return vfs_kern_mount(type, SB_SUBMOUNT, name, data);

  }
  EXPORT_SYMBOL_GPL(vfs_submount);

  static struct mount *clone_mnt(struct mount *old, struct dentry *root,

  					int flag)

  {

  	struct super_block *sb = old->mnt.mnt_sb;

  	struct mount *mnt;
  	int err;

  	mnt = alloc_vfsmnt(old->mnt_devname);
  	if (!mnt)
  		return ERR_PTR(-ENOMEM);

  	if (flag & (CL_SLAVE | CL_PRIVATE | CL_SHARED_TO_SLAVE))

  		mnt->mnt_group_id = 0; /* not a peer of original */
  	else
  		mnt->mnt_group_id = old->mnt_group_id;

  	if ((flag & CL_MAKE_SHARED) && !mnt->mnt_group_id) {
  		err = mnt_alloc_group_id(mnt);
  		if (err)
  			goto out_free;

  	}

  	mnt->mnt.mnt_flags = old->mnt.mnt_flags;
  	mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);

  	/* Don't allow unprivileged users to change mount flags */

  	if (flag & CL_UNPRIVILEGED) {
  		mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
  
  		if (mnt->mnt.mnt_flags & MNT_READONLY)
  			mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
  
  		if (mnt->mnt.mnt_flags & MNT_NODEV)
  			mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
  
  		if (mnt->mnt.mnt_flags & MNT_NOSUID)
  			mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
  
  		if (mnt->mnt.mnt_flags & MNT_NOEXEC)
  			mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
  	}

  	/* Don't allow unprivileged users to reveal what is under a mount */

  	if ((flag & CL_UNPRIVILEGED) &&
  	    (!(flag & CL_EXPIRE) || list_empty(&old->mnt_expire)))

  		mnt->mnt.mnt_flags |= MNT_LOCKED;

  	atomic_inc(&sb->s_active);
  	mnt->mnt.mnt_sb = sb;
  	mnt->mnt.mnt_root = dget(root);
  	mnt->mnt_mountpoint = mnt->mnt.mnt_root;
  	mnt->mnt_parent = mnt;

  	lock_mount_hash();

  	list_add_tail(&mnt->mnt_instance, &sb->s_mounts);

  	unlock_mount_hash();

  	if ((flag & CL_SLAVE) ||
  	    ((flag & CL_SHARED_TO_SLAVE) && IS_MNT_SHARED(old))) {

  		list_add(&mnt->mnt_slave, &old->mnt_slave_list);
  		mnt->mnt_master = old;
  		CLEAR_MNT_SHARED(mnt);
  	} else if (!(flag & CL_PRIVATE)) {
  		if ((flag & CL_MAKE_SHARED) || IS_MNT_SHARED(old))
  			list_add(&mnt->mnt_share, &old->mnt_share);
  		if (IS_MNT_SLAVE(old))
  			list_add(&mnt->mnt_slave, &old->mnt_slave);
  		mnt->mnt_master = old->mnt_master;

  	} else {
  		CLEAR_MNT_SHARED(mnt);

  	}
  	if (flag & CL_MAKE_SHARED)
  		set_mnt_shared(mnt);
  
  	/* stick the duplicate mount on the same expiry list
  	 * as the original if that was on one */
  	if (flag & CL_EXPIRE) {
  		if (!list_empty(&old->mnt_expire))
  			list_add(&mnt->mnt_expire, &old->mnt_expire);
  	}

  	return mnt;

  
   out_free:

  	mnt_free_id(mnt);

  	free_vfsmnt(mnt);

  	return ERR_PTR(err);

  }

  static void cleanup_mnt(struct mount *mnt)
  {
  	/*
  	 * This probably indicates that somebody messed
  	 * up a mnt_want/drop_write() pair.  If this
  	 * happens, the filesystem was probably unable
  	 * to make r/w->r/o transitions.
  	 */
  	/*
  	 * The locking used to deal with mnt_count decrement provides barriers,
  	 * so mnt_get_writers() below is safe.
  	 */
  	WARN_ON(mnt_get_writers(mnt));
  	if (unlikely(mnt->mnt_pins.first))
  		mnt_pin_kill(mnt);
  	fsnotify_vfsmount_delete(&mnt->mnt);
  	dput(mnt->mnt.mnt_root);
  	deactivate_super(mnt->mnt.mnt_sb);
  	mnt_free_id(mnt);
  	call_rcu(&mnt->mnt_rcu, delayed_free_vfsmnt);
  }
  
  static void __cleanup_mnt(struct rcu_head *head)
  {
  	cleanup_mnt(container_of(head, struct mount, mnt_rcu));
  }
  
  static LLIST_HEAD(delayed_mntput_list);
  static void delayed_mntput(struct work_struct *unused)
  {
  	struct llist_node *node = llist_del_all(&delayed_mntput_list);

  	struct mount *m, *t;

  	llist_for_each_entry_safe(m, t, node, mnt_llist)
  		cleanup_mnt(m);

  }
  static DECLARE_DELAYED_WORK(delayed_mntput_work, delayed_mntput);

  static void mntput_no_expire(struct mount *mnt)

  {

  	rcu_read_lock();

  	if (likely(READ_ONCE(mnt->mnt_ns))) {
  		/*
  		 * Since we don't do lock_mount_hash() here,
  		 * ->mnt_ns can change under us.  However, if it's
  		 * non-NULL, then there's a reference that won't
  		 * be dropped until after an RCU delay done after
  		 * turning ->mnt_ns NULL.  So if we observe it
  		 * non-NULL under rcu_read_lock(), the reference
  		 * we are dropping is not the final one.
  		 */
  		mnt_add_count(mnt, -1);

  		rcu_read_unlock();

  		return;

  	}

  	lock_mount_hash();

  	/*
  	 * make sure that if __legitimize_mnt() has not seen us grab
  	 * mount_lock, we'll see their refcount increment here.
  	 */
  	smp_mb();

  	mnt_add_count(mnt, -1);

  	if (mnt_get_count(mnt)) {

  		rcu_read_unlock();

  		unlock_mount_hash();

  		return;
  	}

  	if (unlikely(mnt->mnt.mnt_flags & MNT_DOOMED)) {
  		rcu_read_unlock();
  		unlock_mount_hash();
  		return;
  	}
  	mnt->mnt.mnt_flags |= MNT_DOOMED;
  	rcu_read_unlock();

  	list_del(&mnt->mnt_instance);

  
  	if (unlikely(!list_empty(&mnt->mnt_mounts))) {
  		struct mount *p, *tmp;
  		list_for_each_entry_safe(p, tmp, &mnt->mnt_mounts,  mnt_child) {
  			umount_mnt(p);
  		}
  	}

  	unlock_mount_hash();

  	if (likely(!(mnt->mnt.mnt_flags & MNT_INTERNAL))) {
  		struct task_struct *task = current;
  		if (likely(!(task->flags & PF_KTHREAD))) {
  			init_task_work(&mnt->mnt_rcu, __cleanup_mnt);
  			if (!task_work_add(task, &mnt->mnt_rcu, true))
  				return;
  		}
  		if (llist_add(&mnt->mnt_llist, &delayed_mntput_list))
  			schedule_delayed_work(&delayed_mntput_work, 1);
  		return;
  	}
  	cleanup_mnt(mnt);

  }

  
  void mntput(struct vfsmount *mnt)
  {
  	if (mnt) {

  		struct mount *m = real_mount(mnt);

  		/* avoid cacheline pingpong, hope gcc doesn't get "smart" */

  		if (unlikely(m->mnt_expiry_mark))
  			m->mnt_expiry_mark = 0;
  		mntput_no_expire(m);

  	}
  }
  EXPORT_SYMBOL(mntput);
  
  struct vfsmount *mntget(struct vfsmount *mnt)
  {
  	if (mnt)

  		mnt_add_count(real_mount(mnt), 1);

  	return mnt;
  }
  EXPORT_SYMBOL(mntget);

  /* path_is_mountpoint() - Check if path is a mount in the current
   *                          namespace.
   *
   *  d_mountpoint() can only be used reliably to establish if a dentry is
   *  not mounted in any namespace and that common case is handled inline.
   *  d_mountpoint() isn't aware of the possibility there may be multiple
   *  mounts using a given dentry in a different namespace. This function
   *  checks if the passed in path is a mountpoint rather than the dentry
   *  alone.
   */
  bool path_is_mountpoint(const struct path *path)
  {
  	unsigned seq;
  	bool res;
  
  	if (!d_mountpoint(path->dentry))
  		return false;
  
  	rcu_read_lock();
  	do {
  		seq = read_seqbegin(&mount_lock);
  		res = __path_is_mountpoint(path);
  	} while (read_seqretry(&mount_lock, seq));
  	rcu_read_unlock();
  
  	return res;
  }
  EXPORT_SYMBOL(path_is_mountpoint);

  struct vfsmount *mnt_clone_internal(const struct path *path)

  {

  	struct mount *p;
  	p = clone_mnt(real_mount(path->mnt), path->dentry, CL_PRIVATE);
  	if (IS_ERR(p))
  		return ERR_CAST(p);
  	p->mnt.mnt_flags |= MNT_INTERNAL;
  	return &p->mnt;

  }

  #ifdef CONFIG_PROC_FS

  /* iterator; we want it to have access to namespace_sem, thus here... */

  static void *m_start(struct seq_file *m, loff_t *pos)
  {

  	struct proc_mounts *p = m->private;

  	down_read(&namespace_sem);

  	if (p->cached_event == p->ns->event) {
  		void *v = p->cached_mount;
  		if (*pos == p->cached_index)
  			return v;
  		if (*pos == p->cached_index + 1) {
  			v = seq_list_next(v, &p->ns->list, &p->cached_index);
  			return p->cached_mount = v;
  		}
  	}
  
  	p->cached_event = p->ns->event;
  	p->cached_mount = seq_list_start(&p->ns->list, *pos);
  	p->cached_index = *pos;
  	return p->cached_mount;

  }
  
  static void *m_next(struct seq_file *m, void *v, loff_t *pos)
  {

  	struct proc_mounts *p = m->private;

  	p->cached_mount = seq_list_next(v, &p->ns->list, pos);
  	p->cached_index = *pos;
  	return p->cached_mount;

  }
  
  static void m_stop(struct seq_file *m, void *v)
  {

  	up_read(&namespace_sem);

  }

  static int m_show(struct seq_file *m, void *v)

  {

  	struct proc_mounts *p = m->private;

  	struct mount *r = list_entry(v, struct mount, mnt_list);

  	return p->show(m, &r->mnt);

  }

  const struct seq_operations mounts_op = {

  	.start	= m_start,
  	.next	= m_next,
  	.stop	= m_stop,

  	.show	= m_show,

  };

  #endif  /* CONFIG_PROC_FS */

  /**
   * may_umount_tree - check if a mount tree is busy
   * @mnt: root of mount tree
   *
   * This is called to check if a tree of mounts has any
   * open files, pwds, chroots or sub mounts that are
   * busy.
   */

  int may_umount_tree(struct vfsmount *m)

  {

  	struct mount *mnt = real_mount(m);

  	int actual_refs = 0;
  	int minimum_refs = 0;

  	struct mount *p;

  	BUG_ON(!m);

  	/* write lock needed for mnt_get_count */

  	lock_mount_hash();

  	for (p = mnt; p; p = next_mnt(p, mnt)) {

  		actual_refs += mnt_get_count(p);

  		minimum_refs += 2;

  	}

  	unlock_mount_hash();

  
  	if (actual_refs > minimum_refs)

  		return 0;

  	return 1;

  }
  
  EXPORT_SYMBOL(may_umount_tree);
  
  /**
   * may_umount - check if a mount point is busy
   * @mnt: root of mount
   *
   * This is called to check if a mount point has any
   * open files, pwds, chroots or sub mounts. If the
   * mount has sub mounts this will return busy
   * regardless of whether the sub mounts are busy.
   *
   * Doesn't take quota and stuff into account. IOW, in some cases it will
   * give false negatives. The main reason why it's here is that we need
   * a non-destructive way to look for easily umountable filesystems.
   */
  int may_umount(struct vfsmount *mnt)
  {

  	int ret = 1;

  	down_read(&namespace_sem);

  	lock_mount_hash();

  	if (propagate_mount_busy(real_mount(mnt), 2))

  		ret = 0;

  	unlock_mount_hash();

  	up_read(&namespace_sem);

  	return ret;

  }
  
  EXPORT_SYMBOL(may_umount);

  static HLIST_HEAD(unmounted);	/* protected by namespace_sem */

  static void namespace_unlock(void)

  {

  	struct hlist_head head;

  	hlist_move_list(&unmounted, &head);

  	up_write(&namespace_sem);

  	if (likely(hlist_empty(&head)))
  		return;

  	synchronize_rcu();

  	group_pin_kill(&head);

  }

  static inline void namespace_lock(void)

  {

  	down_write(&namespace_sem);

  }

  enum umount_tree_flags {
  	UMOUNT_SYNC = 1,
  	UMOUNT_PROPAGATE = 2,

  	UMOUNT_CONNECTED = 4,

  };

  
  static bool disconnect_mount(struct mount *mnt, enum umount_tree_flags how)
  {
  	/* Leaving mounts connected is only valid for lazy umounts */
  	if (how & UMOUNT_SYNC)
  		return true;
  
  	/* A mount without a parent has nothing to be connected to */
  	if (!mnt_has_parent(mnt))
  		return true;
  
  	/* Because the reference counting rules change when mounts are
  	 * unmounted and connected, umounted mounts may not be
  	 * connected to mounted mounts.
  	 */
  	if (!(mnt->mnt_parent->mnt.mnt_flags & MNT_UMOUNT))
  		return true;
  
  	/* Has it been requested that the mount remain connected? */
  	if (how & UMOUNT_CONNECTED)
  		return false;
  
  	/* Is the mount locked such that it needs to remain connected? */
  	if (IS_MNT_LOCKED(mnt))
  		return false;
  
  	/* By default disconnect the mount */
  	return true;
  }

  /*

   * mount_lock must be held

   * namespace_sem must be held for write
   */

  static void umount_tree(struct mount *mnt, enum umount_tree_flags how)

  {

  	LIST_HEAD(tmp_list);

  	struct mount *p;

  	if (how & UMOUNT_PROPAGATE)
  		propagate_mount_unlock(mnt);

  	/* Gather the mounts to umount */

  	for (p = mnt; p; p = next_mnt(p, mnt)) {
  		p->mnt.mnt_flags |= MNT_UMOUNT;

  		list_move(&p->mnt_list, &tmp_list);

  	}

  	/* Hide the mounts from mnt_mounts */

  	list_for_each_entry(p, &tmp_list, mnt_list) {

  		list_del_init(&p->mnt_child);

  	}

  	/* Add propogated mounts to the tmp_list */

  	if (how & UMOUNT_PROPAGATE)

  		propagate_umount(&tmp_list);

  	while (!list_empty(&tmp_list)) {

  		struct mnt_namespace *ns;

  		bool disconnect;

  		p = list_first_entry(&tmp_list, struct mount, mnt_list);

  		list_del_init(&p->mnt_expire);

  		list_del_init(&p->mnt_list);

  		ns = p->mnt_ns;
  		if (ns) {
  			ns->mounts--;
  			__touch_mnt_namespace(ns);
  		}

  		p->mnt_ns = NULL;

  		if (how & UMOUNT_SYNC)

  			p->mnt.mnt_flags |= MNT_SYNC_UMOUNT;

  		disconnect = disconnect_mount(p, how);

  
  		pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt,
  				 disconnect ? &unmounted : NULL);

  		if (mnt_has_parent(p)) {

  			mnt_add_count(p->mnt_parent, -1);

  			if (!disconnect) {
  				/* Don't forget about p */
  				list_add_tail(&p->mnt_child, &p->mnt_parent->mnt_mounts);
  			} else {
  				umount_mnt(p);
  			}

  		}

  		change_mnt_propagation(p, MS_PRIVATE);

  	}
  }

  static void shrink_submounts(struct mount *mnt);

  static int do_umount(struct mount *mnt, int flags)

  {

  	struct super_block *sb = mnt->mnt.mnt_sb;

  	int retval;

  	retval = security_sb_umount(&mnt->mnt, flags);

  	if (retval)
  		return retval;
  
  	/*
  	 * Allow userspace to request a mountpoint be expired rather than
  	 * unmounting unconditionally. Unmount only happens if:
  	 *  (1) the mark is already set (the mark is cleared by mntput())
  	 *  (2) the usage count == 1 [parent vfsmount] + 1 [sys_umount]
  	 */
  	if (flags & MNT_EXPIRE) {

  		if (&mnt->mnt == current->fs->root.mnt ||

  		    flags & (MNT_FORCE | MNT_DETACH))
  			return -EINVAL;

  		/*
  		 * probably don't strictly need the lock here if we examined
  		 * all race cases, but it's a slowpath.
  		 */

  		lock_mount_hash();

  		if (mnt_get_count(mnt) != 2) {

  			unlock_mount_hash();

  			return -EBUSY;

  		}

  		unlock_mount_hash();

  		if (!xchg(&mnt->mnt_expiry_mark, 1))

  			return -EAGAIN;
  	}
  
  	/*
  	 * If we may have to abort operations to get out of this
  	 * mount, and they will themselves hold resources we must
  	 * allow the fs to do things. In the Unix tradition of
  	 * 'Gee thats tricky lets do it in userspace' the umount_begin
  	 * might fail to complete on the first run through as other tasks
  	 * must return, and the like. Thats for the mount program to worry
  	 * about for the moment.
  	 */

  	if (flags & MNT_FORCE && sb->s_op->umount_begin) {

  		sb->s_op->umount_begin(sb);

  	}

  
  	/*
  	 * No sense to grab the lock for this test, but test itself looks
  	 * somewhat bogus. Suggestions for better replacement?
  	 * Ho-hum... In principle, we might treat that as umount + switch
  	 * to rootfs. GC would eventually take care of the old vfsmount.
  	 * Actually it makes sense, especially if rootfs would contain a
  	 * /reboot - static binary that would close all descriptors and
  	 * call reboot(9). Then init(8) could umount root and exec /reboot.
  	 */

  	if (&mnt->mnt == current->fs->root.mnt && !(flags & MNT_DETACH)) {

  		/*
  		 * Special case for "unmounting" root ...
  		 * we just try to remount it readonly.
  		 */

  		if (!capable(CAP_SYS_ADMIN))
  			return -EPERM;

  		down_write(&sb->s_umount);

  		if (!sb_rdonly(sb))

  			retval = do_remount_sb(sb, SB_RDONLY, NULL, 0);

  		up_write(&sb->s_umount);
  		return retval;
  	}