git.apps.os.sepia.ceph.com Git - ceph-client.git/commit

author	Alex Markuze <amarkuze@redhat.com>
	Tue, 12 Aug 2025 09:57:39 +0000 (09:57 +0000)
committer	Ilya Dryomov <idryomov@gmail.com>
	Tue, 9 Sep 2025 10:57:02 +0000 (12:57 +0200)
commit	bec324f33d1ed346394b2eee25bf6dbf3511f727
tree	fb179b6cc5e257693717c22d2dda7fc2cd05a526	tree \| snapshot
parent	15f519e9f883b316d86e2bb6b767a023aafd9d83	commit \| diff

ceph: fix race condition where r_parent becomes stale before sending message

When the parent directory's i_rwsem is not locked, req->r_parent may become
stale due to concurrent operations (e.g. rename) between dentry lookup and
message creation. Validate that r_parent matches the encoded parent inode
and update to the correct inode if a mismatch is detected.

[ idryomov: folded a follow-up fix from Alex to drop extra reference
  from ceph_get_reply_dir() in ceph_fill_trace():

  ceph_get_reply_dir() may return a different, referenced inode when
  r_parent is stale and the parent directory lock is not held.
  ceph_fill_trace() used that inode but failed to drop the reference
  when it differed from req->r_parent, leaking an inode reference.

  Keep the directory inode in a local variable and iput() it at
  function end if it does not match req->r_parent. ]

Cc: stable@vger.kernel.org
Signed-off-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>