On Sun, Mar 17, 2019 at 08:38:22PM +0000, Al Viro wrote: > On Sun, Mar 17, 2019 at 01:04:40PM -0700, Eric Biggers wrote: > > + /* > > + * Ciphertext name; valid if the directory's key is still unavailable. > > + * > > + * Note: since fscrypt forbids rename() on ciphertext names, it should > > + * be safe to access ->d_parent directly here. > > No, it is not. Again, d_splice_alias() on buggered fs image picking a reference > to your subdirectory when doing a lookup elsewhere. It can relocate the > damn thing, without rename() being allowed for _anything_. You're talking about directory hard links, right? E.g. if there's a directory with two links a/dir and b/dir, and fscrypt_d_revalidate() is running on 'dir' via a lookup in a/, it could be the case that b/dir is being concurrently looked up. Then the concurrent d_splice_alias() will move the whole dentry tree rooted at 'dir' from a/ to b/ in the dcache. Okay, it looks like you're right; I'll update my comment to clarify that dget_parent() is still needed... - Eric
