On Mon, Aug 18, 2025 at 11:53 PM NeilBrown <n...@brown.name> wrote:
>
> On Mon, 18 Aug 2025, Amir Goldstein wrote:
> > On Wed, Aug 13, 2025 at 1:53 AM NeilBrown <n...@brown.name> wrote:
> > >
> > > A few callers operate on a dentry which they already have - unlike the
> > > normal case where a lookup proceeds an operation.
> > >
> > > For these callers dentry_lookup_continue() is provided where other
> > > callers would use dentry_lookup(). The call will fail if, after the
> > > lock was gained, the child is no longer a child of the given parent.
> > >
> > > There are a couple of callers that want to lock a dentry in whatever
> > > its current parent is. For these a NULL parent can be passed, in which
> > > case ->d_parent is used. In this case the call cannot fail.
> > >
> > > The idea behind the name is that the actual lookup occurred some time
> > > ago, and now we are continuing with an operation on the dentry.
> > >
> > > When the operation completes done_dentry_lookup() must be called. An
> > > extra reference is taken when the dentry_lookup_continue() call succeeds
> > > and will be dropped by done_dentry_lookup().
> > >
> > > This will be used in smb/server, ecryptfs, and overlayfs, each of which
> > > have their own lock_parent() or parent_lock() or similar; and a few
> > > other places which lock the parent but don't check if the parent is
> > > still correct (often because rename isn't supported so parent cannot be
> > > incorrect).
> > >
> > > Signed-off-by: NeilBrown <n...@brown.name>
> > > ---
> > > fs/namei.c | 39 +++++++++++++++++++++++++++++++++++++++
> > > include/linux/namei.h | 2 ++
> > > 2 files changed, 41 insertions(+)
> > >
> > > diff --git a/fs/namei.c b/fs/namei.c
> > > index 7af9b464886a..df21b6fa5a0e 100644
> > > --- a/fs/namei.c
> > > +++ b/fs/namei.c
> > > @@ -1874,6 +1874,45 @@ struct dentry *dentry_lookup_killable(struct
> > > mnt_idmap *idmap,
> > > }
> > > EXPORT_SYMBOL(dentry_lookup_killable);
> > >
> > > +/**
> > > + * dentry_lookup_continue: lock a dentry if it is still in the given
> > > parent, prior to dir ops
> > > + * @child: the dentry to lock
> > > + * @parent: the dentry of the assumed parent
> > > + *
> > > + * The child is locked - currently by taking i_rwsem on the parent - to
> > > + * prepare for create/remove operations. If the given parent is not
> > > + * %NULL and is no longer the parent of the dentry after the lock is
> > > + * gained, the lock is released and the call fails (returns
> > > + * ERR_PTR(-EINVAL).
> > > + *
> > > + * On success a reference to the child is taken and returned. The lock
> > > + * and reference must both be dropped by done_dentry_lookup() after the
> > > + * operation completes.
> > > + */
> > > +struct dentry *dentry_lookup_continue(struct dentry *child,
> > > + struct dentry *parent)
> > > +{
> > > + struct dentry *p = parent;
> > > +
> > > +again:
> > > + if (!parent)
> > > + p = dget_parent(child);
> > > + inode_lock_nested(d_inode(p), I_MUTEX_PARENT);
> > > + if (child->d_parent != p) {
> >
> > || d_unhashed(child))
> >
> > ;)
>
> As you say!
>
> >
> > and what about silly renames? are those also d_unhashed()?
>
> With NFS it is not unhashed (i.e. it is still hashed, but with a
> different name). I haven't checked AFS.
>
> But does it matter? As long as it has the right parent and is not
> unhashed, it is a suitable dentry to pass to vfs_unlink() etc.
>
> If this race happened with NFS then ovl could try to remove the .nfsXXX
> file and would get ETXBUSY due to DCACH_NFSFS_RENAMED. I don't think
> this is a problem.
>
Not a problem IMO.
FYI, ovl does not accept NFS as a valid upper fs
on account of ->d_revalidate() and no RENAME_WHITEOUT support.
if (ovl_dentry_remote(ofs->workdir) &&
(!d_type || !rename_whiteout || ofs->noxattr)) {
pr_err("upper fs missing required features.\n");
err = -EINVAL;
goto out;
}
> If we really wanted to be sure the name hadn't changed we could do a
> lookup and check that the same dentry is returned.
>
> OVL is by nature exposed to possible races if something else tried to
> modify the upper directory tree. I don't think it needs to provide
> perfect semantics in that case, it only needs to fail-safe. I think
> this recent change is enough to be safe in the face of concurrent
> unlinks.
<nod>
Thanks,
Amir.
