From ba7a4c1a76f56c607560f1676680ff491747bdae Mon Sep 17 00:00:00 2001
From: Al Viro <viro@www.linux.org.uk>
Date: Mon, 6 Jun 2005 13:36:08 -0700
Subject: [PATCH] [PATCH] namei fixes (13/19)

In open_namei() exit_dput: we have mntput() done in the wrong order -
if nd->mnt != path.mnt we end up doing
	mntput(nd->mnt);
	nd->mnt = path.mnt;
	dput(nd->dentry);
	mntput(nd->mnt);
which drops nd->dentry too late.  Fixed by having path.mnt go first.
That allows to switch O_NOFOLLOW under if (__follow_mount(...)) back
to exit_dput, while we are at it.

Fix for early-mntput() race + equivalent transformation.

Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 fs/namei.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index 37fcf941fa..5153f57ee6 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1501,11 +1501,8 @@ do_last:
 
 	if (__follow_mount(&path)) {
 		error = -ELOOP;
-		if (flag & O_NOFOLLOW) {
-			dput(path.dentry);
-			mntput(path.mnt);
-			goto exit;
-		}
+		if (flag & O_NOFOLLOW)
+			goto exit_dput;
 	}
 	error = -ENOENT;
 	if (!path.dentry->d_inode)
@@ -1530,8 +1527,7 @@ ok:
 exit_dput:
 	dput(path.dentry);
 	if (nd->mnt != path.mnt)
-		mntput(nd->mnt);
-	nd->mnt = path.mnt;
+		mntput(path.mnt);
 exit:
 	path_release(nd);
 	return error;
-- 
2.20.1