From: Al Viro <viro@xxxxxxxxxxxxxxxxxx> This patch has been added to the 4.1 stable tree. If you have any objections, please let us know. =============== [ Upstream commit d4565649b6d6923369112758212b851adc407f0c ] both do_last() and walk_component() risk picking a NULL inode out of dentry about to become positive, *then* checking its flags and seeing that it's not negative anymore and using (already stale by then) value they'd fetched earlier. Usually ends up oopsing soon after that... Cc: stable@xxxxxxxxxxxxxxx # v3.13+ Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx> --- fs/namei.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 4385722..f3cc848 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1619,10 +1619,10 @@ static inline int walk_component(struct nameidata *nd, struct path *path, if (err < 0) goto out_err; - inode = path->dentry->d_inode; err = -ENOENT; if (d_is_negative(path->dentry)) goto out_path_put; + inode = path->dentry->d_inode; } if (should_follow_link(path->dentry, follow)) { @@ -3078,6 +3078,7 @@ retry_lookup: path_to_nameidata(path, nd); goto out; } + inode = path->dentry->d_inode; finish_lookup: /* we _can_ be in RCU mode here */ if (should_follow_link(path->dentry, !symlink_ok)) { -- 2.5.0 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html