fix open/umount race
authorAl Viro <viro@zeniv.linux.org.uk>
Fri, 29 Oct 2010 07:30:42 +0000 (03:30 -0400)
committerAl Viro <viro@zeniv.linux.org.uk>
Fri, 29 Oct 2010 08:14:56 +0000 (04:14 -0400)
commitd893f1bc2a9f0f7dcb4b433452c59f9bedac0d7d
treeb3cf84a271ccb19529d83a544b6024bbb23a7801
parenta4118ee1d80b527c385cadd14db79559efb8a493
fix open/umount race

nameidata_to_filp() drops nd->path or transfers it to opened
file.  In the former case it's a Bad Idea(tm) to do mnt_drop_write()
on nd->path.mnt, since we might race with umount and vfsmount in
question might be gone already.

Fix: don't drop it, then...  IOW, have nameidata_to_filp() grab nd->path
in case it transfers it to file and do path_drop() in callers.  After
they are through with accessing nd->path...

Reported-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/namei.c
fs/open.c