From 39ca6d49759346d4710c759d443eec8048b27213 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@www.linux.org.uk>
Date: Mon, 6 Jun 2005 13:36:12 -0700
Subject: [PATCH] [PATCH] namei fixes (16/19)

Conditional mntput() moved into __do_follow_link().  There it collapses with
unconditional mntget() on the same sucker, closing another too-early-mntput()
race.

Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 fs/namei.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index 6a884682b0a7..444086d441e1 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -506,7 +506,8 @@ static inline int __do_follow_link(struct path *path, struct nameidata *nd)
 	touch_atime(nd->mnt, dentry);
 	nd_set_link(nd, NULL);
 
-	mntget(path->mnt);
+	if (path->mnt == nd->mnt)
+		mntget(path->mnt);
 	error = dentry->d_inode->i_op->follow_link(dentry, nd);
 	if (!error) {
 		char *s = nd_get_link(nd);
@@ -543,8 +544,6 @@ static inline int do_follow_link(struct path *path, struct nameidata *nd)
 	current->link_count++;
 	current->total_link_count++;
 	nd->depth++;
-	if (path->mnt != nd->mnt)
-		mntput(path->mnt);
 	err = __do_follow_link(path, nd);
 	current->link_count--;
 	nd->depth--;
@@ -1550,8 +1549,6 @@ do_link:
 	error = security_inode_follow_link(path.dentry, nd);
 	if (error)
 		goto exit_dput;
-	if (nd->mnt != path.mnt)
-		mntput(path.mnt);
 	error = __do_follow_link(&path, nd);
 	if (error)
 		return error;