[PATCHES] simple part of ->d_name stuff

[PATCHES] simple part of ->d_name stuff

[Al Viro]

	Rules for ->d_name access are rather unpleasant and so's
verifying that they are followed.  There is a relatively simple part,
though - nobody outside of fs/dcache.c has any business modifying
that thing.

	So let's make sure that all functions we are passing
&dentry->d_name are taking const struct qstr * and replace
->d_name with an anon union of struct qstr *__d_name and
const struct qstr *d_name.

	It is *not* enough to guarantee that another thread will
not call __d_move() right under you - checking the requirements
for that is the hard part.  It does make it easy to verify that
nothing else accidentally starts changing it.

	This stuff lives in
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git #work.qstr
Branch is -rc4-based, individual patches in followups.

	Please, review.  If nobody objects, I'll put that in #for-next.

Shortlog:
      security_dentry_init_security(): constify qstr argument
      exfat_find(): constify qstr argument
      afs_edit_dir_{add,remove}(): constify qstr argument
      afs_dir_search: constify qstr argument
      generic_ci_validate_strict_name(): constify name argument
      make it easier to catch those who try to modify ->d_name

Diffstat:
 fs/afs/dir_edit.c             |  4 ++--
 fs/afs/dir_search.c           |  2 +-
 fs/afs/internal.h             |  6 +++---
 fs/dcache.c                   | 26 +++++++++++++-------------
 fs/exfat/namei.c              |  2 +-
 include/linux/dcache.h        |  5 ++++-
 include/linux/fs.h            |  6 ++++--
 include/linux/lsm_hook_defs.h |  2 +-
 include/linux/security.h      |  4 ++--
 security/security.c           |  2 +-
 security/selinux/hooks.c      |  2 +-
 security/smack/smack_lsm.c    |  2 +-
 12 files changed, 34 insertions(+), 29 deletions(-)

[PATCH 1/6] security_dentry_init_security(): constify qstr argument

[Al Viro]

Nothing outside of fs/dcache.c has any business modifying
dentry names; passing &dentry->d_name as an argument should
have that argument declared as a const pointer.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 include/linux/lsm_hook_defs.h | 2 +-
 include/linux/security.h      | 4 ++--
 security/security.c           | 2 +-
 security/selinux/hooks.c      | 2 +-
 security/smack/smack_lsm.c    | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index fd11fffdd3c3..aa4d6ec9c98b 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -85,7 +85,7 @@ LSM_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry,
 	 int mode, const struct qstr *name, const char **xattr_name,
 	 struct lsm_context *cp)
 LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode,
-	 struct qstr *name, const struct cred *old, struct cred *new)
+	 const struct qstr *name, const struct cred *old, struct cred *new)
 
 #ifdef CONFIG_SECURITY_PATH
 LSM_HOOK(int, 0, path_unlink, const struct path *dir, struct dentry *dentry)
diff --git a/include/linux/security.h b/include/linux/security.h
index 521bcb5b9717..3f694d3ebd70 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -391,7 +391,7 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
 				  const char **xattr_name,
 				  struct lsm_context *lsmcxt);
 int security_dentry_create_files_as(struct dentry *dentry, int mode,
-					struct qstr *name,
+					const struct qstr *name,
 					const struct cred *old,
 					struct cred *new);
 int security_path_notify(const struct path *path, u64 mask,
@@ -871,7 +871,7 @@ static inline int security_dentry_init_security(struct dentry *dentry,
 }
 
 static inline int security_dentry_create_files_as(struct dentry *dentry,
-						  int mode, struct qstr *name,
+						  int mode, const struct qstr *name,
 						  const struct cred *old,
 						  struct cred *new)
 {
diff --git a/security/security.c b/security/security.c
index ad163f06bf7a..db2d75be87cc 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1775,7 +1775,7 @@ EXPORT_SYMBOL(security_dentry_init_security);
  * Return: Returns 0 on success, error on failure.
  */
 int security_dentry_create_files_as(struct dentry *dentry, int mode,
-				    struct qstr *name,
+				    const struct qstr *name,
 				    const struct cred *old, struct cred *new)
 {
 	return call_int_hook(dentry_create_files_as, dentry, mode,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c95a5874bf7d..58ce49954206 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2901,7 +2901,7 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
 }
 
 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
-					  struct qstr *name,
+					  const struct qstr *name,
 					  const struct cred *old,
 					  struct cred *new)
 {
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index fc340a6f0dde..5caa372ffbf3 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4908,7 +4908,7 @@ static int smack_inode_copy_up_xattr(struct dentry *src, const char *name)
 }
 
 static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
-					struct qstr *name,
+					const struct qstr *name,
 					const struct cred *old,
 					struct cred *new)
 {
-- 
2.47.2

[PATCH 2/6] exfat_find(): constify qstr argument

[Al Viro]

Nothing outside of fs/dcache.c has any business modifying
dentry names; passing &dentry->d_name as an argument should
have that argument declared as a const pointer.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 fs/exfat/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
index f5f1c4e8a29f..c8388a2ec227 100644
--- a/fs/exfat/namei.c
+++ b/fs/exfat/namei.c
@@ -587,7 +587,7 @@ static int exfat_create(struct mnt_idmap *idmap, struct inode *dir,
 }
 
 /* lookup a file */
-static int exfat_find(struct inode *dir, struct qstr *qname,
+static int exfat_find(struct inode *dir, const struct qstr *qname,
 		struct exfat_dir_entry *info)
 {
 	int ret, dentry, count;
-- 
2.47.2

[PATCH 3/6] afs_edit_dir_{add,remove}(): constify qstr argument

[Al Viro]

Nothing outside of fs/dcache.c has any business modifying
dentry names; passing &dentry->d_name as an argument should
have that argument declared as a const pointer.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 fs/afs/dir_edit.c | 4 ++--
 fs/afs/internal.h | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/afs/dir_edit.c b/fs/afs/dir_edit.c
index 60a549f1d9c5..60b0f70f63a3 100644
--- a/fs/afs/dir_edit.c
+++ b/fs/afs/dir_edit.c
@@ -239,7 +239,7 @@ static void afs_edit_init_block(union afs_xdr_dir_block *meta,
  * The caller must hold the inode locked.
  */
 void afs_edit_dir_add(struct afs_vnode *vnode,
-		      struct qstr *name, struct afs_fid *new_fid,
+		      const struct qstr *name, struct afs_fid *new_fid,
 		      enum afs_edit_dir_reason why)
 {
 	union afs_xdr_dir_block *meta, *block;
@@ -391,7 +391,7 @@ void afs_edit_dir_add(struct afs_vnode *vnode,
  * The caller must hold the inode locked.
  */
 void afs_edit_dir_remove(struct afs_vnode *vnode,
-			 struct qstr *name, enum afs_edit_dir_reason why)
+			 const struct qstr *name, enum afs_edit_dir_reason why)
 {
 	union afs_xdr_dir_block *meta, *block, *pblock;
 	union afs_xdr_dirent *de, *pde;
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 1124ea4000cb..db14882d367b 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -1097,9 +1097,9 @@ int afs_single_writepages(struct address_space *mapping,
 /*
  * dir_edit.c
  */
-extern void afs_edit_dir_add(struct afs_vnode *, struct qstr *, struct afs_fid *,
+extern void afs_edit_dir_add(struct afs_vnode *, const struct qstr *, struct afs_fid *,
 			     enum afs_edit_dir_reason);
-extern void afs_edit_dir_remove(struct afs_vnode *, struct qstr *, enum afs_edit_dir_reason);
+extern void afs_edit_dir_remove(struct afs_vnode *, const struct qstr *, enum afs_edit_dir_reason);
 void afs_edit_dir_update_dotdot(struct afs_vnode *vnode, struct afs_vnode *new_dvnode,
 				enum afs_edit_dir_reason why);
 void afs_mkdir_init_dir(struct afs_vnode *dvnode, struct afs_vnode *parent_vnode);
-- 
2.47.2

[PATCH 4/6] afs_dir_search: constify qstr argument

[Al Viro]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 fs/afs/dir_search.c | 2 +-
 fs/afs/internal.h   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/afs/dir_search.c b/fs/afs/dir_search.c
index b25bd892db4d..d2516e55b5ed 100644
--- a/fs/afs/dir_search.c
+++ b/fs/afs/dir_search.c
@@ -188,7 +188,7 @@ int afs_dir_search_bucket(struct afs_dir_iter *iter, const struct qstr *name,
 /*
  * Search the appropriate hash chain in the contents of an AFS directory.
  */
-int afs_dir_search(struct afs_vnode *dvnode, struct qstr *name,
+int afs_dir_search(struct afs_vnode *dvnode, const struct qstr *name,
 		   struct afs_fid *_fid, afs_dataversion_t *_dir_version)
 {
 	struct afs_dir_iter iter = { .dvnode = dvnode, };
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index db14882d367b..1ce5deaf6019 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -1112,7 +1112,7 @@ bool afs_dir_init_iter(struct afs_dir_iter *iter, const struct qstr *name);
 union afs_xdr_dir_block *afs_dir_find_block(struct afs_dir_iter *iter, size_t block);
 int afs_dir_search_bucket(struct afs_dir_iter *iter, const struct qstr *name,
 			  struct afs_fid *_fid);
-int afs_dir_search(struct afs_vnode *dvnode, struct qstr *name,
+int afs_dir_search(struct afs_vnode *dvnode, const struct qstr *name,
 		   struct afs_fid *_fid, afs_dataversion_t *_dir_version);
 
 /*
-- 
2.47.2

[PATCH 5/6] generic_ci_validate_strict_name(): constify name argument

[Al Viro]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 include/linux/fs.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/linux/fs.h b/include/linux/fs.h
index d7ab4f96d705..6dcfc1c399ca 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -3719,7 +3719,8 @@ int generic_ci_d_compare(const struct dentry *dentry, unsigned int len,
  *   happens when a directory is casefolded and the filesystem is strict
  *   about its encoding.
  */
-static inline bool generic_ci_validate_strict_name(struct inode *dir, struct qstr *name)
+static inline bool generic_ci_validate_strict_name(struct inode *dir,
+						   const struct qstr *name)
 {
 	if (!IS_CASEFOLDED(dir) || !sb_has_strict_encoding(dir->i_sb))
 		return true;
@@ -3734,7 +3735,8 @@ static inline bool generic_ci_validate_strict_name(struct inode *dir, struct qst
 	return !utf8_validate(dir->i_sb->s_encoding, name);
 }
 #else
-static inline bool generic_ci_validate_strict_name(struct inode *dir, struct qstr *name)
+static inline bool generic_ci_validate_strict_name(struct inode *dir,
+						   const struct qstr *name)
 {
 	return true;
 }
-- 
2.47.2

[PATCH 6/6] make it easier to catch those who try to modify ->d_name

[Al Viro]

Turn d_name into an anon union of const struct qstr d_name with
struct qstr __d_name.  Very few places need to modify it (all
in fs/dcache.c); those are switched to use of ->__d_name.

Note that ->d_name can actually change under you unless you have
the right locking environment; this const just prohibits accidentally
doing stores without being easily spotted.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 fs/dcache.c            | 26 +++++++++++++-------------
 include/linux/dcache.h |  5 ++++-
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 60046ae23d51..b4cd5e1321b3 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1717,13 +1717,13 @@ static struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
 		dname = dentry->d_shortname.string;
 	}	
 
-	dentry->d_name.len = name->len;
-	dentry->d_name.hash = name->hash;
+	dentry->__d_name.len = name->len;
+	dentry->__d_name.hash = name->hash;
 	memcpy(dname, name->name, name->len);
 	dname[name->len] = 0;
 
 	/* Make sure we always see the terminating NUL character */
-	smp_store_release(&dentry->d_name.name, dname); /* ^^^ */
+	smp_store_release(&dentry->__d_name.name, dname); /* ^^^ */
 
 	dentry->d_flags = 0;
 	lockref_init(&dentry->d_lockref);
@@ -2743,15 +2743,15 @@ static void swap_names(struct dentry *dentry, struct dentry *target)
 			/*
 			 * Both external: swap the pointers
 			 */
-			swap(target->d_name.name, dentry->d_name.name);
+			swap(target->__d_name.name, dentry->__d_name.name);
 		} else {
 			/*
 			 * dentry:internal, target:external.  Steal target's
 			 * storage and make target internal.
 			 */
-			dentry->d_name.name = target->d_name.name;
+			dentry->__d_name.name = target->__d_name.name;
 			target->d_shortname = dentry->d_shortname;
-			target->d_name.name = target->d_shortname.string;
+			target->__d_name.name = target->d_shortname.string;
 		}
 	} else {
 		if (unlikely(dname_external(dentry))) {
@@ -2759,9 +2759,9 @@ static void swap_names(struct dentry *dentry, struct dentry *target)
 			 * dentry:external, target:internal.  Give dentry's
 			 * storage to target and make dentry internal
 			 */
-			target->d_name.name = dentry->d_name.name;
+			target->__d_name.name = dentry->__d_name.name;
 			dentry->d_shortname = target->d_shortname;
-			dentry->d_name.name = dentry->d_shortname.string;
+			dentry->__d_name.name = dentry->d_shortname.string;
 		} else {
 			/*
 			 * Both are internal.
@@ -2771,7 +2771,7 @@ static void swap_names(struct dentry *dentry, struct dentry *target)
 				     target->d_shortname.words[i]);
 		}
 	}
-	swap(dentry->d_name.hash_len, target->d_name.hash_len);
+	swap(dentry->__d_name.hash_len, target->__d_name.hash_len);
 }
 
 static void copy_name(struct dentry *dentry, struct dentry *target)
@@ -2781,11 +2781,11 @@ static void copy_name(struct dentry *dentry, struct dentry *target)
 		old_name = external_name(dentry);
 	if (unlikely(dname_external(target))) {
 		atomic_inc(&external_name(target)->count);
-		dentry->d_name = target->d_name;
+		dentry->__d_name = target->__d_name;
 	} else {
 		dentry->d_shortname = target->d_shortname;
-		dentry->d_name.name = dentry->d_shortname.string;
-		dentry->d_name.hash_len = target->d_name.hash_len;
+		dentry->__d_name.name = dentry->d_shortname.string;
+		dentry->__d_name.hash_len = target->__d_name.hash_len;
 	}
 	if (old_name && likely(atomic_dec_and_test(&old_name->count)))
 		kfree_rcu(old_name, head);
@@ -3133,7 +3133,7 @@ void d_mark_tmpfile(struct file *file, struct inode *inode)
 		!d_unlinked(dentry));
 	spin_lock(&dentry->d_parent->d_lock);
 	spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
-	dentry->d_name.len = sprintf(dentry->d_shortname.string, "#%llu",
+	dentry->__d_name.len = sprintf(dentry->d_shortname.string, "#%llu",
 				(unsigned long long)inode->i_ino);
 	spin_unlock(&dentry->d_lock);
 	spin_unlock(&dentry->d_parent->d_lock);
diff --git a/include/linux/dcache.h b/include/linux/dcache.h
index cc3e1c1a3454..c83e02b94389 100644
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -95,7 +95,10 @@ struct dentry {
 	seqcount_spinlock_t d_seq;	/* per dentry seqlock */
 	struct hlist_bl_node d_hash;	/* lookup hash list */
 	struct dentry *d_parent;	/* parent directory */
-	struct qstr d_name;
+	union {
+	struct qstr __d_name;		/* for use ONLY in fs/dcache.c */
+	const struct qstr d_name;
+	};
 	struct inode *d_inode;		/* Where the name belongs to - NULL is
 					 * negative */
 	union shortname_store d_shortname;
-- 
2.47.2

Re: [PATCHES] simple part of ->d_name stuff

[David Howells]

Al Viro <viro@zeniv.linux.org.uk> wrote:

> 	Rules for ->d_name access are rather unpleasant and so's
> verifying that they are followed.  There is a relatively simple part,
> though - nobody outside of fs/dcache.c has any business modifying
> that thing.
> 
> 	So let's make sure that all functions we are passing
> &dentry->d_name are taking const struct qstr * and replace
> ->d_name with an anon union of struct qstr *__d_name and
> const struct qstr *d_name.
> 
> 	It is *not* enough to guarantee that another thread will
> not call __d_move() right under you - checking the requirements
> for that is the hard part.  It does make it easy to verify that
> nothing else accidentally starts changing it.
> 
> 	This stuff lives in
> git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git #work.qstr
> Branch is -rc4-based, individual patches in followups.
> 
> 	Please, review.  If nobody objects, I'll put that in #for-next.

Reviewed-by: David Howells <dhowells@redhat.com>

Re: [PATCH 2/6] exfat_find(): constify qstr argument

[Namjae Jeon]

On Thu, Sep 11, 2025 at 2:05 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> Nothing outside of fs/dcache.c has any business modifying
> dentry names; passing &dentry->d_name as an argument should
> have that argument declared as a const pointer.
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Thanks!

Re: [PATCH 1/6] security_dentry_init_security(): constify qstr argument

[Casey Schaufler]

On 9/10/2025 10:05 PM, Al Viro wrote:
> Nothing outside of fs/dcache.c has any business modifying
> dentry names; passing &dentry->d_name as an argument should
> have that argument declared as a const pointer.
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

For the Smack bit:

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>  include/linux/lsm_hook_defs.h | 2 +-
>  include/linux/security.h      | 4 ++--
>  security/security.c           | 2 +-
>  security/selinux/hooks.c      | 2 +-
>  security/smack/smack_lsm.c    | 2 +-
>  5 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index fd11fffdd3c3..aa4d6ec9c98b 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -85,7 +85,7 @@ LSM_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry,
>  	 int mode, const struct qstr *name, const char **xattr_name,
>  	 struct lsm_context *cp)
>  LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode,
> -	 struct qstr *name, const struct cred *old, struct cred *new)
> +	 const struct qstr *name, const struct cred *old, struct cred *new)
>  
>  #ifdef CONFIG_SECURITY_PATH
>  LSM_HOOK(int, 0, path_unlink, const struct path *dir, struct dentry *dentry)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 521bcb5b9717..3f694d3ebd70 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -391,7 +391,7 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
>  				  const char **xattr_name,
>  				  struct lsm_context *lsmcxt);
>  int security_dentry_create_files_as(struct dentry *dentry, int mode,
> -					struct qstr *name,
> +					const struct qstr *name,
>  					const struct cred *old,
>  					struct cred *new);
>  int security_path_notify(const struct path *path, u64 mask,
> @@ -871,7 +871,7 @@ static inline int security_dentry_init_security(struct dentry *dentry,
>  }
>  
>  static inline int security_dentry_create_files_as(struct dentry *dentry,
> -						  int mode, struct qstr *name,
> +						  int mode, const struct qstr *name,
>  						  const struct cred *old,
>  						  struct cred *new)
>  {
> diff --git a/security/security.c b/security/security.c
> index ad163f06bf7a..db2d75be87cc 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1775,7 +1775,7 @@ EXPORT_SYMBOL(security_dentry_init_security);
>   * Return: Returns 0 on success, error on failure.
>   */
>  int security_dentry_create_files_as(struct dentry *dentry, int mode,
> -				    struct qstr *name,
> +				    const struct qstr *name,
>  				    const struct cred *old, struct cred *new)
>  {
>  	return call_int_hook(dentry_create_files_as, dentry, mode,
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index c95a5874bf7d..58ce49954206 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2901,7 +2901,7 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
>  }
>  
>  static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
> -					  struct qstr *name,
> +					  const struct qstr *name,
>  					  const struct cred *old,
>  					  struct cred *new)
>  {
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index fc340a6f0dde..5caa372ffbf3 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -4908,7 +4908,7 @@ static int smack_inode_copy_up_xattr(struct dentry *src, const char *name)
>  }
>  
>  static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
> -					struct qstr *name,
> +					const struct qstr *name,
>  					const struct cred *old,
>  					struct cred *new)
>  {

Re: [PATCHES] simple part of ->d_name stuff

[Linus Torvalds]

On Wed, 10 Sept 2025 at 22:01, Al Viro <viro@zeniv.linux.org.uk> wrote:
>
>         So let's make sure that all functions we are passing
> &dentry->d_name are taking const struct qstr * and replace
> ->d_name with an anon union of struct qstr *__d_name and
> const struct qstr *d_name.

Ack, all these patches look ObviouslyCorrect(tm) to me, and seems a
good improvement.

Even if it won't catch the more involved cases that worry you more.

             Linus

Re: [PATCH 1/6] security_dentry_init_security(): constify qstr argument

[Paul Moore]

On Sep 11, 2025 Al Viro <viro@zeniv.linux.org.uk> wrote:
> 
> Nothing outside of fs/dcache.c has any business modifying
> dentry names; passing &dentry->d_name as an argument should
> have that argument declared as a const pointer.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
> Reviewed-by: David Howells <dhowells@redhat.com>
> ---
>  include/linux/lsm_hook_defs.h | 2 +-
>  include/linux/security.h      | 4 ++--
>  security/security.c           | 2 +-
>  security/selinux/hooks.c      | 2 +-
>  security/smack/smack_lsm.c    | 2 +-
>  5 files changed, 6 insertions(+), 6 deletions(-)

LSM and SELinux bits look fine to me.  Al, I'm guessing you would
prefer to take this patch as part of the larger patchset, but if you
want me to take this single patch for the upcoming merge window let
me know.

Acked-by: Paul Moore <paul@paul-moore.com>

--
paul-moore.com

Re: [PATCH 1/6] security_dentry_init_security(): constify qstr argument

[Christian Brauner]

On Thu, Sep 11, 2025 at 06:05:29AM +0100, Al Viro wrote:
> Nothing outside of fs/dcache.c has any business modifying
> dentry names; passing &dentry->d_name as an argument should
> have that argument declared as a const pointer.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---

Reviewed-by: Christian Brauner <brauner@kernel.org>

Re: [PATCH 2/6] exfat_find(): constify qstr argument

[Christian Brauner]

On Thu, Sep 11, 2025 at 06:05:30AM +0100, Al Viro wrote:
> Nothing outside of fs/dcache.c has any business modifying
> dentry names; passing &dentry->d_name as an argument should
> have that argument declared as a const pointer.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---

Reviewed-by: Christian Brauner <brauner@kernel.org>

Re: [PATCH 3/6] afs_edit_dir_{add,remove}(): constify qstr argument

[Christian Brauner]

On Thu, Sep 11, 2025 at 06:05:31AM +0100, Al Viro wrote:
> Nothing outside of fs/dcache.c has any business modifying
> dentry names; passing &dentry->d_name as an argument should
> have that argument declared as a const pointer.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---

Reviewed-by: Christian Brauner <brauner@kernel.org>

Re: [PATCH 4/6] afs_dir_search: constify qstr argument

[Christian Brauner]

On Thu, Sep 11, 2025 at 06:05:32AM +0100, Al Viro wrote:
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---

Reviewed-by: Christian Brauner <brauner@kernel.org>

Re: [PATCH 5/6] generic_ci_validate_strict_name(): constify name argument

[Christian Brauner]

On Thu, Sep 11, 2025 at 06:05:33AM +0100, Al Viro wrote:
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---

Reviewed-by: Christian Brauner <brauner@kernel.org>

Re: [PATCH 6/6] make it easier to catch those who try to modify ->d_name

[Christian Brauner]

On Thu, Sep 11, 2025 at 06:05:34AM +0100, Al Viro wrote:
> Turn d_name into an anon union of const struct qstr d_name with
> struct qstr __d_name.  Very few places need to modify it (all
> in fs/dcache.c); those are switched to use of ->__d_name.
> 
> Note that ->d_name can actually change under you unless you have
> the right locking environment; this const just prohibits accidentally
> doing stores without being easily spotted.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---

Reviewed-by: Christian Brauner <brauner@kernel.org>