From: Al Viro
Conditional mntput() moved into __do_follow_link(). There it collapses with unconditional mntget() on the same sucker, closing another too-early-mntput() race.
Signed-off-by: Al Viro
Signed-off-by: Andrew Morton
---
 fs/namei.c | 7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)
diff -puN fs/namei.c~namei-fixes-16-19 fs/namei.c
--- 25/fs/namei.c~namei-fixes-16-19 Fri May 20 15:42:40 2005
+++ 25-akpm/fs/namei.c Fri May 20 15:42:40 2005
@@ -506,7 +506,8 @@ static inline int __do_follow_link(struc
 touch_atime(nd->mnt, dentry);
 nd_set_link(nd, NULL);
- mntget(path->mnt);
+ if (path->mnt == nd->mnt)
+ mntget(path->mnt);
 error = dentry->d_inode->i_op->follow_link(dentry, nd);
 if (!error) {
 char *s = nd_get_link(nd);
@@ -543,8 +544,6 @@ static inline int do_follow_link(struct
 current->link_count++;
 current->total_link_count++;
 nd->depth++;
- if (path->mnt != nd->mnt)
- mntput(path->mnt);
 err = __do_follow_link(path, nd);
 current->link_count--;
 nd->depth--;
@@ -1550,8 +1549,6 @@ do_link:
 error = security_inode_follow_link(path.dentry, nd);
 if (error)
 goto exit_dput;
- if (nd->mnt != path.mnt)
- mntput(path.mnt);
 error = __do_follow_link(&path, nd);
 if (error)
 return error;
_
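Review bot: The new `if (path->mnt == nd->mnt)` guard in front of `mntget(path->mnt)` in __do_follow_link() encodes a reference-ownership rule that the code does not state anywhere. I would put a comment directly above it, for example `/* path->mnt == nd->mnt: borrowed from nd, so pin it; otherwise the caller's own reference is handed over to us */`. The function starts and ends outside this hunk, so the release that pairs with this reference is not visible here. It is worth confirming that every exit path drops exactly one reference on `path->mnt`, because a vfsmount count that goes one too low can free the mount while it is still in use, and one too high pins it forever. The same applies to the `goto exit_dput` path kept in the third hunk, which now runs without the removed `mntput(path.mnt)` having happened; presumably `exit_dput` accounts for that, but it cannot be seen from here.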