2005-05-19 23:22:23

by Al Viro

Subject: [CFR][PATCH] namei fixes (16/19)

(16/19)

Conditional mntput() moved into __do_follow_link(). There it collapses with
unconditional mntget() on the same sucker, closing another too-early-mntput()
race.

Signed-off-by: Al Viro <[email protected]>
----
diff -urN RC12-rc4-15/fs/namei.c RC12-rc4-16/fs/namei.c
--- RC12-rc4-15/fs/namei.c 2005-05-19 16:39:44.743587923 -0400
+++ RC12-rc4-16/fs/namei.c 2005-05-19 16:39:45.837369971 -0400
@@ -506,7 +506,8 @@
touch_atime(nd->mnt, dentry);
nd_set_link(nd, NULL);

- mntget(path->mnt);
+ if (path->mnt == nd->mnt)
+ mntget(path->mnt);
error = dentry->d_inode->i_op->follow_link(dentry, nd);
if (!error) {
char *s = nd_get_link(nd);
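
Review bot: The new `if (path->mnt == nd->mnt)` guard in front of `mntget(path->mnt)` encodes a reference-ownership rule that is not documented anywhere in the hunk: when the two mounts differ, this function now takes over the caller's reference on path->mnt instead of acquiring its own. Suggest a short comment above the condition stating that, because the unconditional mntget() it replaces was self-explanatory, while this form is only correct if every caller arrives still holding that reference.
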
@@ -543,8 +544,6 @@
current->link_count++;
current->total_link_count++;
nd->depth++;
- if (path->mnt != nd->mnt)
- mntput(path->mnt);
err = __do_follow_link(path, nd);
current->link_count--;
nd->depth--;
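
Review bot: With the `if (path->mnt != nd->mnt) mntput(path->mnt);` pair removed ahead of `err = __do_follow_link(path, nd);`, correctness depends on every caller of __do_follow_link() following the same convention, and this patch touches only two call sites. Please confirm there is no other caller that still does its own conditional mntput() before the call: combined with the now-conditional mntget() in the first hunk, that would drop the reference without retaking it and leave the vfsmount under-counted while follow_link() is using it.
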
@@ -1550,8 +1549,6 @@
error = security_inode_follow_link(path.dentry, nd);
if (error)
goto exit_dput;
- if (nd->mnt != path.mnt)
- mntput(path.mnt);
error = __do_follow_link(&path, nd);
if (error)
return error;
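
Review bot: The `goto exit_dput` taken when security_inode_follow_link() fails sits before the call to __do_follow_link(), so on that path the reference on path.mnt that __do_follow_link() is now expected to consume is still held when nd->mnt != path.mnt. The removed mntput() was also placed after this check, so the patch does not change that path, but since reference ownership is being moved here it is worth confirming that exit_dput releases path.mnt in the differing-mount case, and saying so in the changelog.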