Merge tag 'pull-coda' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull coda dcache updates from Al Viro:
 "Coda dcache-related cleanups and fixes"

* tag 'pull-coda' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  coda_flag_children(): fix a UAF
  sanitize coda_dentry_delete()
  coda: is_bad_inode() is always false there

Author: torvalds

fs/coda/cache.c

@@ -93,12 +93,14 @@ static void coda_flag_children(struct dentry *parent, int flag)
 	struct dentry *de;
 
 	spin_lock(&parent->d_lock);
+	rcu_read_lock();
 	hlist_for_each_entry(de, &parent->d_children, d_sib) {
 		struct inode *inode = d_inode_rcu(de);
 		/* don't know what to do with negative dentries */
 		if (inode)
 			coda_flag_inode(inode, flag);
 	}
+	rcu_read_unlock();
 	spin_unlock(&parent->d_lock);
 }
 

fs/coda/dir.c

@@ -449,8 +449,6 @@ static int coda_dentry_revalidate(struct inode *dir, const struct qstr *name,
 	inode = d_inode(de);
 	if (!inode || is_root_inode(inode))
 		goto out;
-	if (is_bad_inode(inode))
-		goto bad;
 
 	cii = ITOC(d_inode(de));
 	if (!(cii->c_flags & (C_PURGE | C_FLUSH)))
@@ -470,7 +468,6 @@ static int coda_dentry_revalidate(struct inode *dir, const struct qstr *name,
 	spin_lock(&cii->c_lock);
 	cii->c_flags &= ~(C_VATTR | C_PURGE | C_FLUSH);
 	spin_unlock(&cii->c_lock);
-bad:
 	return 0;
 out:
 	return 1;
@@ -482,18 +479,12 @@ static int coda_dentry_revalidate(struct inode *dir, const struct qstr *name,
  */
 static int coda_dentry_delete(const struct dentry * dentry)
 {
-	struct inode *inode;
-	struct coda_inode_info *cii;
+	struct inode *inode = d_inode(dentry);
 
-	if (d_really_is_negative(dentry)) 
+	if (!inode)
 		return 0;
 
-	inode = d_inode(dentry);
-	if (!inode || is_bad_inode(inode))
-		return 1;
-
-	cii = ITOC(inode);
-	if (cii->c_flags & C_PURGE)
+	if (ITOC(inode)->c_flags & C_PURGE)
 		return 1;
 
 	return 0;