[ Upstream commit 2084ac6c ]
The function dentry_connected calls dput(dentry) to drop the previously
acquired reference to dentry. In this case, dentry can be released.
After that, IS_ROOT(dentry) checks the condition
(dentry == dentry->d_parent), which may result in a use-after-free bug.
This patch directly compares dentry with its parent obtained before
dropping the reference.
Fixes: a056cc89("exportfs: stop retrying once we race with
Signed-off-by: Pan Bian <firstname.lastname@example.org>
Signed-off-by: Al Viro <email@example.com>
Signed-off-by: Sasha Levin <firstname.lastname@example.org>