dcache: close d_move race in d_splice_alias d_splice_alias will d_move an IS_ROOT() directory dentry into place if one exists. This should be safe as long as the dentry remains IS_ROOT, but I can't see what guarantees that: once we drop the i_lock all we hold here is the i_mutex on an unrelated parent directory. Instead copy the logic of d_materialise_unique. Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit: 75a2352d0110960aeee1a28ddc09a55f97c99100 [log] [tgz]
author: J. Bruce Fields <bfields@redhat.com> Mon Feb 17 17:45:56 2014 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> Thu Aug 07 14:40:10 2014 -0400
tree: 09df0569f40eb0a50a752575fa7991c62b98a76b
parent: 3f70bd51cb4405dc5cf8624292ffa474679fc9c7 [diff]
diff --git a/fs/dcache.c b/fs/dcache.c
index 8bdae36..8c09db9 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c

@@ -2676,9 +2676,14 @@
 		new = __d_find_alias(inode, 1);
 		if (new) {
 			BUG_ON(!(new->d_flags & DCACHE_DISCONNECTED));
+			write_seqlock(&rename_lock);
+			__d_materialise_dentry(dentry, new);
+			write_sequnlock(&rename_lock);
+			__d_drop(new);
+			_d_rehash(new);
+			spin_unlock(&new->d_lock);
 			spin_unlock(&inode->i_lock);
 			security_d_instantiate(new, inode);
-			d_move(new, dentry);
 			iput(inode);
 		} else {
 			/* already taking inode->i_lock, so d_add() by hand */
commit	75a2352d0110960aeee1a28ddc09a55f97c99100	[log] [tgz]
author	J. Bruce Fields <bfields@redhat.com>	Mon Feb 17 17:45:56 2014 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	Thu Aug 07 14:40:10 2014 -0400
tree	09df0569f40eb0a50a752575fa7991c62b98a76b
parent	3f70bd51cb4405dc5cf8624292ffa474679fc9c7 [diff]