diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-07-18 18:43:29 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-07-20 00:49:01 -0400 |
commit | 59430262401bec02d415179c43dbe5b8819c09ce (patch) | |
tree | 18caba988f1fb650bb804727de06adc73953b2c6 /fs | |
parent | fec11dd9a0109fe52fd631e5c510778d6cbff6cc (diff) |
vfs: fix race in rcu lookup of pruned dentry
Don't update *inode in __follow_mount_rcu() until we'd verified that
there is mountpoint there. Kudos to Hugh Dickins for catching that
one in the first place and eventually figuring out the solution (and
catching a braino in the earlier version of patch).
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/namei.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/namei.c b/fs/namei.c index 5c867dd1c0b3..14ab8d3f2f0c 100644 --- a/fs/namei.c +++ b/fs/namei.c | |||
@@ -942,7 +942,6 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path, | |||
942 | * Don't forget we might have a non-mountpoint managed dentry | 942 | * Don't forget we might have a non-mountpoint managed dentry |
943 | * that wants to block transit. | 943 | * that wants to block transit. |
944 | */ | 944 | */ |
945 | *inode = path->dentry->d_inode; | ||
946 | if (unlikely(managed_dentry_might_block(path->dentry))) | 945 | if (unlikely(managed_dentry_might_block(path->dentry))) |
947 | return false; | 946 | return false; |
948 | 947 | ||
@@ -955,6 +954,12 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path, | |||
955 | path->mnt = mounted; | 954 | path->mnt = mounted; |
956 | path->dentry = mounted->mnt_root; | 955 | path->dentry = mounted->mnt_root; |
957 | nd->seq = read_seqcount_begin(&path->dentry->d_seq); | 956 | nd->seq = read_seqcount_begin(&path->dentry->d_seq); |
957 | /* | ||
958 | * Update the inode too. We don't need to re-check the | ||
959 | * dentry sequence number here after this d_inode read, | ||
960 | * because a mount-point is always pinned. | ||
961 | */ | ||
962 | *inode = path->dentry->d_inode; | ||
958 | } | 963 | } |
959 | return true; | 964 | return true; |
960 | } | 965 | } |