From: Al Viro OK, here comes a patch series that hopefully should close all too-early-mntput() races in fs/namei.c. Entire area is convoluted as hell, so I'm splitting that series into _very_ small chunks. Patches alread in the tree close only (very wide) races in following symlinks (see "busy inodes after umount" thread some time ago). Unfortunately, quite a few narrower races of the same nature were not closed. Hopefully this should take care of all of them. Signed-off-by: Andrew Morton --- fs/namei.c | 20 ++++++++++---------- 1 files changed, 10 insertions(+), 10 deletions(-) diff -puN fs/namei.c~namei-fixes-01-19 fs/namei.c --- 25/fs/namei.c~namei-fixes-01-19 Fri May 20 15:41:52 2005 +++ 25-akpm/fs/namei.c Fri May 20 15:41:52 2005 @@ -493,6 +493,11 @@ fail: return PTR_ERR(link); } +struct path { + struct vfsmount *mnt; + struct dentry *dentry; +}; + static inline int __do_follow_link(struct dentry *dentry, struct nameidata *nd) { int error; @@ -518,7 +523,7 @@ static inline int __do_follow_link(struc * Without that kind of total limit, nasty chains of consecutive * symlinks can cause almost arbitrarily long lookups. */ -static inline int do_follow_link(struct dentry *dentry, struct nameidata *nd) +static inline int do_follow_link(struct path *path, struct nameidata *nd) { int err = -ELOOP; if (current->link_count >= MAX_NESTED_LINKS) @@ -527,13 +532,13 @@ static inline int do_follow_link(struct goto loop; BUG_ON(nd->depth >= MAX_NESTED_LINKS); cond_resched(); - err = security_inode_follow_link(dentry, nd); + err = security_inode_follow_link(path->dentry, nd); if (err) goto loop; current->link_count++; current->total_link_count++; nd->depth++; - err = __do_follow_link(dentry, nd); + err = __do_follow_link(path->dentry, nd); current->link_count--; nd->depth--; return err; @@ -641,11 +646,6 @@ static inline void follow_dotdot(struct follow_mount(mnt, dentry); } -struct path { - struct vfsmount *mnt; - struct dentry *dentry; -}; - /* * It's more convoluted than I'd like it to be, but... it's still fairly * small and for now I'd prefer to have fast path as straight as possible. @@ -784,7 +784,7 @@ static fastcall int __link_path_walk(con if (inode->i_op->follow_link) { mntget(next.mnt); - err = do_follow_link(next.dentry, nd); + err = do_follow_link(&next, nd); dput(next.dentry); mntput(next.mnt); if (err) @@ -838,7 +838,7 @@ last_component: if ((lookup_flags & LOOKUP_FOLLOW) && inode && inode->i_op && inode->i_op->follow_link) { mntget(next.mnt); - err = do_follow_link(next.dentry, nd); + err = do_follow_link(&next, nd); dput(next.dentry); mntput(next.mnt); if (err) _