From: Al Viro In open_namei() exit_dput: we have mntput() done in the wrong order - if nd->mnt != path.mnt we end up doing mntput(nd->mnt); nd->mnt = path.mnt; dput(nd->dentry); mntput(nd->mnt); which drops nd->dentry too late. Fixed by having path.mnt go first. That allows to switch O_NOFOLLOW under if (__follow_mount(...)) back to exit_dput, while we are at it. Fix for early-mntput() race + equivalent transformation. Signed-off-by: Al Viro Signed-off-by: Andrew Morton
---
 fs/namei.c | 10 +++-------
 1 files changed, 3 insertions(+), 7 deletions(-)
diff -puN fs/namei.c~namei-fixes-13-19 fs/namei.c
--- 25/fs/namei.c~namei-fixes-13-19 Fri May 20 15:42:31 2005
+++ 25-akpm/fs/namei.c Fri May 20 15:42:31 2005
@@ -1501,11 +1501,8 @@ do_last:
 if (__follow_mount(&path)) {
 error = -ELOOP;
- if (flag & O_NOFOLLOW) {
- dput(path.dentry);
- mntput(path.mnt);
- goto exit;
- }
+ if (flag & O_NOFOLLOW)
+ goto exit_dput;
 }
 error = -ENOENT;
 if (!path.dentry->d_inode)
@@ -1530,8 +1527,7 @@ ok:
 exit_dput:
 dput(path.dentry);
 if (nd->mnt != path.mnt)
- mntput(nd->mnt);
- nd->mnt = path.mnt;
+ mntput(path.mnt);
 exit:
 path_release(nd);
 return error;
_
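Review bot: The `goto exit_dput` in the O_NOFOLLOW branch matches the removed unconditional `mntput(path.mnt)` only if `path.mnt` differs from `nd->mnt` whenever `__follow_mount()` returns nonzero; if they could be equal, the mount reference taken during the crossing would leak. That presumably holds because a successful crossing replaces `path.mnt`, but `__follow_mount()` is not visible in this hunk. I would state the assumption where it is relied on, above the `if (flag & O_NOFOLLOW)` line: `/* __follow_mount() returned nonzero, so path.mnt != nd->mnt and exit_dput puts it */`. The enclosing function starts and ends outside the hunk.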
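Review bot: The `exit_dput:` path depends on an ownership rule that the code never states: `path.mnt` carries its own reference only when it differs from `nd->mnt`, and `path.dentry` must be dropped before the vfsmount that pins it. Getting this wrong is a reference-count bug, either a mount released while a dentry on it is still held or a leaked mount reference. A comment at the label would help later edits keep the order: `/* drop path.dentry first; path.mnt is ours to put only if it differs from nd->mnt */`. If the same dput-then-conditional-mntput pair occurs elsewhere in fs/namei.c, a small static helper would keep the ordering in one place; only this exit path is visible here.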