From: Maneesh Soni <maneesh@in.ibm.com>

- hpfs_unlink() can race with lockless d_lookup(): d_lookup() may have
  successfully looked up a dentry at the same time that
  hpfs_unlink()--->d_drop() has dropped it. Taking the per-dentry lock
  before checking d_count in hpfs_unlink() solves this race condition.




 fs/hpfs/namei.c |    3 +++
 1 files changed, 3 insertions(+)

diff -puN fs/hpfs/namei.c~hpfs-d_count-fix fs/hpfs/namei.c
--- 25/fs/hpfs/namei.c~hpfs-d_count-fix	2003-06-19 09:53:22.000000000 -0700
+++ 25-akpm/fs/hpfs/namei.c	2003-06-19 09:53:22.000000000 -0700
@@ -372,12 +372,15 @@ again:
 		if (rep)
 			goto ret;
 		d_drop(dentry);
+		spin_lock(&dentry->d_lock);
 		if (atomic_read(&dentry->d_count) > 1 ||
 		    permission(inode, MAY_WRITE) ||
 		    get_write_access(inode)) {
+			spin_unlock(&dentry->d_lock);
 			d_rehash(dentry);
 			goto ret;
 		}
+		spin_unlock(&dentry->d_lock);
 		/*printk("HPFS: truncating file before delete.\n");*/
 		newattrs.ia_size = 0;
 		newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
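Review bot: The added `spin_lock(&dentry->d_lock)` stays held across `permission(inode, MAY_WRITE)` and `get_write_access(inode)`, although only the `d_count` read needs it. Whether either call can block for this inode is not visible in the hunk, but if one did, it would be sleeping with a spinlock held, and in any case the critical section is longer than the race requires. Sampling the count into a local under the lock and unlocking before the other two checks keeps the same short-circuit order and removes the extra `spin_unlock()` in the failure branch. The local flag (`busy` below) would have to be declared at the top of the function, which starts outside this hunk.

```c
		d_drop(dentry);
		/* d_lock orders the d_count check against a lockless d_lookup() */
		spin_lock(&dentry->d_lock);
		busy = atomic_read(&dentry->d_count) > 1;
		spin_unlock(&dentry->d_lock);
		if (busy ||
		    permission(inode, MAY_WRITE) ||
		    get_write_access(inode)) {
			/* … unchanged: d_rehash(dentry); goto ret; … */
		}
```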

_