vfs_rename_dir() doesn't properly account for filesystems with FS_RENAME_DOES_D_MOVE. If new_dentry has a target inode attached, it unhashes the new_dentry prior to the rename() iop and rehashes it after, but doesn't account for the possibility that rename() may have swapped {old,new}_dentry. For FS_RENAME_DOES_D_MOVE filesystems, it rehashes new_dentry (now the old renamed-from name, which d_move() expected to go away), such that a subsequent lookup will find it... and the overwritten target inode.

To correct this, call d_rehash only in case of error or if the file system doesn't do d_move itself.

Based on the original patch by Sage Weil <sage@xxxxxxxxxxxx>
http://kerneltrap.org/mailarchive/linux-fsdevel/2008/4/18/1498534

Cc: Zach Brown <zach.brown@xxxxxxxxxx>
Cc: Sage Weil <sage@xxxxxxxxxxxx>
Cc: Miklos Szeredi <mszeredi@xxxxxxx>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>
--- fs/namei.c | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 7d77f24..5631ccf 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3259,8 +3259,15 @@ static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry, dont_mount(new_dentry); } mutex_unlock(&target->i_mutex); - if (d_unhashed(new_dentry)) - d_rehash(new_dentry); + /* + * if rename callback returned success and we have + * FS_RENAME_DOES_D_MOVE set, then don't do the + * rehash. + */ + if (error || + !(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE)) + if (d_unhashed(new_dentry)) + d_rehash(new_dentry); dput(new_dentry); } if (!error) -- 1.7.1
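Review bot: The added `if (error || !(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE))` guards a second, unbraced `if (d_unhashed(new_dentry))`, so the rehash now sits under two stacked brace-less conditions, one of them spanning two lines. That is easy to misread and fragile if an `else` is ever attached. Consider folding both tests into one condition joined with `&&`, or bracing the outer `if`. The new comment also only restates the condition in negated form ("don't do the rehash") without giving the reason. It would help later readers if it said what the commit message says: after a successful rename() on an FS_RENAME_DOES_D_MOVE filesystem the dentries may already have been swapped by d_move(), so rehashing new_dentry would make the old name, and the overwritten target inode, reachable by lookup again.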