Received: from zeniv.linux.org.uk ([195.92.253.2]:48696 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1751096AbcFCD26 (ORCPT );
	Thu, 2 Jun 2016 23:28:58 -0400
Date: Fri, 3 Jun 2016 04:28:53 +0100
From: Al Viro
To: Trond Myklebust
Cc: Oleg Drokin, "J. Bruce Fields", "linux-nfs@vger.kernel.org", " Mailing List", ""
Subject: Re: NFS/d_splice_alias breakage
Message-ID: <20160603032853.GK14480@ZenIV.linux.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: linux-nfs-owner@vger.kernel.org

On Fri, Jun 03, 2016 at 12:44:51AM +0000, Trond Myklebust wrote:

> That would have to be a really tight race, since the code in _nfs4_open_and_get_state() currently reads:
>
> 	d_drop(dentry);
> 	alias = d_exact_alias(dentry, state->inode);
> 	if (!alias)
> 		alias = d_splice_alias(igrab(state->inode), dentry);
>
> IOW: something would have to be acting between the d_drop() and d_splice_alias() above...

How?  dentry is
	* negative (it would better be, or we are _really_ fucked)
	* unhashed

How does whoever's rehashing it stumble across that thing?