From: J. Bruce Fields Date: Mon, 17 Feb 2014 22:45:56 +0000 (-0500) Subject: dcache: close d_move race in d_splice_alias X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=75a2352d0110960aeee1a28ddc09a55f97c99100;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git dcache: close d_move race in d_splice_alias d_splice_alias will d_move an IS_ROOT() directory dentry into place if one exists. This should be safe as long as the dentry remains IS_ROOT, but I can't see what guarantees that: once we drop the i_lock all we hold here is the i_mutex on an unrelated parent directory. Instead copy the logic of d_materialise_unique. Reviewed-by: Christoph Hellwig Signed-off-by: J. Bruce Fields Signed-off-by: Al Viro --- diff --git a/fs/dcache.c b/fs/dcache.c index 8bdae36a095f..8c09db9bb2a4 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2676,9 +2676,14 @@ struct dentry *d_splice_alias(struct inode *inode, struct dentry *dentry) new = __d_find_alias(inode, 1); if (new) { BUG_ON(!(new->d_flags & DCACHE_DISCONNECTED)); + write_seqlock(&rename_lock); + __d_materialise_dentry(dentry, new); + write_sequnlock(&rename_lock); + __d_drop(new); + _d_rehash(new); + spin_unlock(&new->d_lock); spin_unlock(&inode->i_lock); security_d_instantiate(new, inode); - d_move(new, dentry); iput(inode); } else { /* already taking inode->i_lock, so d_add() by hand */