diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2010-10-29 03:30:42 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2010-10-29 04:14:56 -0400 |
commit | d893f1bc2a9f0f7dcb4b433452c59f9bedac0d7d (patch) | |
tree | b3cf84a271ccb19529d83a544b6024bbb23a7801 /fs/open.c | |
parent | a4118ee1d80b527c385cadd14db79559efb8a493 (diff) | |
download | lwn-d893f1bc2a9f0f7dcb4b433452c59f9bedac0d7d.tar.gz lwn-d893f1bc2a9f0f7dcb4b433452c59f9bedac0d7d.zip |
fix open/umount race
nameidata_to_filp() drops nd->path or transfers it to opened
file. In the former case it's a Bad Idea(tm) to do mnt_drop_write()
on nd->path.mnt, since we might race with umount and vfsmount in
question might be gone already.
Fix: don't drop it, then... IOW, have nameidata_to_filp() grab nd->path
in case it transfers it to file and do path_drop() in callers. After
they are through with accessing nd->path...
Reported-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/open.c')
-rw-r--r-- | fs/open.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/open.c b/fs/open.c index d74e1983e8dc..4197b9ed023d 100644 --- a/fs/open.c +++ b/fs/open.c @@ -786,11 +786,11 @@ struct file *nameidata_to_filp(struct nameidata *nd) /* Pick up the filp from the open intent */ filp = nd->intent.open.file; /* Has the filesystem initialised the file for us? */ - if (filp->f_path.dentry == NULL) + if (filp->f_path.dentry == NULL) { + path_get(&nd->path); filp = __dentry_open(nd->path.dentry, nd->path.mnt, filp, NULL, cred); - else - path_put(&nd->path); + } return filp; } |