aufs: bugfix, ignore the being freed dynop object

Aufs DYNOP (Dynamically customizable FS operations) object is managed by
kref, and when its counter reaches zero, the callback function removes
the object from the internal list which is protected by a spinlock and
then frees the object.
Here there is a small time window between
A: the counter reaches zero, and
B: require the lock to remove the object from the list.
If someone else acquires the lock and searches the list, it may find the
counter-zero'ed object which means the object is being freed.
This commit ignores the object whose counter is already zero.
Reported-and-tested-by: Kirill Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: J. R. Okajima <hooanon05g@gmail.com>
(cherry picked from commit b633d7b2635b9615fe294b85257d05008e3747a3)

fs/aufs/dynop.c

@@ -27,8 +27,8 @@ static struct au_dykey *dy_gfind_get(struct hlist_bl_head *hbl,
 	hlist_bl_lock(hbl);
 	hlist_bl_for_each_entry(tmp, pos, hbl, dk_hnode)
 		if (tmp->dk_op.dy_hop == h_op) {
+			if (kref_get_unless_zero(&tmp->dk_kref))
 				key = tmp;
-			kref_get(&key->dk_kref);
 			break;
 		}
 	hlist_bl_unlock(hbl);
@@ -82,7 +82,7 @@ static struct au_dykey *dy_gadd(struct hlist_bl_head *hbl, struct au_dykey *key)
 	hlist_bl_lock(hbl);
 	hlist_bl_for_each_entry(tmp, pos, hbl, dk_hnode)
 		if (tmp->dk_op.dy_hop == h_op) {
-			kref_get(&tmp->dk_kref);
+			if (kref_get_unless_zero(&tmp->dk_kref))
 				found = tmp;
 			break;
 		}