unfuck proc_sysctl ->d_compare()

a) struct inode is not going to be freed under ->d_compare();
however, the thing PROC_I(inode)->sysctl points to just might.
Fortunately, it's enough to make freeing that sucker delayed,
provided that we don't step on its ->unregistering, clear
the pointer to it in PROC_I(inode) before dropping the reference
and check if it's NULL in ->d_compare().

b) I'm not sure that we *can* walk into NULL inode here (we recheck
dentry->seq between verifying that it's still hashed / fetching
dentry->d_inode and passing it to ->d_compare() and there's no
negative hashed dentries in /proc/sys/*), but if we can walk into
that, we really should not have ->d_compare() return 0 on it!
Said that, I really suspect that this check can be simply killed.
Nick?

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 5 insertions, 2 deletions

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 09a1f92a34ef..8eb2522111c5 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -408,15 +408,18 @@ static int proc_sys_compare(const struct dentry *parent,
                 const struct dentry *dentry, const struct inode *inode,
                 unsigned int len, const char *str, const struct qstr *name)
 {
+        struct ctl_table_header *head;
         /* Although proc doesn't have negative dentries, rcu-walk means
          * that inode here can be NULL */
+        /* AV: can it, indeed? */
         if (!inode)
-                return 0;
+                return 1;
         if (name->len != len)
                 return 1;
         if (memcmp(name->name, str, len))
                 return 1;
-        return !sysctl_is_seen(PROC_I(inode)->sysctl);
+        head = rcu_dereference(PROC_I(inode)->sysctl);
+        return !head || !sysctl_is_seen(head);
 }
 
 static const struct dentry_operations proc_sys_dentry_operations = {