From: Linus Torvalds Date: Tue, 26 Jul 2011 20:04:16 +0000 (-0700) Subject: vfs: fix race in rcu lookup of pruned dentry X-Git-Tag: v2.6.39.4~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=601309611a1714cca934161550291dc5553b6b63;p=thirdparty%2Fkernel%2Fstable.git vfs: fix race in rcu lookup of pruned dentry Backport of commit 59430262401bec02d415179c43dbe5b8819c09ce done by Hugh Dickins Don't update *inode in __follow_mount_rcu() until we'd verified that there is mountpoint there. Kudos to Hugh Dickins for catching that one in the first place and eventually figuring out the solution (and catching a braino in the earlier version of patch). Signed-off-by: Linus Torvalds Cc: Hugh Dickins Signed-off-by: Al Viro --- diff --git a/fs/namei.c b/fs/namei.c index 6ff858c049c03..732a754d536e3 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1013,7 +1013,6 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path, * Don't forget we might have a non-mountpoint managed dentry * that wants to block transit. */ - *inode = path->dentry->d_inode; if (!reverse_transit && unlikely(managed_dentry_might_block(path->dentry))) return false; @@ -1027,6 +1026,12 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path, path->mnt = mounted; path->dentry = mounted->mnt_root; nd->seq = read_seqcount_begin(&path->dentry->d_seq); + /* + * Update the inode too. We don't need to re-check the + * dentry sequence number here after this d_inode read, + * because a mount-point is always pinned. + */ + *inode = path->dentry->d_inode; } if (unlikely(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT))
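Review bot: In the first hunk (@@ -1013,7 +1013,6), once the unconditional `*inode = path->dentry->d_inode;` is gone, the `return false` after `managed_dentry_might_block(path->dentry)` leaves `*inode` exactly as the caller passed it in, and so does any pass that never reaches the `path->mnt = mounted` block. That matches the commit message, but nothing in the visible comment states this contract. Suggest extending the existing "Don't forget we might have a non-mountpoint managed dentry" comment, or the function's header comment, to say that `*inode` is written only after a mount has actually been crossed, so a later change does not reintroduce an early read of `d_inode` from a dentry that has not been confirmed as a mountpoint.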
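Review bot: In the second hunk (@@ -1027,6 +1026,12), the new comment justifies skipping the sequence re-check with "a mount-point is always pinned", but the dentry being read at that point is `mounted->mnt_root`, assigned to `path->dentry` two lines earlier, not the mountpoint dentry that was just crossed. Suggest wording the comment in terms of the dentry actually dereferenced, for example that the root dentry of a mounted filesystem is pinned by the mount, so the reason the `d_inode` read is safe without a matching `d_seq` re-check is unambiguous to the next reader.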