diff mbox series

ceph_wait_on_conflict_unlink(): grab reference before dropping ->d_lock

Message ID 20231026022115.GK800259@ZenIV
State New
Headers show
Series ceph_wait_on_conflict_unlink(): grab reference before dropping ->d_lock | expand

Commit Message

Al Viro Oct. 26, 2023, 2:21 a.m. UTC
[at the moment in viro/vfs.git#fixes]
Use of dget() after we'd dropped ->d_lock is too late - dentry might
be gone by that point.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 fs/ceph/mds_client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jeff Layton Oct. 27, 2023, 1:38 p.m. UTC | #1
On Thu, 2023-10-26 at 03:21 +0100, Al Viro wrote:
> [at the moment in viro/vfs.git#fixes]
> Use of dget() after we'd dropped ->d_lock is too late - dentry might
> be gone by that point.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
>  fs/ceph/mds_client.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index 615db141b6c4..293b93182955 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -861,8 +861,8 @@ int ceph_wait_on_conflict_unlink(struct dentry *dentry)
>  		if (!d_same_name(udentry, pdentry, &dname))
>  			goto next;
>  
> +		found = dget_dlock(udentry);
>  		spin_unlock(&udentry->d_lock);
> -		found = dget(udentry);
>  		break;
>  next:
>  		spin_unlock(&udentry->d_lock);

Reviewed-by: Jeff Layton <jlayton@kernel.org>
Xiubo Li Oct. 30, 2023, 2:29 a.m. UTC | #2
On 10/26/23 10:21, Al Viro wrote:
> [at the moment in viro/vfs.git#fixes]
> Use of dget() after we'd dropped ->d_lock is too late - dentry might
> be gone by that point.
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
>   fs/ceph/mds_client.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index 615db141b6c4..293b93182955 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -861,8 +861,8 @@ int ceph_wait_on_conflict_unlink(struct dentry *dentry)
>   		if (!d_same_name(udentry, pdentry, &dname))
>   			goto next;
>   
> +		found = dget_dlock(udentry);
>   		spin_unlock(&udentry->d_lock);
> -		found = dget(udentry);
>   		break;
>   next:
>   		spin_unlock(&udentry->d_lock);

Good catch.

Thanks Al.

- Xiubo
diff mbox series

Patch

diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 615db141b6c4..293b93182955 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -861,8 +861,8 @@  int ceph_wait_on_conflict_unlink(struct dentry *dentry)
 		if (!d_same_name(udentry, pdentry, &dname))
 			goto next;
 
+		found = dget_dlock(udentry);
 		spin_unlock(&udentry->d_lock);
-		found = dget(udentry);
 		break;
 next:
 		spin_unlock(&udentry->d_lock);