From: Al Viro

mntget(path->mnt) in do_follow_link() moved down to right before the
__do_follow_link() call and right after loop: resp.

dput()+mntput() on non-ELOOP branch moved up to right after
__do_follow_link() call.

resulting
loop:
	mntget(path->mnt);
	path_release(nd);
	dput(path->mnt);
	mntput(path->mnt);
replaced with equivalent
	dput(path->mnt);
	path_release(nd);

Equivalent transformations - the reason why we have that mntget() is that
__do_follow_link() can drop a reference to nd->mnt and that's what holds
path->mnt. So that call can happen at any point prior to
__do_follow_link() touching nd->mnt. The rest is obvious.

NOTE: current tree relies on symlinks *never* being mounted on anything.
It's not hard to get rid of that assumption (actually, that will come for
free later in the series). For now we are just not making the situation
worse than it is.

Signed-off-by: Al Viro
Signed-off-by: Andrew Morton

--- fs/namei.c | 9 ++++----- 1 files changed, 4 insertions(+), 5 deletions(-) diff -puN fs/namei.c~namei-fixes-06-19 fs/namei.c --- 25/fs/namei.c~namei-fixes-06-19 Fri May 20 15:42:08 2005 +++ 25-akpm/fs/namei.c Fri May 20 15:42:08 2005 @@ -526,7 +526,6 @@ static inline int __do_follow_link(struc static inline int do_follow_link(struct path *path, struct nameidata *nd) { int err = -ELOOP; - mntget(path->mnt); if (current->link_count >= MAX_NESTED_LINKS) goto loop; if (current->total_link_count >= 40) @@ -539,16 +538,16 @@ static inline int do_follow_link(struct current->link_count++; current->total_link_count++; nd->depth++; + mntget(path->mnt); err = __do_follow_link(path->dentry, nd); - current->link_count--; - nd->depth--; dput(path->dentry); mntput(path->mnt); + current->link_count--; + nd->depth--; return err; loop: - path_release(nd); dput(path->dentry); - mntput(path->mnt); + path_release(nd); return err; } _
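Review bot: In the first hunk (@@ -526), removing the mntget(path->mnt) at the top of do_follow_link() leaves every early `goto loop` exit, starting with the MAX_NESTED_LINKS check, without a private reference on path->mnt, so those exits are only safe while nd->mnt is what pins that mount. The lines between the two hunks are not shown here; any further jump to loop: in that range needs the same check before this goes in. Since the changelog already states the dependency (symlinks never being mounted on anything), please carry it into the code as a short comment at the top of the function, so the assumption is visible to whoever next touches the reference counting rather than living only in the commit message.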
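Review bot: At the loop: label in the second hunk (@@ -539), the order dput(path->dentry) then path_release(nd) is now load-bearing and nothing in the code says so: with the mntput() gone from this branch, nd's reference is the only thing keeping path->mnt alive while the dentry is dropped, and swapping the two calls back would drop the dentry after its mount may already be released. A one-line comment on that ordering, and another above the new mntget(path->mnt) saying it exists because __do_follow_link() can drop nd->mnt, would make both invariants reviewable in place. Separately, the changelog writes dput(path->mnt) in both the "resulting" and "replaced with" sequences where the code has dput(path->dentry); worth correcting before it lands so the description matches the diff.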