From: Al Viro <viro@zeniv.linux.org.uk>
To: Trond Myklebust <trondmy@hammerspace.com>
Cc: "anna@kernel.org" <anna@kernel.org>,
"hch@infradead.org" <hch@infradead.org>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] NFS: Fix directory delegation verifier checks
Date: Sun, 5 Apr 2026 03:39:53 +0100 [thread overview]
Message-ID: <20260405023953.GU3836593@ZenIV> (raw)
In-Reply-To: <20260404183247.GA2798238@ZenIV>
On Sat, Apr 04, 2026 at 07:32:47PM +0100, Al Viro wrote:
> [cc to fsdevel added]
>
> On Wed, Dec 31, 2025 at 09:52:35PM +0000, Trond Myklebust wrote:
>
> > +static void nfs_clear_verifier_directory(struct inode *dir)
> > +{
> > + struct dentry *this_parent;
> > + struct dentry *dentry;
> > + struct inode *inode;
> > +
> > + if (hlist_empty(&dir->i_dentry))
> > + return;
> > + this_parent =
> > + hlist_entry(dir->i_dentry.first, struct dentry, d_u.d_alias);
> > +
> > + spin_lock(&this_parent->d_lock);
> > + nfs_unset_verifier_delegated(&this_parent->d_time);
> > + dentry = d_first_child(this_parent);
> > + hlist_for_each_entry_from(dentry, d_sib) {
> > + if (unlikely(dentry->d_flags & DCACHE_DENTRY_CURSOR))
> > + continue;
> > + inode = d_inode_rcu(dentry);
> > + if (inode &&
> > + NFS_PROTO(inode)->have_delegation(inode, FMODE_READ, 0))
> > + continue;
>
> What's to stop the inode from being freed right under you? You are *not*
> guaranteed to be holding rcu_read_lock(), unless I'm missing something
> in the call chain, so... what's going on here?
Incidentally, nfs_clear_verifier_file() doesn't need to bother with
checking for NULL dir - alias is found in ->i_dentry of inode with
->i_lock held, which means it can't have progressed through
__dentry_kill() to dropping the reference to parent. So holding
alias->d_lock (which stabilizes ->d_parent) is enough - ->d_parent
is still pinned by alias and it can't have become negative.
"Can't have progressed through __dentry_kill()" is critical here -
that's the difference from nfs_set_verifier_locked() case.
Folks, this stuff can get seriously subtle; _please_ ask around on
fsdevel if you are doing something non-trivial with it.
prev parent reply other threads:[~2026-04-05 2:36 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20251219201344.380279-1-anna@kernel.org>
[not found] ` <aUnHnlnDtwMJGP3u@infradead.org>
[not found] ` <aUnq_d93Wo9e-oUD@infradead.org>
[not found] ` <53d40f4781783f9b79196bb30975b788be8bb969.camel@hammerspace.com>
2026-04-04 18:32 ` [PATCH] NFS: Fix directory delegation verifier checks Al Viro
2026-04-04 19:07 ` Al Viro
2026-04-05 2:39 ` Al Viro [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260405023953.GU3836593@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=anna@kernel.org \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox