fix open/umount race nameidata_to_filp() drops nd->path or transfers it to opened file. In the former case it's a Bad Idea(tm) to do mnt_drop_write() on nd->path.mnt, since we might race with umount and vfsmount in question might be gone already. Fix: don't drop it, then... IOW, have nameidata_to_filp() grab nd->path in case it transfers it to file and do path_drop() in callers. After they are through with accessing nd->path... Reported-by: Miklos Szeredi <miklos@szeredi.hu> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit: d893f1bc2a9f0f7dcb4b433452c59f9bedac0d7d [log] [tgz]
author: Al Viro <viro@zeniv.linux.org.uk> Fri Oct 29 03:30:42 2010 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> Fri Oct 29 04:14:56 2010 -0400
tree: b3cf84a271ccb19529d83a544b6024bbb23a7801
parent: a4118ee1d80b527c385cadd14db79559efb8a493 [diff] [blame]
diff --git a/fs/namei.c b/fs/namei.c
index f7dbc06..5362af9 100644
--- a/fs/namei.c
+++ b/fs/namei.c

@@ -1574,6 +1574,7 @@
 	 */
 	if (will_truncate)
 		mnt_drop_write(nd->path.mnt);
+	path_put(&nd->path);
 	return filp;
 
 exit:
@@ -1675,6 +1676,7 @@
 		}
 		filp = nameidata_to_filp(nd);
 		mnt_drop_write(nd->path.mnt);
+		path_put(&nd->path);
 		if (!IS_ERR(filp)) {
 			error = ima_file_check(filp, acc_mode);
 			if (error) {
commit	d893f1bc2a9f0f7dcb4b433452c59f9bedac0d7d	[log] [tgz]
author	Al Viro <viro@zeniv.linux.org.uk>	Fri Oct 29 03:30:42 2010 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	Fri Oct 29 04:14:56 2010 -0400
tree	b3cf84a271ccb19529d83a544b6024bbb23a7801
parent	a4118ee1d80b527c385cadd14db79559efb8a493 [diff] [blame]