Some full-OS container software bind mounts debugfs into containers to satisfy the assumptions of older userspaces which expect to be able to mount debugfs. This regressed in 4.1 due to the addition of tracefs, which gets automounted in the tracing subdirectory of debugfs. In a cloned mount namespace the bind mount now fails because the tracefs mount is a locked child of the debugfs mount.

For new mounts we already make an exception to the "locked child mount" rule. Directories in pseudo filesystems created for the sole purpose of being mountpoints are created as permanently empty directories which can never contain any entries, therefore the kernel can know that any mounts on these directories are not for security purposes. These mounts are then excluded from locked mount tests in some circumstances.

The same logic clearly applies to directories created in debugfs_create_automount(). The following patches update this function to create permanently empty directories for mountpoints and add an exclusion to the tests for bind mounts to exclude child mounts on permanently empty directories.

Thanks,
Seth

Seth Forshee (2):
  fs: Allow bind mounts with locked children on permanently empty directories
  debugfs: Make automount point inodes permanently empty

 fs/debugfs/inode.c | 2 +-
 fs/namespace.c     | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
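The following is an added example, not part of the original message or its patches. It parses mountinfo text (the format of /proc/self/mountinfo) and lists the mounts sitting directly beneath a given mount, such as tracefs under debugfs, which are the child mounts the cover letter describes as blocking the bind mount. The function names and the sample lines are constructed for illustration; mountinfo does not expose the locked flag, so the code assumes the namespace was cloned in a way that left inherited child mounts locked.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
SAMPLE = """\
22 1 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
30 22 0:7 / /sys/kernel/debug rw,relatime shared:12 - debugfs debugfs rw
41 30 0:10 / /sys/kernel/debug/tracing rw,relatime shared:20 - tracefs tracefs rw
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return one dict per mount: id, parent id, mount point, filesystem type."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields before the lone "-" separator are positional; fstype follows it.
        left, _, right = line.partition(" - ")
        fields = left.split()
        mounts.append({
            "id": int(fields[0]),
            "parent": int(fields[1]),
            "mountpoint": _unescape(fields[4]),
            "fstype": right.split()[0],
        })
    return mounts

def child_mounts(text, target):
    """List (mountpoint, fstype) for mounts whose parent is the mount at target.

    Assumption: in a cloned mount namespace where inherited mounts are locked,
    each entry returned here is a locked child of the mount at target.
    """
    mounts = parse_mountinfo(text)
    at_target = [m for m in mounts if m["mountpoint"] == target]
    if not at_target:
        return []
    top = at_target[-1]  # the last entry is the mount stacked on top
    return [(m["mountpoint"], m["fstype"]) for m in mounts if m["parent"] == top["id"]]

if __name__ == "__main__":
    for mountpoint, fstype in child_mounts(SAMPLE, "/sys/kernel/debug"):
        print(f"child mount: {mountpoint} ({fstype})")
```

To inspect a live system, pass the contents of /proc/self/mountinfo in place of SAMPLE.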