Re: [PATCH] ceph: fix potential use-after-free in ceph_mdsc_build_path

On Fri, Apr 26, 2019 at 05:12:38PM -0400, Jeff Layton wrote:
> temp is not defined outside of the RCU critical section here. Ensure
> we grab that value before we drop the rcu_read_lock.

> +	base = ceph_ino(d_inode(temp));
>  	rcu_read_unlock();
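Review bot: the added `base = ceph_ino(d_inode(temp));` line just before `rcu_read_unlock()` is not safe in the way the commit message suggests. Holding rcu_read_lock() only defers freeing of the dentry (and its name); it does not stop the dentry from going negative concurrently, so `d_inode(temp)` can return NULL here and `ceph_ino()` would dereference it. The value should be captured while temp's `->d_lock` is held (where the walk already inspects the dentry), or the inode pointer should be checked before calling `ceph_ino()`; the message should also say which dentry's ino is meant (the fs root or the one the walk stopped at).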

Umm...  Freeing (including freeing the name) is postponed by holding
rcu_read_lock().  Children moving away + dentry going negative
is *not*.

What are you trying to return there, anyway?  Root or, in case of
stop_on_nosnap, CEPH_NOSNAP one you'd stepped into?

The latter I'd suggest to handle while under ->d_lock; the former
ought to be safe if it's fs root.  Details, please...

Another fun question is whether you can hit a disconnected subtree
from open-by-fhandle in process.  That might get uncomfortable,
since you'd get the tail of actual pathname and the length will
depend upon the timing.


