From 463ffb2e9d39c2a3fd8c3c1d4a34e01f2078f972 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@www.linux.org.uk>
Date: Mon, 6 Jun 2005 13:36:05 -0700
Subject: [PATCH] namei fixes (9/19)

New helper: __follow_mount(struct path *path).  Same as follow_mount(), except
that we do *not* do mntput() after the first lookup_mnt().

IOW, original path->mnt stays pinned down.  We also take care to do dput()
before mntput() in the loop body (follow_mount() also needs that reordering,
but that will be done later in the series).

The following are equivalent, assuming that path.mnt == x:
(1)
	follow_mount(&path.mnt, &path.dentry)
(2)
	__follow_mount(&path);
	if (path->mnt != x)
		mntput(x);
(3)
	if (__follow_mount(&path))
		mntput(x);

Callers of follow_mount() in __link_path_walk() converted to (2).

Equivalent transformation + fix for too-late-mntput() race in __follow_mount()
loop.

Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 fs/namei.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

(limited to 'fs/namei.c')

diff --git a/fs/namei.c b/fs/namei.c
index 3d08478..23a1ad4 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -576,6 +576,23 @@ int follow_up(struct vfsmount **mnt, struct dentry **dentry)
 /* no need for dcache_lock, as serialization is taken care in
  * namespace.c
  */
+static int __follow_mount(struct path *path)
+{
+	int res = 0;
+	while (d_mountpoint(path->dentry)) {
+		struct vfsmount *mounted = lookup_mnt(path->mnt, path->dentry);
+		if (!mounted)
+			break;
+		dput(path->dentry);
+		if (res)
+			mntput(path->mnt);
+		path->mnt = mounted;
+		path->dentry = dget(mounted->mnt_root);
+		res = 1;
+	}
+	return res;
+}
+
 static int follow_mount(struct vfsmount **mnt, struct dentry **dentry)
 {
 	int res = 0;
@@ -778,7 +795,9 @@ static fastcall int __link_path_walk(const char * name, struct nameidata *nd)
 		if (err)
 			break;
 		/* Check mountpoints.. */
-		follow_mount(&next.mnt, &next.dentry);
+		__follow_mount(&next);
+		if (nd->mnt != next.mnt)
+			mntput(nd->mnt);
 
 		err = -ENOENT;
 		inode = next.dentry->d_inode;
@@ -836,7 +855,9 @@ last_component:
 		err = do_lookup(nd, &this, &next);
 		if (err)
 			break;
-		follow_mount(&next.mnt, &next.dentry);
+		__follow_mount(&next);
+		if (nd->mnt != next.mnt)
+			mntput(nd->mnt);
 		inode = next.dentry->d_inode;
 		if ((lookup_flags & LOOKUP_FOLLOW)
 		    && inode && inode->i_op && inode->i_op->follow_link) {
-- 
cgit v1.1