vfs: fix race in rcu lookup of pruned dentry

Don't update *inode in __follow_mount_rcu() until we'd verified that
there is mountpoint there.  Kudos to Hugh Dickins for catching that
one in the first place and eventually figuring out the solution (and
catching a braino in the earlier version of patch).

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 6 insertions, 1 deletions

diff --git a/fs/namei.c b/fs/namei.c
index 5c867dd1c0b3..14ab8d3f2f0c 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -942,7 +942,6 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
                  * Don't forget we might have a non-mountpoint managed dentry
                  * that wants to block transit.
                  */
-                *inode = path->dentry->d_inode;
                 if (unlikely(managed_dentry_might_block(path->dentry)))
                         return false;
 
@@ -955,6 +954,12 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
                 path->mnt = mounted;
                 path->dentry = mounted->mnt_root;
                 nd->seq = read_seqcount_begin(&path->dentry->d_seq);
+                /*
+                 * Update the inode too. We don't need to re-check the
+                 * dentry sequence number here after this d_inode read,
+                 * because a mount-point is always pinned.
+                 */
+                *inode = path->dentry->d_inode;
         }
         return true;
 }