On Mon, Aug 12, 2019 at 11:16:11AM +0900, Tetsuo Handa wrote:
> syzbot is reporting that nfsd_mkdir() forgot to remove dentry created by
> d_alloc_name() when __nfsd_mkdir() failed (due to memory allocation fault
> injection) [1].

That's not the only problem I see there.

	ret = __nfsd_mkdir(d_inode(parent), dentry, S_IFDIR | 0600);
	if (ret)
		goto out_err;
	if (ncl) {
		d_inode(dentry)->i_private = ncl;
		kref_get(&ncl->cl_ref);
	}

and we are doing that to inode *after* it has become visible via dcache -
__nfsd_mkdir() has already done d_add() (and pinged fsnotify, at that).
Looks fishy...
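
The ordering concern raised in the message above, as an added user-space model that is not part of the original message and is not kernel code: a listener that looks the entry up at publication time sees an empty i_private when the pointer is set after publication, and sees the client when it is set before. The names dcache_slot, listener, publish, mkdir_model and the directory name are hypothetical.

```c
/* User-space model, not kernel code. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

struct client { int refs; };              /* models ncl and its kref */
struct inode  { void *i_private; };
struct dentry { const char *name; struct inode *inode; };

static struct dentry *dcache_slot;        /* one-entry model of the dcache */
static void *seen_private;                /* what the listener observed */

/* Models a notification listener that looks the new entry up immediately. */
static void listener(const char *name)
{
	struct dentry *d = dcache_slot;
	seen_private = (d && strcmp(d->name, name) == 0) ? d->inode->i_private : NULL;
}

/* Models d_add() plus the notification: from here on others can reach it. */
static void publish(struct dentry *d, struct inode *in)
{
	d->inode = in;
	dcache_slot = d;
	listener(d->name);
}

/* Returns the i_private value the listener saw at publication time. */
void *mkdir_model(struct client *cl, int init_first)
{
	static struct inode in;
	static struct dentry d = { "clients/1", NULL };  /* constructed name */

	dcache_slot = NULL;
	in.i_private = NULL;
	if (init_first) { in.i_private = cl; cl->refs++; }
	publish(&d, &in);                     /* entry becomes visible */
	if (!init_first) { in.i_private = cl; cl->refs++; }  /* quoted order */
	return seen_private;
}

int main(void)
{
	struct client cl = { 1 };
	printf("set after publish:  listener saw %p\n", mkdir_model(&cl, 0));
	printf("set before publish: listener saw %p\n", mkdir_model(&cl, 1));
	return 0;
}
```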