On Sun, Mar 17, 2019 at 01:04:40PM -0700, Eric Biggers wrote: > + /* > + * Ciphertext name; valid if the directory's key is still unavailable. > + * > + * Note: since fscrypt forbids rename() on ciphertext names, it should > + * be safe to access ->d_parent directly here. No, it is not. Again, d_splice_alias() on buggered fs image picking a reference to your subdirectory when doing a lookup elsewhere. It can relocate the damn thing, without rename() being allowed for _anything_.
