From 601309611a1714cca934161550291dc5553b6b63 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Tue, 26 Jul 2011 13:04:16 -0700 Subject: [PATCH] vfs: fix race in rcu lookup of pruned dentry Backport of commit 59430262401bec02d415179c43dbe5b8819c09ce done by Hugh Dickins Don't update *inode in __follow_mount_rcu() until we'd verified that there is mountpoint there. Kudos to Hugh Dickins for catching that one in the first place and eventually figuring out the solution (and catching a braino in the earlier version of patch). Signed-off-by: Linus Torvalds Cc: Hugh Dickins Signed-off-by: Al Viro --- fs/namei.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 6ff858c049c0..732a754d536e 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1013,7 +1013,6 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path, * Don't forget we might have a non-mountpoint managed dentry * that wants to block transit. */ - *inode = path->dentry->d_inode; if (!reverse_transit && unlikely(managed_dentry_might_block(path->dentry))) return false; @@ -1027,6 +1026,12 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path, path->mnt = mounted; path->dentry = mounted->mnt_root; nd->seq = read_seqcount_begin(&path->dentry->d_seq); + /* + * Update the inode too. We don't need to re-check the + * dentry sequence number here after this d_inode read, + * because a mount-point is always pinned. + */ + *inode = path->dentry->d_inode; } if (unlikely(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT)) -- 2.39.5