From: Al Viro Getting rid of sloppy logics: a) in do_follow_link() we have the wrong vfsmount dropped if our symlink had been mounted on something. Currently it worls only because we never get such situation (modulo filesystem playing dirty tricks on us). And it obfuscates already convoluted logics... b) same goes for open_namei(). c) in __link_path_walk() we have another "it should never happen" sloppiness - out_dput: there does double-free on underlying vfsmount and leaks the covering one if we hit it just after crossing a mountpoint. Again, wrong vfsmount getting dropped. d) another too-early-mntput() race - in do_follow_mount() we need to postpone conditional mntput(path->mnt) until after dput(path->dentry). Again, this one happens only in it-currently-never-happens-unless-some-fs-plays-dirty scenario... Signed-off-by: Al Viro Signed-off-by: Andrew Morton --- fs/namei.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) diff -puN fs/namei.c~namei-fixes-15-19 fs/namei.c --- 25/fs/namei.c~namei-fixes-15-19 Fri May 20 15:42:37 2005 +++ 25-akpm/fs/namei.c Fri May 20 15:42:37 2005 @@ -544,15 +544,15 @@ static inline int do_follow_link(struct current->total_link_count++; nd->depth++; if (path->mnt != nd->mnt) - mntput(nd->mnt); + mntput(path->mnt); err = __do_follow_link(path, nd); current->link_count--; nd->depth--; return err; loop: - if (path->mnt != nd->mnt) - mntput(nd->mnt); dput(path->dentry); + if (path->mnt != nd->mnt) + mntput(path->mnt); path_release(nd); return err; } @@ -906,7 +906,7 @@ return_base: out_dput: dput(next.dentry); if (nd->mnt != next.mnt) - mntput(nd->mnt); + mntput(next.mnt); break; } path_release(nd); @@ -1551,8 +1551,7 @@ do_link: if (error) goto exit_dput; if (nd->mnt != path.mnt) - mntput(nd->mnt); - nd->mnt = path.mnt; + mntput(path.mnt); error = __do_follow_link(&path, nd); if (error) return error; _